To grow, every business needs a good reputation. That requires protecting your customers’ data and privacy.
It’s no longer enough to just protect financial transaction data. Users expect any personal information that they send to you — such as name or phone number — to be protected.
That’s where SSL certificates come in. They need to be part of your online security mix. Indeed, Google now considers SSL certificates to be a best practice for all websites, not just e-commerce sites.
Read on to learn what SSL is, how SSL certificates work, and what types are available. You’ll also get guidance on good options for your small business.
If you’re not technically oriented, don’t worry. When you purchase an SSL certificate, do it from a source that will install it for you (for a modest fee) and provide 24/7 support.
Browse the table below to give you a quick overview of the big players in the SSL space.
Digital.com offers real user opinions of the industry’s biggest providers, and we compile real user ratings from Twitter comments to give you an overall approval score. Here’s how to choose the best SSL certificate for your small business or startup website or online store.
| Company | Main features | Price | Rating | More |
|---|---|---|---|---|
Comodo | Trusted by 99.9% of web browsers Up to $2,000,000 warranty Full 128/256 bit encryption Free 1 year PCI & vulnerability scanning 30-day money-back guarantee More features at comodo.com | From 7.27 /year | 40% score | Visit website Read reviews |
GeoTrust | Up to 256-bit encryption Trusted by 99% of web browsers Up to $500,000 warranty Free 24/7 customer service Free 30-day trial plus money-back promise More features at geotrust.com | From 68.50 /year | 71% score | Visit website Read reviews |
RapidSSL | 30-day money-back guarantee Up to 256-bit SSL encryption Trusted by 99% of web browsers Up to $10,000 warranty Free SSL reissue & competitor replacement More features at rapidssl.com | From 59.00 /year | 40% score | Visit website Read reviews |
Symantec SSL | Free 24/7 customer support ECC, RSA & DSA algorithm support Nearly 100% compatible with browsers & systems 30-day free trial $1,500,000 warranty More features at symantec.com | From 279.00 /year | 80% score | Visit website Read reviews |
Thawte | Trusted by 99% of web browsers Up to $500,000 warranty Full 128/256 bit encryption Free EV upgrader tool Free 21-day trial plus money-back promise More features at thawte.com | From 47.00 /year | 50% score | Visit website Read reviews |
SSL stands for Secure Sockets Layer, a standard security protocol. SSL ensures that the connection between a web server and a web browser is encrypted. This means that any data passing between the server and the browser will also be encrypted, and therefore protected.
What sort of data passes from web browsers to web servers? Think of anything that you type online into a form field on a website. This can include name, email address, phone number, home address, social security number, messages, and financial data.
Note: Technically, the updated version of SSL is called Transport Layer Security (TLS), but the SSL terminology is so widespread that it’s remained in common use. Sometimes writers use the term TLS/SLL.
Video: What is SSL? What are the benefits of using an SSL certificate?
An SSL certificate is required in order to establish the secure, encrypted SSL connection.
To understand what’s in an SSL certificate, let’s first look at how a small business owner obtains SSL protection.
The verification of your business, your identity, and the identity of your website is part of this process. When you generate the cryptographic key, it digitally attaches your organizational details to a domain name, web host name, or web server name.
For small businesses, the certificate will typically confirm your:
When activated and installed, visitors to your site will see a padlock icon and the “https” protocol, signifying that your site is secure.
If you’re obtaining your SSL certificate from a web host, then they can install it for you. Otherwise, you can purchase it from a vendor who offers installation for a modest fee.
This vendor also offers 24/7 customer support and step-by-step instructions for those who want to install it themselves.
SSL was invented in 1994 by Netscape, the same company that produced one of the first web browsers.
It was originally designed to encrypt the connection between two computers on the same network but ended up having a much bigger impact across the entire web. Version 2.0 — the first public version — was released in February 1995.
If you have a website, an SSL certificate is a must-have to prove to your visitors that their actions on your website are private and secure. SSL certificates used to be thought of as must-haves only for online stores, but that has changed. With Google viewing SSL certificates as a best practice for all sites, it’s now considered a must-have for any website.
That’s because even if you don’t’ process payments, it’s likely your site collects information from visitors, via newsletter sign-ups, downloadable e-books, contact forms, and more.
Here’s what Kayce Basques of Google says about this:
You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users’ personal information, HTTPS is a requirement for many new browser features, particularly those required for progressive web apps.
As cyber attacks become more and more sophisticated, security is increasingly important. If your email account has been hacked, you’ll know just how inconvenient and unnerving it can be. Every e-commerce store in the world should now have SSL enabled to protect customer data. And if you run a small business, you should implement it, too.
Why? Most online consumers now recognize a secure connection, because it’s highlighted by their web browser. Many will refuse to go ahead with an inquiry or purchase if the SSL padlock icon isn’t present in the browser URL bar. And with good reason.
Unsecured transactions represent a gold mine for hackers, and even a small data leak can result in identity fraud.
Even if you don’t accept payments on your website, you should still use an SSL certificate to secure users’ browsing.
Since 2014, Google has given secure sites a boost in search results. (In fact, it has been keen to encourage the use of SSL since 2012.)
It’s a very small boost, but in competitive markets, it makes sense for small businesses to take advantage of any SEO advantage that comes along.
Furthermore, if your website does not have an SSL certificate, Google, the most popular search engine, will flag your site as “not secure.”This has a great impact on the trust customers place on your website and even your business.
In a word: yes. And they’re risky for your small business, as well as your customers.
You might have read about the dangers of public WiFi. On an unsecured WiFi network, it’s technically possible for anyone to see what you’re doing online.
If your website doesn’t have SSL, hackers and other criminals can view personal data when forms are submitted. They can use packet sniffing to see the data that is being transferred to your server. You may also be susceptible to attacks from compromised computers, such as a machine running malware.
A malicious observer could scrape credit card details and logins, for example. And that could have massive consequences for your customers.
Let’s face it: for any retail operation, a personal data breach is a huge no-no. It will almost certainly result in bad press for your brand, and it could lead to fines and penalties.
At best, you’ll lose custom and revenue. At worst, your business will crash and burn. It just isn’t a risk worth taking.
Here are some answers to common questions about SSL for business.
As a small business owner or freelancer, you should be fine with an Organization Validation (OV) or Domain Validation (DV) certificate. If you are conducting online sales, you should spring for the OV certificate, since it will instill more trust in your site. However, if you are not, you should be okay with the cheaper DV certificate.
Whether you choose a single-domain, wildcard, multi-domain certificate depends on the number of domains/subdomains you need to be secured.
Self-signed certificates are those that are signed by the person creating it (in this case: you). Though these certificates will offer you and your visitors encryption similar to that offered by a certificated issued by a CA, you should spring for one signed by a CA if at all possible.
The biggest reasons for this is that a self-signed certificate is less secure and offers fewer options for you in the event that your website becomes compromised.
SSL certificates are issued by trusted providers (also called “certificate authorities” or “issuers”), that are responsible for authenticating the business requesting the certificate. There are dozens of providers on the market, including Thawte, Symantec, and GeoTrust.
Prices vary from provider to provider. So it’s important to compare SSL certificate providers to ensure that you’re getting the best deal.
SSL certificates can be forged. So the issuing authority is important. It’s the authority that confirms that your small business is genuine.
In most circumstances, your browser will try to verify the signature from a list of known authorities. This list is built into the code of the browser itself, so verification adds very little overhead to loading times.
Now that you understand how certificates work, we can get into the detail of what each type does. Right now, there are three different types of SSL certificate. Let’s look at each one in turn.
Extended Validation – or EV – certificates are only issued once the provider has validated the website. This vetting makes the approval method very reliable. Typically, this type of SSL certificate is used for government agencies and very large businesses.
Organization Validation – or OV – certificates verify the business only. The provider, or authority, conducts a series of checks before the SSL certificate is granted. That includes the business’ trading address. If a website has this kind of certificate, customers should assume that the website is legitimate and connected to a genuine, functioning business.
The final certificate type is Domain Validation or DV. This type of SSL certificate involves the least amount of verification; the provider simply checks that the domain name is legitimately owned, and the registration data matches the SSL certificate application. The provider does this by running a check on the WHOIS record for the domain.
In addition to the SSL certificate types mentioned above, you’ll need to decide on whether you need a:
The cost varies depending on the number of domains/subdomains you need to be secured.
Those who are technically inclined may be interested in diving further into the details of how SSLs work and how SSL became part of the Apache Web Server.
Initiating a session is as simple as loading a web page that begins with the https:// protocol.
Note the difference between http:// and https://. That extra ‘s’ is what makes the connection secure.
When you press enter, your web browser initiates a connection to the website. It will send information that is not confidential to do this. When the server replies, it sends the browser its certificate and a public key.
Your web browser then validates the certificate and returns a secret key to confirm that the connection is secure. Once that happens, all data is protected by a virtually unbreakable encryption algorithm.
For a connection to be encrypted, both sides of the connection must be able to communicate. So in the case of SSL, both the user’s browser and the web server must understand the protocol.
This means that both browser manufacturers and web server makers had to add SSL to their applications.
By far, the most used web server is Apache. Coincidentally, both Apache and SSL were released the same year: 1995. For obvious reasons, the first version of Apache didn’t include SSL because:
But the potential of adding SSL to Apache was immediately apparent. So Ben Laurie took Eric A Young’s open-source SSLeay (eay for Young’s initials), which he first released in 1995, and combined it with Apache, which is also open-source. The result was SSL-Apache.
(Eventually, Apache-SSL switched from SSLeay to OpenSSL. This is because the SSLeay project was ended. OpenSSL was forked from the last version of SSLeay.)
So very quickly, people could have their own SSL-enabled server. But there was a problem. Every time SSLeay/OpenSSL or Apache was updated, Apache-SSL had to be updated. In addition to having to fix its own bugs, this required a lot of work. In other words, SSL-Apache was a maintenance nightmare.
Apache has a module system, which allows programmers to create compiled code that adds functionality to the base system. For example, mod_cgi adds a CGI system to the server.
So, in 1998, Ralf S. Engelschall decided to port Apache-SSL (1.17) into a module for Apache 1.2 that he called mod_ssl. This improved Apache-SSL in a big way. So when a new version of Apache came out, mod_ssl didn’t need to be changed.
However, because of conflicts with the Apache-SSL development cycle, for version 1.3 of Apache, mod_ssl v2 became completely independent of the older system. It was written from scratch and effectively became part of Apache.
In addition to Apache changes not affecting mod_ssl, mod_ssl could make changes without having to mess with the base Apache code.
This meant that changes to SSL or improvements to the module could easily be made.
The mod_ssl does not provide SSL encryption to Apache itself. Instead, it provides an interface so that Apache can use OpenSSL. OpenSSL is an open-source implementation of the SSL/TLS protocols.
OpenSSL is the most popular encryption software library. It is used in most open-source software that wants to add encrypted communication to it.
OpenSSL is a great product. But it isn’t perfect and not everyone likes it. As a result, over the past several years, a number of OpenSSL forks have appeared.
In 2009, Marco Peereboom released Agglomerated SSL. It doesn’t change the encryption code itself. Instead, it simplifies the interface.
This makes Agglomerated SSL easier to include in different programs. It is used, for example, to allow VLC to be able to play Blu-ray discs.
Five years later, the Heartbleed bug appeared in version 1.0.1 of OpenSSL. It was so bad that it could allow hackers to determine a user’s private key. A number of quick fixes solved the problems of the Heartbleed bug. But it wasn’t until OpenSSL version 1.0.1g that Heartbleed was completely defeated.
The bug was not disclosed publicly for two years, in 2014. This caused the creation of LibreSSL by members of the OpenBSD project.
Within days of LibreSSL’s release, problems with it were reported, but it is not clear just how important these problems were.
Regardless of any early problems, LibreSSL has gone on to be developed. It is not only the default TLS for FreeBSD, but also for a number of Linux distributions. New releases are available on average every four months or so. Overall, it has had fewer problems than OpenSSL.
Just after LibreSSL came out, Google released BoringSSL. But it isn’t meant for general use the way OpenSSL and the two other forks are. Google is working with OpenSSL and BoringSSL to create an SSL library for use with its own projects.
Google recommends against other developers using BoringSSL. But it is likely to be running in many applications people are using.
Because of some changes in US law about exporting cryptography, mod_ssl became an official part of Apache 2. The Apache Software Foundation now maintains it.
Given that server-side SSL involved two distinct applications and numerous teams and individuals, it’s helpful to see the timeline that brought us to our current state.
| Year | Product | Description |
|---|---|---|
| 1994 | SSL | Version 1.0 created (never released) |
| 1995 | SSL | First public release (V 2.0) |
| 1995 | Apache | First Public release (V 0.6.2) |
| 1995 | SSLeay | First Public release |
| 1995 | Apache-SSL | First Public release |
| 1998 | SSLeay | Project ended |
| 1998 | OpenSSL | Forked from SSLeay, first public release (V 0.9.1) |
| 1998 | mod_ssl | Ported from Apache-SSL V 1.17 but not released |
| 1998 | mod_ssl | First public release (V 2.0.0) |
| 2002 | mod_ssl | Became an official part of Apache |
| 2009 | Agglomerated SSL | First version of this OpenSSL fork |
| 2012 | OpenSSL | Heartbleed bug introduced |
| 2014 | LibreSSL | Fork of OpenSSL V 1.0.1g introduced |
| 2014 | BoringSSL | Google’s fork of OpenSSL for internal use |
| 2017 | Apache | Current stable version V 2.4.29 |
| 2017 | OpenSSL | Current stable version V 1.1.0g |
