Before buying SSL certificates for your small business, consult the table below. Digital.com offers real user opinions on the industry’s biggest providers, and we compile real user ratings from Twitter comments to give you an overall approval score. Here’s how to choose the best SSL certificate for your small business or startup website or online store.
| Company | Main features | Price | Rating | More |
|---|---|---|---|---|
 Comodo | Trusted by 99.9% of web browsers Up to $1,750,000 warranty Full 128/256 bit encryption Free 1 year PCI & vulnerability scanning 30-day money-back guarantee More features at comodo.com | From 12.99 /year | 40% score | Visit website Read reviews |
 GeoTrust | Up to 256-bit encryption Trusted by 99% of web browsers Up to $1,500,000 warranty Free SSL certificate management console Free 30-day trial plus money-back promise More features at geotrust.com | From 65.00 /year | 71% score | Visit website Read reviews |
 RapidSSL | 30-day money-back guarantee Up to 256-bit SSL encryption Trusted by 99% of web browsers Up to $10,000 warranty Free SSL reissue & competitor replacement More features at rapidssl.com | From 16.89 /year | 40% score | Visit website Read reviews |
 Symantec SSL | Up to $1,750,000 warranty ECC, RSA & DSA algorithm support Nearly 100% compatible with browsers & systems 30-day free trial Includes trust mark "Norton™" secured seal More features at symantec.com | From 274.00 /year | 80% score | Visit website Read reviews |
 Thawte | Trusted by 99% of web browsers Up to $1,500,000 warranty Full 128/256 bit encryption Free EV upgrader tool Free 21-day trial plus money-back promise More features at thawte.com | From 45.00 /year | 50% score | Visit website Read reviews |
SSL stands for Secure Sockets Layer. SSL ensures that the connection between a web server and a web browser is secure. So if a hacker is eavesdropping on your connection, they can’t see what you’re doing online.
If you’ve accessed online banking or a webmail account like Gmail today, you’ve already used SSL without even noticing.
The SSL certificate is key, because it verifies that the web server is genuine. If you run a small business, an SSL certificate is recommended to show your users that you respect their privacy and security. And if you conduct financial transactions online, SSL is essential.
How SSL Became Part of the Apache Web Server
In order for a connection to be encrypted, both sides of the connection must be able to communicate. So in the case of SSL, both the user’s browser and the web server must understand the protocol. This means that both browser manufacturers and web server makers had to add SSL to their applications.
The Earliest Versions of Apache
By far, the most used web server is Apache. Coincidentally, both Apache and SSL were released the same year: 1995. But for obvious reasons, the first version of Apache didn’t include SSL:
- There was no time to include it
- Almost no browsers supported it
- And the web wasn’t the commercial marketplace it is today.
Adding SSL to Apache: Apache-SSL
But the potential of adding SSL to Apache was immediately apparent. So Ben Laurie took Eric A Young’s open-source SSLeay (eay for Young’s initials), which he first released in 1995, and combined it with Apache, which is also open-source. The result was SSL-Apache.
(Eventually, Apache-SSL switched from SSLeay to OpenSSL. This is because the SSLeay project was ended. OpenSSL was forked from the last version of SSLeay.)
So very quickly, people could have their own SSL-enabled server. But there was a problem. Every time SSLeay/OpenSSL or Apache was updated, Apache-SSL had to be updated. In addition to having to fix its own bugs, this required a lot of work. In other words, SSL-Apache was a maintenance nightmare.
Apache Modules to the Rescue!
Apache has a module system, which allows programmers to create compiled code that adds functionality to the base system. For example, mod_cgi adds a CGI system to the server.
So, in 1998, Ralf S Engelschall decided to port Apache-SSL (1.17) into a module for Apache 1.2 that he called mod_ssl. This improved Apache-SSL in a big way. So when a new version of Apache came out, mod_ssl didn’t need to be changed.
However, because of conflicts with the Apache-SSL development cycle, for version 1.3 of Apache, mod_ssl v2 became completely independent of the older system. It was written from scratch and effectively became part of Apache.
In addition to Apache changes not affecting mod_ssl, mod_ssl could make changes without having to mess with the base Apache code.
This meant that changes to SSL or improvements to the module could easily be made.
How Does mod_ssl add SSL Encryption to Apache?
The mod_ssl does not provide SSL encryption to Apache itself. Instead, it provides an interface so that Apache can use OpenSSL. OpenSSL is an open-source implementation of the SSL/TLS protocols.
OpenSSL is the most popular encryption software library. It is used in most open-source software that wants to add encrypted communication to it.
Recent Forks
OpenSSL is a great product. But it isn’t perfect and not everyone likes it. As a result, over the past several years, a number of OpenSSL forks have appeared.
Agglomerated SSL
In 2009, Marco Peereboom released Agglomerated SSL (assl). It doesn’t change the encryption code itself. Instead, it simplifies the interface.
This makes Agglomerated SSL easier to include in different programs. It is used, for example, to allow VLC to be able to play blu-ray discs.
LibreSSL
Five years later, the Heartbleed bug appeared in version 1.0.1 of OpenSSL. It was so bad that it could allow hackers to determine a user’s private key. A number of quick fixes solved the problems of the Heartbleed bug. But it wasn’t until OpenSSL version 1.0.1g that Heartbleed was completely defeated.
The bug was not disclosed publicly for two years, in 2014. This caused the creation of LibreSSL by members of the OpenBSD project.
Within days of LibreSSL’s release, problems with it were reported, but it is not clear just how important these problems were.
Regardless of any early problems, LibreSSL has gone on to be developed. It is not only the default TLS for FreeBSD, but also for a number of Linux distributions. New releases are available on average every four months or so. Overall, it has had fewer problems than OpenSSL.
BoringSSL
Just after LibreSSL came out, Google released BoringSSL. But it isn’t meant for general use the way OpenSSL and the two other forks are. Google is working with OpenSSL and BoringSSL to create an SSL library for use with its own projects.
Google recommends against other developers using BoringSSL. But it is likely to be running in many applications people are using.
Mod_ssl Becomes an Official Part of Apache
Because of some changes in US law about exporting cryptography, mod_ssl became an official part of Apache 2. It is now maintained by the Apache Software Foundation itself.
Timeline
Given that server-side SSL involved two distinct applications and numerous teams and individuals, it’s helpful to see the timeline that brought us to our current state.
| Year | Product | Description |
|---|---|---|
| 1994 | SSL | Version 1.0 created (never released) |
| 1995 | SSL | First public release (V 2.0) |
| 1995 | Apache | First Public release (V 0.6.2) |
| 1995 | SSLeay | First Public release |
| 1995 | Apache-SSL | First Public release |
| 1998 | SSLeay | Project ended |
| 1998 | OpenSSL | Forked from SSLeay, first public release (V 0.9.1) |
| 1998 | mod_ssl | Ported from Apache-SSL V 1.17 but not released |
| 1998 | mod_ssl | First public release (V 2.0.0) |
| 2002 | mod_ssl | Became an official part of Apache |
| 2009 | Agglomerated SSL | First version of this OpenSSL fork |
| 2012 | OpenSSL | Heartbleed bug introduced |
| 2014 | LibreSSL | Fork of OpenSSL V 1.0.1g introduced |
| 2014 | BoringSSL | Google’s fork of OpenSSL for internal use |
| 2017 | Apache | Current stable version V 2.4.29 |
| 2017 | OpenSSL | Current stable version V 1.1.0g |
Why Small Businesses Need SSL
SSL was created by Netscape, the same company that produced one of the first web browsers. It was originally designed to encrypt the connection between two computers on the same network, but ended up having a much bigger impact across the entire web. Version 2.0 — the first public version — was released in February 1995.
As cyber attacks become more and more sophisticated, security is increasingly important. If your email account has been hacked, you’ll know just how inconvenient and unnerving it can be. Every e-commerce store in the world should now have SSL enabled to protect customer data. And if you run a small business, you should implement it too.
Why? Most online consumers now recognize a secure connection, because it’s highlighted by their web browser. Many will refuse to go ahead with an enquiry or purchase if the SSL padlock icon isn’t present in the browser URL bar. And with good reason. Unsecured transactions represent a gold mine for hackers, and even a small data leak can result in identity fraud.
Even if you don’t accept payments on your website, you should still use an SSL certificate to secure users’ browsing. Since 2014, Google has given secure sites a boost in search results. (In fact, it has been keen to encourage the use of SSL since 2012.)
It’s a very small boost, but in competitive markets, it makes sense for small businesses to take advantage of any SEO advantage that comes along.
How SSL Sessions Work
Initiating a session is as simple as loading a web page that begins with the https:// protocol.
Note the difference between http:// and https://. That extra ‘s’ is what makes the connection secure.
When you press enter, your web browser initiates a connection to the website. It will send information that is not confidential to do this. When the server replies, it sends the browser its certificate and a public key.
Your web browser then validates the certificate and returns a secret key to confirm that the connection is secure. Once that happens, all data is protected by a virtually unbreakable encryption algorithm.
What’s In an SSL Certificate?
SSL certificates are issued by trusted providers (also called ‘authorities’ or ‘issuers’), that are responsible for authenticating the business requesting the certificate. There are dozens of providers on the market, including Thawte, Symantec, and GeoTrust.
Prices vary from provider to provider. So it’s important to compare SSL certificate providers to ensure that you’re getting the best deal.
The SSL certificate verifies the identity of the server. For small businesses, the certificate will typically confirm your:
- Domain name or hostname
- Company name
- Location
- Date of certificate creation
- Date of certificate expiry.
SSL certificates can be forged. So the issuing authority is important. It’s the authority that confirms that your small business is genuine.
In most circumstances, your browser will try to verify the signature from a list of known authorities. This list is built into the code of the browser itself, so verification adds very little overhead to loading times.
Understanding SSL Certificate Types
Now that you understand how certificates work, we can get into the detail of what each type does. Right now, there are three different types of SSL certificate. Let’s look at each one in turn.
Extended Validation SSL Certificates
Extended Validation – or EV – certificates are only issued once the provider has validated the website. This vetting makes the approval method very reliable. Typically, this type of SSL certificate is used for government agencies and very large businesses.
Organization Validation SSL Certificates
Organization Validation – or OV – certificates verify the business only. The provider, or authority, conducts a series of checks before the SSL certificate is granted. That includes the business’ trading address. If a website has this kind of certificate, customers should assume that the website is legitimate and connected to a genuine, functioning business.
Domain Validation SSL Certificates
The final certificate type is Domain Validation, or DV. This type of SSL certificate involves the least amount of verification; the provider simply checks that the domain name is legitimately owned, and the registration data matches the SSL certificate application. The provider does this by running a check on the WHOIS record for the domain.
Are Non-Secure Connections Risky?
In a word: yes. And they’re risky for your small business, as well as your customers.
You might have read about the dangers of public WiFi. On an unsecure WiFi network, it’s technically possible for anyone to see what you’re doing online.
If your website doesn’t have SSL, hackers and other criminals can view personal data when forms are submitted. They can use packet sniffing to see the data that is being transferred to your server. You may also be susceptible to attacks from compromised computers, such as a machine running malware.
A malicious observer could scrape credit card details and logins, for example. And that could have massive consequences for your customers.
Let’s face it: for any retail operation, a personal data breach is a huge no-no. It will almost certainly result in bad press for your brand, and it could lead to fines and penalties.
At best, you’ll lose custom and revenue. At worst, your business will crash and burn. It just isn’t a risk worth taking.