What does SSL stand for? SSL is a protocol that offers assurance that your website (and any data that transmits to it) is secure. SSL security certificates are what help you put that protocol to use to secure your website.

Do you think the terms “SSL” and “TLS” are just geek jargon? What about SSL or TLS certificates? Do you feel a bit hesitant about trying to understand these technical terms? Don’t worry, this article is written to provide you with SSL meaning & definition in a simplified way that most non-technical readers can follow. (This includes defining SSL/TLS certificates as well!)

SSL meaning is two-fold. SSL is a crucial component of secure communications on the internet. It’s a security protocol developed especially for the secure transfer of data via websites on the internet. However, SSL also is a term used to describe SSL certificates. And SSL certificates, while closely related, are different than the protocol itself. But before we can really talk about SSL/TLS certificates in-depth, we first need to talk about what SSL and TLS mean and how they relate to those certificates.

What Does SSL Mean? SSL Definition & Meaning

When people talk about “SSL” for website security, they’re typically referring to SSL certificates. However, there’s more to it than that — it’s only part of the picture. So, what does SSL stand for? The term SSL actually refers to a web protocol known as the secure sockets layer. This is the protocol that facilitates authentication and secure communications in public channels through the use of encryption and decryption. (This makes it possible to have secure transactions take place on your website.)

The quick SSL definition is that it’s a way to provide a secure data transmission channel between two endpoints (such as a computer and a web server). Of course, technology is always evolving, so SSL is really an outdated term. Nowadays, we’re really using TLS — or transport layer security — as the secure protocol for such data exchanges. Out with the old and in with the new! (Note: It’s not actually all that new. Although TLS 1.3 is now the standard, TLS 1.0 was first introduced back in 1999!)

Regardless of whether you want to call it “SSL/TLS,” “TLS” or “SSL,” what we’re really talking about is TLS. This protocol is what makes the “HTTPS” and nifty security padlock appear in our browsers. So, in a way, the SSL meaning is synonymous with HTTPS and data security.

Prior to the creation of SSL/TLS, information would transmit in plaintext, readable format. (This is the “HTTP” you’d often see in web address bars.) Using a secure protocol means that data transmits using an encrypted connection (HTTPS). This results in data transferring as gibberish-looking ciphertext that no one can understand without a decryption key. So, basically:

  • HTTP = insecure protocol
  • HTTPS = secure protocol.

So, why do we still call the protocol SSL instead of TLS? Because the industry is slow to change in terms of updating our use of lingo. Basically, IT and cybersecurity pros know that when people talk about SSL, they really mean TLS. This can be a bit confusing at times, though, because people within our industry tend to use the terms “SSL” and “TLS” interchangeably.

This becomes even more confusing because people use the terms “SSL” and “SSL certificates” interchangeably as well. The way to make a website load via HTTPS is by installing an SSL/TLS certificate on your web server, so people just use “SSL” as a way to describe the digital certificates. This brings us to the definition and meaning of an SSL certificate (or, really, a TLS certificate).

SSL Meaning: What Is an SSL/TLS Certificate?

Now, it’s time to talk about SSL meaning in the other sense. You can’t talk about SSL meaning without also talking about SSL/TLS certificates. An SSL certificate is basically your website’s version of an ID card. It’s what identifies your organization (and its website by proxy) as being legitimate. And much like how government ID cards are issued by a reputable authority (such as the Department of Motor Vehicles), these certificates are issued by trusted third parties known as certificate authorities (CAs).

SSL/TLS certificates come in different “flavors,” if you will, depending on the needs of your organization. They can be organized in terms of the types of sites they secure or by the level of business validation that they provide. (We’ll speak more to that later in the article.)

More technically speaking, SSL/TLS certificates are digital certificates (files) that allow servers to authenticate themselves to clients and establish secure, encrypted connections with them. They do this using that TLS protocol we talked about a moment ago and something known as public key cryptography.

Public key encryption is a process that involves the use of two cryptographic keys — a public key and a private key — to encrypt (public key) and decrypt (private key) data. The public key is known by the server and is publicly available. The private key, on the other hand, is kept secret.

SSL certificates bind your organization’s information to those cryptographic keys in a way that tells browsers (web clients) that the key belongs to your domain or organization. This allows the server to quickly authenticate itself to the web client before moving on to establish a symmetrically encrypted connection to transfer the data.

Now, for this encryption to happen, certain cryptographic functions need to take place to allow clients to connect with your website via the secure HTTPS protocol. The SSL/TLS certificates provide the information that makes this series of processes possible. This involves:

  • Exchanging information relating to cipher suites and parameters. This helps the client and web server figure out which cryptographic features they mutually support.
  • Identifying and authenticating one (or both, in some cases) parties in the exchange. This way, the client can verify it’s connecting to the right server and not an imposter.
  • Exchanging keys, which leads to the generation of symmetric session keys. This is integral to creating the secure, encrypted connections we talked about earlier.

Why Using SSL/TLS Certificates Matters

Without SSL/TLS certificates, none of these things would be possible. The purpose of SSL/TLS certificates is to:

  • Add identity to authenticate the website’s server to a user’s web client (browser).
  • Keep the data secret as it transmits between the user & web server (using encryption).
  • Ensure that the data isn’t altered in transit (data integrity).

If there are no SSL certificates on a website, the data that transfers between the user’s device and your web server will be in plaintext. Anybody who knows how to intercept this data can read or even manipulate it by attacking the line of transmission. This is called a man-in-the-middle (MitM) attack. The hacker will be able to use your data with malicious intent or sell it to someone else who will use it.

By using an SSL certificate, you’re making it so that the communication channel is encrypted, which prevents anyone listening in from being able to read or alter that data. Of course, there are some additional benefits to using SSL/TLS certificates:

  • It can help your site build stronger trust and confidence in the eyes of consumers.
  • It can help to improve your site’s reputation in the eyes of Google (boost your Google search engine ranking).
  • You stay compliant with different data privacy regulations in terms of data security.

SSL/TLS certificates can also help users recognize potential phishing sites by adding identity to a site. Identifying whether an organization is legitimate or fake (by reading the certificate details, depending on the type of certificate the site has) can help prevent users from inputting their information on scam sites.

How SSL/TLS Certificates Secure In-Transit Data

Now, let’s talk about SSL meaning in the sense of how it protects data on the internet. The SSL protocol encrypts the data that is being transferred between the server and the client, which protects it from eavesdroppers. When this data transmits via the SSL/TLS protocol, attackers who intercept it will find nothing but garbage even if they manage to get hold of the data.

Without the decryption key, they can’t steal or change the data during the transfer. This makes online shopping, banking, or any other transactions safe and secure for all the parties involved.

The above image shows the padlock and the “HTTPS” before our web address, which indicates the website is secure and that it’s validated by a trusted certificate authority.

When you click on the padlock, you can see that the connection is secure and that the trust certificate is valid. The figure below shows the screenshot of this validity:

When you click on the padlock, you can see that the certificate verifies that the website is using a secure, encrypted connection.

When you click on the Certificate (Valid) option, another window will pop up that provides you with additional information about the certificate, domain, and/or the organization that owns it. This verified identity is what helps to make it possible for servers to establish trust with browsers.


SSL and the Chain of Trust

An SSL certificate doesn’t stand on its own; it is actually part of an SSL certificate chain. This is what helps to give it the necessary credibility, which is what makes it a critical part of public key infrastructure.

A certificate chain is an aggregate of three types of certificates: root certificates, intermediate certificates, and server certificates. All these digital certificates are crucial for the successful encryption and decryption of the data. These certificates are interconnected, forming what’s known as a certificate chain or a “chain of trust.”

The chain of trust consists of:

  • A self-signed root CA certificate,
  • One or more intermediate certificates, and
  • A server certificate (SSL/TLS certificate).

Figure: A breakdown of the certificate chain and how one certificate signs the next.

Although there’s only one root certificate and server certificate for a particular website, there can be more than one intermediate certificate. The “chaining” makes it easy to trace a server certificate back to its trusted root.
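To show what “tracing a server certificate back to its trusted root” involves, here is an added example (not code from this article) that walks a chain by issuer and subject names and reports why a chain is rejected. The certificates, CA names and function names are constructed for the illustration, and the signature check a real validator performs at every link is left out.

```python
from datetime import date

class ChainError(Exception):
    """Raised when no path from the server certificate to a trusted root exists."""

def _check(cert, today, must_be_ca):
    if today > cert["not_after"]:
        raise ChainError(f"expired: {cert['subject']}")
    if must_be_ca and not cert["is_ca"]:
        raise ChainError(f"not a CA certificate: {cert['subject']}")

def build_chain(leaf, presented, trust_store, today, max_depth=8):
    """Return the subjects from the server certificate up to a trusted root.

    Only names, the CA flag and expiry are checked here. A real validator
    also verifies every signature with the issuer's public key.
    """
    by_subject = {c["subject"]: c for c in presented}
    path, cert = [leaf], leaf
    for _ in range(max_depth):
        _check(cert, today, must_be_ca=cert is not leaf)
        issuer = cert["issuer"]
        if issuer in trust_store:                 # reached a root the client trusts
            _check(trust_store[issuer], today, must_be_ca=True)
            return [c["subject"] for c in path] + [issuer]
        if issuer == cert["subject"]:             # self-signed but not trusted
            raise ChainError(f"untrusted root: {issuer}")
        if issuer not in by_subject:              # server did not send this link
            raise ChainError(f"missing intermediate: {issuer}")
        cert = by_subject[issuer]
        path.append(cert)
    raise ChainError("chain exceeds max_depth (possible loop)")

# Constructed sample certificates (hypothetical names, not real CAs).
def _cert(subject, issuer, is_ca, not_after):
    return {"subject": subject, "issuer": issuer, "is_ca": is_ca, "not_after": not_after}

ROOT = _cert("Example Root CA", "Example Root CA", True, date(2040, 1, 1))
INT1 = _cert("Example Intermediate CA 1", "Example Root CA", True, date(2032, 1, 1))
INT2 = _cert("Example Issuing CA 2", "Example Intermediate CA 1", True, date(2030, 1, 1))
LEAF = _cert("www.example.com", "Example Issuing CA 2", False, date(2026, 1, 1))
TRUST_STORE = {ROOT["subject"]: ROOT}

def explain(presented, trust_store=TRUST_STORE, today=date(2025, 6, 1)):
    """Return the chain as 'leaf <- issuer <- root', or the reason it fails."""
    try:
        return " <- ".join(build_chain(LEAF, presented, trust_store, today))
    except ChainError as err:
        return f"REJECTED ({err})"

if __name__ == "__main__":
    print(explain([INT1, INT2]))          # full chain sent by the server
    print(explain([INT2]))                # one intermediate left out
    print(explain([INT1, INT2, ROOT], trust_store={}))  # root not in the client's store
```

The second case is the one site owners hit most often: the server certificate is fine, but the server was not configured to send every intermediate certificate along with it.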

How to Tell if a Website Is Using SSL

There are special indicators assigned to prove that the website is secure and that the data it collects will remain confidential as it travels across the internet. These indicators include:

  • A security padlock icon (in Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge, etc.),
  • A green address bar (in Internet Explorer), and
  • “HTTPS” at the start of a website’s web address (URL).

When you see these signs on the address bar, you can rely on the fact that the website has an SSL certificate.

What Are the Different Types of SSL Certificates?

Okay, so we’ve talked about SSL meaning, what SSL/TLS certificates are, why they matter, and what they help you to accomplish in terms of authentication and data confidentiality. But what are the types of SSL/TLS certificates and how do they differ in terms of validation?

  • Single domain — This basic SSL/TLS certificate secures a single domain.
  • Multi-domain — This allows you to secure multiple domains.
  • Wildcards — This certificate enables you to secure an unlimited number of subdomains on a single level for an individual domain.
  • Multi-domain wildcards — This allows you to secure an unlimited number of subdomains for multiple domains.
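To make the “single level” rule for wildcards concrete, here is an added example (not code from this article) that checks which hostnames a certificate’s list of DNS names covers, for each of the four certificate types above. The function names and the example.com, example.net and example.org names are assumptions made for the illustration.

```python
def _labels(name):
    # DNS names are case-insensitive; a trailing dot (root label) is ignored.
    return name.lower().rstrip(".").split(".")

def san_matches(pattern, hostname):
    """Return True if one DNS name from a certificate covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False                  # different depth, or an empty label
    if "*" in "".join(p[1:]):
        return False                  # a wildcard is only allowed left-most
    if p[0] == "*":
        # "*" stands for exactly one label; require two fixed labels after
        # it so that a pattern like "*.com" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in p[0] and p == h  # partial wildcards ("w*") are rejected

def certificate_covers(san_list, hostname):
    """True if any DNS name listed in the certificate covers hostname."""
    return any(san_matches(name, hostname) for name in san_list)

# Constructed DNS-name lists, one per certificate type described above.
CERTS = {
    "single domain": ["example.com"],
    "multi-domain": ["example.com", "example.net", "www.example.org"],
    "wildcard": ["*.example.com"],
    "multi-domain wildcard": ["*.example.com", "*.example.net"],
}

def coverage(hostnames):
    """Map each certificate type to the hostnames it covers."""
    return {kind: [h for h in hostnames if certificate_covers(sans, h)]
            for kind, sans in CERTS.items()}

if __name__ == "__main__":
    hosts = ["example.com", "shop.example.com", "a.shop.example.com",
             "mail.example.net", "www.example.org"]
    for kind, covered in coverage(hosts).items():
        print(f"{kind:22} -> {covered}")
```

Note that the wildcard entry covers shop.example.com but neither the bare example.com nor the deeper a.shop.example.com, so a wildcard certificate needs the bare domain listed as a separate name if it is to secure that as well.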

They also come with different validation levels:

  • Domain validation (DV),
  • Organization validation (OV), and
  • Extended validation (EV).

Different types of certificates are required because websites have different purposes. Some websites do not need any interaction with the users. Some ask users to submit sensitive data like their names and email addresses. And some will ask for more personal information such as banking details for online trading.

Let’s explore the three levels of validation more in-depth to help you see what each validation level is about and why it’s necessary.

Domain Validation (DV) SSL/TLS Certificates

A domain validated certificate is the most basic type of SSL certificate. While issuing a DV certificate, the CA will simply check whether you own the domain for which you want the certificate. It is quite a straightforward process and you can own a DV within a few minutes.

You can choose to buy a DV from any of the companies like RapidSSL, Comodo, Thawte, GeoTrust, DigiCert, Sectigo, or any other. A DV is typically the most inexpensive type of certificate. Because it requires no business validation, CAs can issue DV certificates automatically within minutes.

Now, if your website does not collect the data of the visitors, you can opt for a DV. But if your organization does collect personal or financial information, or any other sensitive data, then you’ll need to use a certificate that has greater validation requirements (i.e., one of the next two types of certificates).

A quick note for site visitors: If you’re on a website that only has a DV certificate, you should never give out your sensitive information. That’s because you have no way to verify the identity of the entity on the other end of your secure connection. A secure, encrypted connection doesn’t help if you’re sending your data to a cybercriminal directly!

Organizational Validation (OV) SSL/TLS Certificates

An organizational validation SSL certificate is also known as a basic business validation certificate because it requires a certain amount of organizational verification for a CA to issue it. It takes a couple of days (1-3) to issue an OV certificate because of the manual verification processes it requires.

In addition to verifying a site’s domain ownership, the CA also checks government records and alternative resources to make sure the organization meets other validation requirements:

  • It’s legitimate and is legally registered (organization authentication).
  • It has an active legal presence in the area where it’s registered (locality presence verification).
  • The company’s phone number matches government records (telephone validation).
  • That specific company information can be confirmed via a phone call (final verification call).

These kinds of certificates are for organizations that want a moderate level of trust from the public as they are not handling sensitive information. The website might ask for login information with basic credentials like the name, email address, and phone number of the visitors for marketing purposes.

If your organization collects any type of personal or financial data, then organization validation should be the absolute minimum that you use on your site.

Extended Validation (EV)

Extended validation, as the name suggests, is an in-depth validation by the CA for an enterprise. The EV certificate is necessary when the website accepts payment from the clients online for the goods or services they provide. They have to handle the sensitive information of the clients like the bank details and the bank passwords for the payment gateway.

The CA will have to make the highest level of verification of the enterprise to issue an EV. It will take up to five days to issue the certificate (though it’s usually an average of about three days). Much like with the OV process, a trusted CA will verify the organization’s information — but this time, they’ll go more in-depth in that validation process. They’ll verify:

  • Registration of business with government or other third-party reports.
  • Enrollment form or Acknowledgement of Agreement
  • Validation of actual operational existence
  • Verification of the company’s exact physical address.
  • Telephone validation
  • Domain validation
  • Final verification call

For additional information about the DV, OV and EV validation processes, check out our SSL validation guide.

When you are a customer, you should never pay for any goods online if the website does not have an EV. The EV certificate is represented by the padlock or the green address bar on the web browser.

Final Thoughts on SSL Meaning (To Sum It All Up…)

An SSL meaning or definition boils down to asserting identity and making secure data exchanges possible. It protects businesses and consumers alike by securing the data transmissions between them while it’s in transit.

The retail e-commerce sales worldwide reached $3.53 trillion in 2019, according to data from Statista. The market and consumer data giant also predicts that the e-commerce revenues will top $6.5 trillion by 2022. As a result of the amount of money spent online, it’s easy to see why scammers keep trying to find ways to steal it. In addition to the money users spend, there’s also the astronomical amount of money transfers users make online… not to mention all of the valuable data that flies across the internet every second.

Any one of these is a compelling reason to protect your website and your customers’ sensitive data. This is why using an SSL/TLS certificate on your site to use the SSL (TLS) security protocol is critical to ensure your website facilitates secure, encrypted communications over the internet. With SSL/TLS certificates and protocols at work, the chances of your communication being compromised in a MitM (man-in-the-middle) attack are virtually zero.

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.