As of July 2018, every website now needs an SSL certificate, lest it be marked “not secure” by browsers like Google Chrome. That’s led to an influx of site owners scrambling to grab digital certificates that many of them know very little about. So, in this article to answer questions like “what is the purpose of SSL certificates” or “what is the purpose of SSL,” we’ll cover the basics:
- What SSL certificates are,
- What SSL certificates do,
- How SSL certificates work, and
- Why we need SSL certificates.
The internet has never been more important, which makes everyone on it — and all of their data — targets for cybercriminals. SSL certificates provide an important line of defense. Let’s briefly discuss how.
What Are SSL Certificates?
From a technical standpoint, SSL certificates are actually now TLS certificates, and both acronyms refer to the protocol being used in each instance. SSL, or secure sockets layer, was the original version that has since been retired. Now, we’re using TLS, or what stands for “transport layer security.” An SSL/TLS certificate is a type of X.509 digital certificate. Hold on a second… I see your eyes glazing over.
Let’s start with what a digital certificate is and what it does. In the context of SSL/TLS, digital certificates are cryptographic files that you install on a server. The certificate serves two primary functions:
- The certificate authenticates the identity of the server; and
- The certificate binds a key pair to that server.
What Exactly Do SSL Certificates Do?
To answer your question about “what is the purpose of SSL certificates,” we’ll further explain the two aforementioned functions and how they relate to validating a site’s identity. Authentication and the binding of a key pair are both part of what’s called public key infrastructure, or PKI. Using these certificates, it’s possible for an internet user to verify the identity of the website they’re visiting, and then negotiate an encrypted connection with it.
The way it specifically does this is via the SSL/TLS protocols. As we stated earlier, SSL is retired now — it’s out herding goats on a small farm in Montana, so we’re now using TLS. We just refer to it as SSL colloquially — which, if TLS is truly being honest, hurts its feelings.
Anyway, in summation: SSL certificates authenticate the website’s identity (and possibly the organization that owns it) and facilitate an encrypted connection with that site. Now, that second part is important. Why does a connection need to be encrypted? We’re glad you asked. Internet connections are far more complicated than most people realize. They route through dozens of points on their way to their destination. If the connection isn’t encrypted, all of the data that’s passing through all of those points — many of them unsecure — will be sent in plaintext. As you can imagine, that’s problematic if you’re transmitting sensitive information.
SSL certificates enable websites to use HTTPS, which means that the connections they make are encrypted. This is called in-transit encryption. It’s a critical component of just about every compliance framework.
How Does an SSL Certificate Work?
We’re going to try to keep this as simple as possible. For the purpose of this explanation, the web user is the client (their web browser) and the website is the server.
When a client wants to connect to a server, the client and the server first perform something called the TLS handshake. It consists of three fists bumps, two hand claps, and a shimmy…
First, the server is going to present the client with its SSL certificate. The client will perform a series of checks to ensure the certificate was issued by a trusted certificate authority (CA), that it hasn’t expired, that it isn’t revoked, and that the server is the rightful owner of the key pair. Provided that all checks out, the client considers the server’s identity authenticated. Alongside the authentication, the client and server also negotiate the parameters of their encryption.
Once the handshake is complete, the encrypted connection begins and all information that’s passed between the two parties is protected. That’s why we say that SSL enables a secure, encrypted connection for data in transit.
Why We Need SSL Certificates on Our Websites
Although we’ve already covered this, it bears repeating: Everyone needs an SSL certificate on their website to not be flagged as “not secure” by major browsers such as Google Chrome. It’s no longer optional if you want your website to stand a chance of ranking on search engine results pages (SERPs) and being trusted by clients. After all, SSL isn’t just a matter of security; it’s a matter of trust.
Are SSL certificates worth it? Absolutely. If you don’t have SSL/TLS on your website now, you’re likely missing out on a lot of business. Don’t self-sabotage — get an SSL certificate for your website today.
Purchase a DV SSL Certificate & Save Up to 88%!
We offer the best discount on all types of Domain Validation SSL Certificates (DV SSL). We offer certificates from the leading CAs, including Comodo CA, Sectigo, Thawte, GeoTrust, and RapidSSL with DV certificates starting as low as $5.45 per year.