GDPR has been in existence for nearly three years and it’s still clear that a lot of websites, even ones launched since May 2018, are not GDPR compliant. Sorry, we don’t get out of the EU General Data Protection Regulation because of Brexit. In this blog, we’ll look at SSL certificates which are vital to protect website user data.
What are SSL certificates?
SSL (Secure Sockets Layer) certificates perform two main functions. Firstly, they show the user that there is a secure connection between their computer’s web browser and the website’s hosting server. Secondly, the SSL encrypts any data the web user enters into the website, so that if the information is intercepted it cannot be decoded without the unique, long and complicated decryption key that is issued with the SSL certificate. SSLs are also important for user confidence and ‘assurance’, as website visitors can see if a site is secure by the little padlock in the browser address bar and the prefix ‘https:’ (‘s’ for ‘secure’). There are several SSLs available, all with different levels of assurance, warranties, and prices.
Basic level (free) SSLs provide encryption of user details entered into the website through things like contact forms or enquiry forms. These are often adequate for standard websites. However, more assurance, and warranties, can be obtained with a paid-for SSL certificate.
Prices depend on the level of warranty required and the fee is billed annually. SSL certificate providers, such as GlobalSign, provide a warranty should anything go wrong with one of their certificates.
SSL certificates all provide the same high level of security and encryption. The main difference between them is the warranty and the ‘assurance’. Assurance is the level of trust a company wants to give its web visitors. It is gained during the certificate application process, which establishes proof of the company’s identity and that they are who they say they are. Website users can see the certificate information by clicking on the little padlock in the address bar.
Types of SSL certificates
Basic SSLs are also known as low assurance SSLs and come with a small warranty. These provide a high level of website security but, as their name suggests, only provide a basic level of assurance. These can be issued immediately without an application process and no company information is stored in the certificate itself, meaning there is no validation of the company identity, so users cannot be truly assured that whoever is receiving their information is who they say they are.
Domain Validated SSLs are known as medium assurance SSLs and come with, you guessed it, a medium level of warranty. These can be issued immediately without an application process and the Certificate Authority will check that the applicant has the right to use a specific domain name, usually by a validation email which is sent to an email address that has the same domain suffix as the website. Again, no company information is stored in the certificate itself meaning there is no validation of your company identity and, similarly, users cannot be truly assured that their information is going where it appears.
Organisation Validated SSLs are high assurance SSLs and come with quite a large warranty. There is an application process for this SSL and, as well as validating the applicant’s right to the domain, the Certificate Authority checks that the organisation/company actually exists with an extra vetting procedure. Company information is then ‘validated’ and included in the SSL certificate, giving users confirmation that the company is genuine should they wish to inspect the certificate.
Extended Validation SSLs are the same high assurance SSLs but come with a larger warranty. The application process is the same but the Certificate Authority does more rigorous vetting to confirm the applicant’s company identity and checks that the certificate has been correctly applied to the website. Until recently, this type of SSL displayed a green banner in the address bar with the company name for extra user assurance. However, browser companies, such as Google and Mozilla, saw fit to not show this as they didn’t feel it offered the assurance that SSL providers claimed. Another story.
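The difference between these types is visible in the certificate’s subject: whether company information is present or not. The following is an added example, not part of the original post, that sorts a certificate into those levels from the dictionary Python’s `ssl.SSLSocket.getpeercert()` returns. The sample certificates and `example.test` names are constructed, and treating `businessCategory`, `jurisdictionCountryName` and `serialNumber` as the sign of Extended Validation is a heuristic assumed here, since `getpeercert()` does not expose the certificate policy identifiers.

```python
import socket
import ssl

# Subject attributes assumed here to indicate Extended Validation (heuristic).
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def assurance_level(cert):
    """Return (level, organisation) based on what the subject contains."""
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if not org:
        # Basic and Domain Validated: no company identity in the certificate.
        return ("domain-only", None)
    if EV_MARKERS.issubset(fields):
        return ("extended-validation", org)
    return ("organisation-validated", org)


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a verified live certificate (needs network; unused in the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format.
DV_CERT = {"subject": ((("commonName", "shop.example.test"),),)}
OV_CERT = {"subject": (
    (("countryName", "GB"),),
    (("organizationName", "Example Trading Ltd"),),
    (("commonName", "www.example.test"),),
)}
EV_CERT = {"subject": (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "GB"),),
    (("serialNumber", "00000000"),),
    (("organizationName", "Example Bank plc"),),
    (("commonName", "secure.example.test"),),
)}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(assurance_level(sample))
```

A Basic and a Domain Validated certificate give the same result, because neither carries company information in the certificate itself.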
Picking the right certificate
As all SSLs do the same job, the choice of SSL depends on how much warranty is required should there be a breach and how much assurance you want to give your users. With prices for SSLs ranging from free (no warranty) to several hundred pounds a year (millions of quid in warranty), it generally comes down to the size of the company, the website functionality, and the kind of data being collected through it. Larger companies, ecommerce sites, and websites that collect a lot of personal data should probably opt for a higher end one. Standard brochure sites and smaller companies can protect user data with one of the lower end ones. You pays your money, you take your choice.
If you need any help or advice about which one to choose, or need more information about what SSL certificates are, please get in touch – we’d be glad to hear from you.