You might have noticed that a web address often shows the HTTPS protocol rather than HTTP, and that your browser displays a padlock in front of the URL to indicate that your connection is secure. Although this gives a sense of security, it also raises the question of what exactly this means and how your connection is protected.
What is SSL and how does it work?
When a website uses the HTTPS protocol, the traffic between your browser and the website is protected by Secure Sockets Layer (SSL), a security protocol that sits between the application (HTTP) and the network and secures the connection between a website and a user. SSL protects your connection in three ways.
- Proof of authenticity
- Encryption
- Message Authentication Codes
First, SSL provides proof of the authenticity of a website. The server presents a certificate, issued by a Certificate Authority that the browser trusts, which binds the site's hostname to a public key, and during the connection setup the server proves that it holds the matching private key. This shows that the website you're visiting really is what it claims to be and isn't a fake website set up by attackers who try to obtain private data from visitors.
Secondly, SSL ensures that communication between the two parties is encrypted. With the standard HTTP protocol, data is transmitted in plain text, so anyone who can intercept the connection, whether on the same Wi-Fi network, at an ISP or anywhere else along the route, can read everything that is sent. With HTTPS, the data is encrypted before being transmitted, so even if it is intercepted it looks like random bytes to anyone without the key needed to decrypt it.
Finally, SSL ensures that the transmitted data cannot be tampered with unnoticed, through the use of Message Authentication Codes (MAC). Technically, an attacker on the path can still intercept or alter the encrypted data, but any change invalidates the MAC, so the receiving side detects it and drops the connection instead of passing the altered data on to the application. Encryption alone does not give this guarantee: without an integrity check, an attacker can flip bits in the ciphertext and change the decrypted message without ever learning the key. (Current TLS versions use authenticated encryption, which combines encryption and the integrity check in one operation; the guarantee is the same.)
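To make the difference between "encrypted" and "tamper-proof" concrete, here is an added Python example; it is not code from the original article and not how any real TLS library is implemented. A toy stream cipher shows how an attacker who cannot read a message can still change it by flipping ciphertext bits, and an HMAC-SHA256 tag over the ciphertext catches the same change. The keys and the sample record are constructed for the demonstration; real TLS derives its keys from the handshake and, in TLS 1.3, uses authenticated encryption (AES-GCM or ChaCha20-Poly1305) that combines both steps.

```python
import hashlib
import hmac

# Constructed sample keys: in real TLS these are derived from the handshake.
ENC_KEY = bytes.fromhex("00" * 31 + "01")
MAC_KEY = bytes.fromhex("00" * 31 + "02")
TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Illustration only;
    TLS uses AES-GCM or ChaCha20-Poly1305, not this construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Stream encryption: XOR with the keystream (the same call decrypts)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def flip_byte(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    """Attacker's bit-flip: XORing a ciphertext byte with (old ^ new) turns
    plaintext byte `old` into `new`. No key is needed, only knowledge of
    where in the message the interesting byte sits."""
    buf = bytearray(ciphertext)
    buf[offset] ^= old ^ new
    return bytes(buf)


def protect(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(MAC_KEY, ciphertext)."""
    ct = xor_crypt(ENC_KEY, plaintext)
    tag = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return ct + tag


def unprotect(record: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch,
    the way a TLS stack aborts with a bad_record_mac alert."""
    if len(record) < TAG_LEN:
        raise ValueError("bad_record_mac")
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac")
    return xor_crypt(ENC_KEY, ct)


MESSAGE = b"transfer amount=100 to=alice"  # constructed sample record
AMOUNT_OFFSET = MESSAGE.index(b"100")      # position of the leading '1'


def tamper_encryption_only() -> bytes:
    """Encryption without integrity: the flipped byte decrypts cleanly to '9'
    and the receiver has no way to notice."""
    ct = xor_crypt(ENC_KEY, MESSAGE)
    ct = flip_byte(ct, AMOUNT_OFFSET, ord("1"), ord("9"))
    return xor_crypt(ENC_KEY, ct)


def tamper_with_mac() -> str:
    """The same flip on a MACed record: the tag no longer matches and the
    receiver rejects the record."""
    record = protect(MESSAGE)
    record = flip_byte(record, AMOUNT_OFFSET, ord("1"), ord("9"))
    try:
        unprotect(record)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(unprotect(protect(MESSAGE)))   # round trip: the original message
    print(tamper_encryption_only())      # b'transfer amount=900 to=alice'
    print(tamper_with_mac())             # rejected: bad_record_mac
```

The order matters: the receiver checks the tag before it decrypts anything, and uses `hmac.compare_digest` so that a wrong tag takes the same time to reject regardless of which byte differs.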
Traditionally, SSL was only used on web pages that process personal information, such as online payments or login screens. These days, however, many websites have an SSL certificate to guarantee the security and authenticity of the website as a whole. With modern browsers and devices, the time it takes to set up an SSL connection is negligible and therefore no longer a meaningful disadvantage.
If you’re already familiar with SSL, you might have also heard of Transport Layer Security (TLS). In fact, whenever SSL is discussed, most of the time it’s actually about TLS, which is the successor to SSL. In 1999, the Internet Engineering Task Force took over development of the protocol from its original creator, Netscape, and published the next version under the new name TLS (TLS 1.0). The SSL versions themselves were retired later: SSL 2.0 and SSL 3.0 are formally deprecated (RFC 6176 and RFC 7568) and should be disabled on any server, and TLS 1.0 and 1.1 have since followed (RFC 8996), so current deployments should offer only TLS 1.2 and 1.3. However, the name SSL has stuck around and the two are now used interchangeably, including in this article.
What types of SSL certificates are there?
There isn’t just one type of SSL certificate. SSL certificates vary in the hostnames they cover and in the degree of verification. In our data, covering approximately 59 million certificates, the most common coverage is Single-Domain: only one hostname is covered by the certificate, usually the www hostname of a domain (for example, www.google.com). An expansion of this is the Wildcard certificate, which covers all names one level below the domain: *.example.com covers www.example.com and shop.example.com, but not example.com itself and not deeper names such as a.b.example.com (which is why CAs usually add the bare domain as a second name). Finally, the Multi-Domain certificate lists several hostnames, which may belong to unrelated domains, in its Subject Alternative Name extension.
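The hostname check behind both the proof of authenticity described earlier and the coverage types in this paragraph can be written down precisely. The following Python is an added example, not code from the article or from any browser or TLS library. It implements the wildcard rule of RFC 6125 (a `*` must be the entire leftmost label and matches exactly one label) and applies it to three constructed certificates, one of each coverage type, using example.com names.

```python
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 rules):
    case-insensitive, and a '*' may only be the whole leftmost label,
    where it stands for exactly one label. IP-address SANs are a separate
    name type and are not handled here."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False  # partial wildcards such as 'w*.example.com' are refused
    if len(p_labels) < 3:
        return False  # '*.com' would cover every .com domain; refuse it
    if len(p_labels) != len(h_labels):
        return False  # exactly one label: no bare apex, no deeper names
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """A certificate covers a hostname if any of its SAN entries matches it."""
    return any(hostname_matches(name, hostname) for name in san_names)


# Constructed SAN lists, one per coverage type from the text.
SINGLE_DOMAIN = ["www.example.com"]
WILDCARD = ["*.example.com", "example.com"]   # apex listed separately on purpose
MULTI_DOMAIN = ["example.com", "www.example.com", "example.org", "shop.example.net"]


def coverage_report(san_names: Iterable[str], hostnames: Iterable[str]) -> dict:
    """Which of the given hostnames a certificate with these SANs would secure."""
    return {host: cert_covers(san_names, host) for host in hostnames}


if __name__ == "__main__":
    probes = ["example.com", "www.example.com", "a.b.example.com", "shop.example.net"]
    for label, sans in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD),
                        ("multi", MULTI_DOMAIN)]:
        print(label, coverage_report(sans, probes))
```

The two refusals in `hostname_matches` are the ones that matter in practice: a wildcard never reaches the bare domain or a second level of subdomains, so a site that serves both example.com and www.example.com from a `*.example.com` certificate needs the apex as an extra SAN entry, as the constructed `WILDCARD` list shows.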
An SSL certificate can also have a varying degree of verification. These degrees correspond to different levels of background checks required before a certificate is issued. The least demanding level is Domain Validation (DV), where the applicant only has to demonstrate control of the domain, typically by publishing a token supplied by the CA in a DNS record or at a well-known URL on the site. For Organization Validation (OV), the Certificate Authority additionally verifies that the requesting organization legally exists and contacts it directly. The most extensive vetting occurs for Extended Validation (EV), where a full background check of the organization is conducted before the certificate is issued. Note that the validation level says nothing about the strength of the encryption: a DV certificate secures the connection exactly as well as an EV one; the difference is only in how much the certificate asserts about who operates the site, and most browsers no longer show EV status prominently in the address bar. Our data shows that the vast majority of domains with SSL certificates (93%) only validate the domain. Organization Validation comprises 7% and Extended Validation certificates are less than 0.1%.
The SSL certificate a website acquires has to be issued by a Certificate Authority (CA), the most popular one being Let’s Encrypt. Let’s Encrypt is a free-to-use nonprofit CA, created for the public benefit and sponsored by a diverse range of tech companies. It issues the certificates for 65% of the domains in our data that have one, and only provides Domain Validation certificates, issued automatically through the ACME protocol. It’s therefore a popular choice among smaller organizations and individuals looking to protect their website visitors’ data. Apart from Let’s Encrypt, Sectigo and DigiCert are also widely used CAs. Other popular options are Cloudflare, cPanel and GoDaddy, which offer SSL certificates as part of their product packages.
Does this mean that every website that needs an SSL certificate already has one? As a matter of fact, no. Of the 88 million domains we checked, only about two-thirds (65%) had a valid SSL certificate. Many of the remaining websites do not collect user data, but HTTPS still matters for them: over plain HTTP, anyone on the path can see which pages a visitor reads and can alter those pages in transit, for example by injecting scripts or advertisements. More urgently, we still see many websites that collect privacy-sensitive information such as login credentials, contact information or payment details from their visitors without an SSL certificate. According to our data, globally, about 3.1 million Business and eCommerce websites store privacy-sensitive information but have no SSL certificate.
Website owners who care about their integrity and their visitors’ privacy should strongly consider protecting their website with SSL. Now that you have learned what SSL is and does, you may also be more wary of websites that don’t have an SSL certificate. Keep in mind, though, what the padlock does and does not promise: it tells you that the connection is encrypted and that the certificate is valid for the hostname in the address bar, not that the people behind that hostname are trustworthy. A phishing site can obtain a Domain Validation certificate for its own domain just as easily as a legitimate one.