What Is SSL/TLS?
SSL stands for Secure Sockets Layer. It is a protocol for establishing an encrypted, authenticated connection so that sensitive data (logins, payments, personal details) cannot be read or altered in transit. Transport Layer Security (TLS) is its successor and the protocol actually used today: every SSL version has been deprecated because of known weaknesses, and current deployments use TLS 1.2 or 1.3.
More About SSL/TLS
In an age when some of our most important information and transactions live online, ensuring the security of digital interactions has become paramount.
In this beginner-friendly guide (that isn’t afraid to go deep!) we’ll demystify the core systems that work behind the scenes and that every website owner or manager needs to know to preserve user privacy and their business reputation.
What Is SSL?
SSL stands for Secure Sockets Layer. It was the original protocol for establishing an encrypted, authenticated connection so that data such as logins and payment details cannot be read or altered while it travels across a network.
SSL/TLS is also used to secure other protocols, such as file transfers (FTPS) and email (SMTP, IMAP and POP over TLS), but this article focuses on its role in securing websites, which is where it is most recognized.
What Is TLS?
Transport Layer Security (TLS) is the successor to SSL and the protocol actually in use today. Each new version has removed weak algorithms and fixed design flaws found in its predecessor; TLS 1.2 (2008) and TLS 1.3 (2018) are the versions modern browsers and servers negotiate.
Is SSL Obsolete?
SSL has gone through several versions since its introduction in the 1990s, each one fixing weaknesses in the last. SSL 2.0 and 3.0 are formally deprecated (RFC 6176 and RFC 7568) and should be disabled on any server, as should TLS 1.0 and 1.1 (RFC 8996). TLS is not merely a renamed SSL: it is the continuation of the same protocol family under a new name, and it is the only part of that family still safe to use.
In everyday use, though, "SSL" survives as the marketing term: hosting panels, certificate vendors and many articles say "SSL certificate" and "enable SSL" when the connection they set up is TLS, and we use the term the same way in this article. The practical takeaway is that when you "turn on SSL," check that the server only offers TLS 1.2 and 1.3.
What Does SSL/TLS Look Like?
When a valid SSL/TLS certificate is in place on a website and the server is configured to use it (more on certificates later), the URL in the address bar begins with "https://" instead of "http://". Some browsers hide the scheme for simplicity; clicking in the address bar usually reveals the full URL.
Most browsers also show a padlock or similar icon next to the URL when the connection uses SSL/TLS. The green padlock of older browsers is gone: modern browsers use a neutral icon, and Chrome has replaced the padlock with a settings-style icon. The icon means only that the connection is encrypted and that the certificate was issued by a trusted authority for that hostname. It does not vouch for the site itself: a phishing site can obtain a perfectly valid certificate for its own domain.
What Does SSL/TLS Do?
SSL/TLS establishes a secure connection between two systems, typically a client and a server (for example, a browser and a shopping website) but also server to server (a web application talking to a payment API, or one mail server delivering to another).
It provides three things: confidentiality (an eavesdropper cannot read the traffic), integrity (traffic cannot be modified or replayed without detection) and authentication (the client verifies, via the server's certificate and private key, that it is talking to the genuine server rather than an impostor). Client authentication is optional and rare on public websites; between services it is used as mutual TLS (mTLS).
That data includes:
- Financial details such as credit card numbers, bank account information, etc.
- Personally identifiable information (PII): full name, social security number, address, date of birth, etc.
- Sensitive legal documents
- Private medical records
- Confidential information such as client specifics, trade secrets, etc.
- Login credentials
How Does SSL/TLS Work? The SSL Handshake
With all the groundwork laid, let’s get into the heart of how SSL/TLS functions!
SSL/TLS works by encrypting data in transit so that anyone who can observe or tamper with traffic on the network (a compromised Wi-Fi hotspot, an ISP, a malicious router) cannot read or alter it. Names, addresses, credit card numbers and session cookies are among the sensitive items it protects.
Here's a basic summary of how a TLS 1.2 handshake with RSA key exchange does that (the variant most introductory descriptions use; the differences in modern handshakes are noted at the end):
- When a user initiates a process protected by SSL/TLS, such as a purchase on a website, the client (the user's browser) sends a ClientHello to the website's server. It lists the TLS versions and cipher suites the client supports, names the host it wants to reach (the SNI extension) and includes a "client random," a string of 32 random bytes.
- The server replies with a ServerHello containing the version and cipher suite it has chosen, its own "server random" (another 32 random bytes) and its SSL/TLS certificate chain.
- The client validates the certificate: the chain must lead to a certificate authority in the browser's trust store, the certificate must cover the hostname the user typed and be within its validity period, and every signature must verify. This proves the server is the service it claims to be rather than an impostor on the network path. The client then generates a "premaster secret" and sends it encrypted with the public key from the server's certificate; only the holder of the matching private key can decrypt it.
- If all is going right, the server has that private key and recovers the premaster secret. Both sides now independently derive the same master secret and session keys from the premaster secret plus the two random values. The session keys are never sent over the wire, so an eavesdropper who recorded the entire handshake still cannot compute them.
- Client and server each send a "Finished" message, encrypted with the new session keys and containing a hash of every handshake message exchanged so far. If either side's Finished does not match what the other computed, the handshake was tampered with and the connection is dropped. Otherwise a secure session is open and application data can flow.
This procedure is the TLS handshake (still widely called the SSL handshake) and it completes in milliseconds. Two refinements matter in practice. Modern deployments use ephemeral Diffie-Hellman (ECDHE) key exchange instead of encrypting the premaster secret to the server's RSA key, so that a private key stolen later cannot decrypt recorded traffic (forward secrecy); the certificate is then used only to sign the server's share of the key exchange. TLS 1.3 drops RSA key exchange entirely, completes the handshake in a single round trip and encrypts everything after the ServerHello, including the certificate.
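The derivation in the fourth and fifth steps above, as an added example that is not part of the original article: the TLS 1.2 pseudorandom function from RFC 5246, used to turn the premaster secret and the two hello randoms into the master secret, the record-layer keys for an AES-128-GCM cipher suite and the Finished message's verify_data. The premaster secret, randoms and handshake transcript are constructed stand-ins (no real handshake is performed and no RSA encryption is shown), the function names are this example's own, and TLS 1.3 replaces this PRF with HKDF.

```python
"""TLS 1.2 key derivation (RFC 5246): both peers compute identical session keys from
the premaster secret and the two hello randoms; nothing key-like ever crosses the wire."""
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function from RFC 5246 section 5."""
    out = b""
    a = seed                                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: the master secret is always 48 bytes."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def derive_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5246 section 6.3 key block for an AES-128-GCM suite (AEAD, so no MAC keys).
    The randoms are concatenated server-first here, the opposite of the master secret."""
    block = prf(master, b"key expansion", server_random + client_random, 16 + 16 + 4 + 4)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def finished_verify_data(master: bytes, side: str, transcript: bytes) -> bytes:
    """RFC 5246 section 7.4.9: 12 bytes binding the whole handshake transcript."""
    label = b"client finished" if side == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def simulate_handshake(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Run the derivation on 'both sides' and report whether they agree.
    The premaster secret is passed in directly; in a real RSA key exchange it is the
    value the client encrypts to the server's public key and the server decrypts."""
    # Constructed stand-in for the concatenation of all handshake messages so far.
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"

    client_master = derive_master_secret(premaster, client_random, server_random)
    server_master = derive_master_secret(premaster, client_random, server_random)
    client_keys = derive_keys(client_master, client_random, server_random)
    server_keys = derive_keys(server_master, client_random, server_random)

    # The client sends its Finished; the server recomputes it over the same transcript.
    client_finished = finished_verify_data(client_master, "client", transcript)
    server_expects = finished_verify_data(server_master, "client", transcript)

    return {
        "master_secret": client_master,
        "keys_agree": client_keys == server_keys,
        "finished_ok": hmac.compare_digest(client_finished, server_expects),
        "client_write_key": client_keys["client_write_key"],
    }


if __name__ == "__main__":
    pm = os.urandom(48)                      # constructed premaster secret (48 bytes in RSA key exchange)
    cr, sr = os.urandom(32), os.urandom(32)  # constructed ClientHello.random / ServerHello.random
    result = simulate_handshake(pm, cr, sr)
    print("keys agree:", result["keys_agree"], "finished ok:", result["finished_ok"])
    # An eavesdropper who saw both randoms but not the premaster secret gets unrelated keys.
    wrong = simulate_handshake(os.urandom(48), cr, sr)
    print("eavesdropper key matches:", wrong["client_write_key"] == result["client_write_key"])
```

Run it twice with the same inputs and the master secret is identical; change any one input and every derived key changes. That is why the server never has to "send the session key": both sides already hold everything needed to compute it, and an eavesdropper who saw both randoms is still missing the premaster secret.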
Why Is SSL/TLS Important?
SSL/TLS protection is necessary on websites for many reasons:
- To protect users’ information
- To build customer trust in the brand
- To validate website ownership
- To stop an attacker on the network path from impersonating the site or tampering with its pages in transit and siphoning sensitive information
Any time a website requires that users log in, asks for personal information, or provides access to private content — its ability to maintain privacy for the user is crucial.
SSL/TLS contributes to the privacy of online communications and reassures visitors that a website is reliable and secure.
In addition, major browsers already label HTTP websites without SSL/TLS certificates "Not secure" in the address bar (Chrome has done so since 2018). This throws up a huge red flag to visitors and can quickly push them to close out and try another website. Today, websites that don't invest in SSL/TLS are likely at risk of losing traffic and revenue.
Should I Turn SSL/TLS Off? What Happens If I Do?
In short, as a website owner or administrator it’s pretty much always better to be using SSL/TLS than to not be.
And that’s true even if you don’t collect any user information on your website.
Not only is SSL/TLS critical for data security, as we've mentioned many times, it also stops anyone on the network path from altering or injecting content into the pages your site serves (plain HTTP pages can be rewritten in transit, for example to insert ads, trackers or malware), and it avoids the "Not secure" label in the address bar that can scare off many users. (The "Your connection is not private" interstitial is a different, more severe case: it appears when a site has HTTPS but a broken or expired certificate.)
As of the end of 2023, roughly 85% of websites serve their traffic over HTTPS using SSL/TLS.
What Is An SSL Certificate?
Now, let’s add a little depth to the SSL/TLS certificate concept — which we’ll shorten to SSL certificate from here on out — that we introduced earlier.
An SSL certificate is an X.509 digital certificate issued by a certificate authority (CA). It binds the identity of the website to which it was issued (at minimum, its domain names) to a cryptographic key pair, the public and private keys we've talked about already: the certificate contains the public key and the CA's signature, while the private key stays on the server and never appears in the certificate.
Aside from supporting secure connections via its keys, a certificate can also tell users something about who operates a website, provided the CA verified that identity when issuing it (see the validation levels below). A domain-validated certificate only attests that the holder controlled the domain at issuance time.
As a user, you can check out the details of an SSL certificate by clicking the padlock icon in the address bar. Information you can see here may include:
- The domain name that the certificate is for
- The business or person the certificate was issued to (only for OV and EV certificates), and which certificate authority issued it
- The certificate authority’s digital signature and the public key
- When the certificate was issued and when it expires
If any of the info from the certificate feels fishy or doesn’t seem to match up to the website you’re visiting, you know to take a closer look before sharing any personal information.
5 Types Of SSL Certificates
There are several types of SSL certificates, with varying degrees of validation.
Extended Validation SSL Certificate (EV SSL)
Extended validation SSL certificates (EV SSLs) represent the most rigorous, and most expensive, form of certificate validation. The encryption is no different from other certificate types; what differs is how thoroughly the CA verifies the identity of the organization behind the domain.
To obtain one, the applicant must go through a documented identity and legal-existence verification process. EV certificates are typically bought by banks, e-commerce sites and other organizations handling sensitive transactions. Browsers used to display the certified business's name and country in the address bar next to the padlock; the major browsers removed that special treatment in 2019, so today an EV certificate looks like any other in the address bar and the organization details are visible only when a user opens the certificate viewer.
Organization Validated SSL Certificate (OV SSL)
Organization validated SSL certificates (OV SSLs) are similar to EV SSLs in that the CA verifies the organization's identity (against lighter requirements) and records it in the certificate; they are a step down in validation rigor and expense, not in encryption strength.
OV SSLs are usually used by commercial or public-facing websites that want their organization's name to appear in the certificate details.
Domain Validated SSL Certificate (DV SSL)
Domain validated SSL certificates (DV SSLs) involve the least rigorous (and cheapest, often free) validation and are by far the most common type, used by blogs and informational websites as well as a great many commercial sites. The connection is encrypted exactly as with OV or EV; the only difference is that the CA verifies nothing about who you are beyond your control of the domain.
Typically, the validation process only requires the applicant to prove control of the domain, for example by responding to an email sent to an address at that domain, publishing a file at a specific URL on the site, or adding a DNS TXT record. Automated CAs such as Let's Encrypt issue DV certificates this way through the ACME protocol. With a DV certificate, the address bar shows only HTTPS and the padlock icon.
Multi-Domain SSL Certificate (MD SSL)
Multi-Domain SSL certificates (MD SSLs) are also referred to as subject alternative name (SAN) certificates or unified communications certificates (UCC).
An MD SSL certificate can cover several distinct domain names as well as their subdomains (think example.com, example.org, en.example.com and blog.example.com) in a single certificate. Each name is listed in the certificate's subject alternative name extension, and the maximum number of names is set by the issuing CA.
Every hostname you want to protect must be listed at the time of issuance. To add more, the holder must have the certificate reissued by the CA. Because the certificate is valid only for the names explicitly listed, a stolen key can be used only for those names, which limits the damage compared with the wildcard option below.
Wildcard SSL Certificate
Wildcard SSL certificates cover one domain and an unlimited number of its subdomains at a single level: a certificate for *.example.com is valid for blog.example.com and shop.example.com, but not for example.com itself (unless the apex is also listed as a SAN, which CAs commonly do) nor for a.b.example.com, since the wildcard matches exactly one DNS label.
For websites with lots of subdomains, this can be a fast and affordable way to make sure every section of your website is covered, including subdomains created after the certificate was issued. The downside is that every server that terminates TLS for any of those subdomains holds the same private key. If just one of them is compromised, the attacker can impersonate every other subdomain covered by the wildcard until the certificate is revoked and replaced.
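Which hostnames a SAN list or a wildcard actually covers, as an added example (not code from the article or from any browser): a name-matching function implementing the rules browsers apply, run over two constructed certificate name lists. The function and the names are this example's own; Python's ssl module applies equivalent rules internally when check_hostname is enabled.

```python
"""Which hostnames does a certificate cover? Name matching for SAN lists and wildcards."""
from typing import Optional, Sequence


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one DNS name from a certificate covers hostname.
    Rules as browsers apply them (RFC 6125 plus CA/Browser Forum restrictions):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard must be the entire leftmost label ("*.example.com", not "w*.example.com")
      - the wildcard stands for exactly one label, so it covers blog.example.com
        but neither example.com itself nor a.b.example.com
      - a wildcard needs at least two labels after it ("*.com" is never valid)"""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    if len(host_labels) != len(cert_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == cert_labels[1:]


def matching_name(cert_names: Sequence[str], hostname: str) -> Optional[str]:
    """Return the certificate name that covers hostname, or None if none does."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


def coverage_report(cert_names: Sequence[str], hostnames: Sequence[str]) -> dict:
    """Map each hostname to the certificate name covering it (None means a certificate error)."""
    return {host: matching_name(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed name lists: a multi-domain (SAN) certificate and a wildcard certificate.
    multi_domain = ["example.com", "www.example.com", "example.org", "blog.example.com"]
    wildcard = ["*.example.com", "example.com"]   # CAs commonly add the apex as a second SAN
    hosts = ["example.com", "blog.example.com", "shop.example.com", "a.b.example.com", "example.org"]
    for label, names in (("multi-domain", multi_domain), ("wildcard", wildcard)):
        print(label, coverage_report(names, hosts))
```

The report makes the trade-off concrete: the SAN certificate fails for shop.example.com because that name was never declared, while the wildcard covers it automatically but still fails for a.b.example.com and for the apex unless it is listed separately.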
How To Get An SSL Certificate in 7 Steps
If you’re ready to take advantage of the security an SSL certificate can provide, these basic steps should help most website owners get the documentation they need:
1. Choose Your SSL Coverage Level
How many domains and subdomains do you want to secure? What level of identity validation do you need? Use the above guide to SSL certificate types to determine what kind you're looking for.
2. Generate A Certificate Signing Request
A certificate signing request (CSR) is a file containing your domain name(s), your organization details and your public key, signed with the corresponding private key so the CA can confirm you hold it. It is not encrypted, and it does not contain the private key: you generate the key pair yourself, the CSR carries only the public half, and the private key stays on your server. Never send the private key to anyone, the CA included.
How you generate a CSR varies based on which platform you’re on, or which website host you go through. Most hosts will allow you to create a CSR through their admin panel. Here’s how DreamHost customers can create a CSR.
If you’d rather try to tackle this step without host help, this guide may help you track down the specific steps you need to follow.
3. Purchase Your Certificate Through A Certificate Authority
Your next step is to seek out a reputable CA to purchase your SSL certificate from, or, for a DV certificate, to obtain one free of charge from an automated CA. There are many options to choose from.
Whatever provider you choose, their website should guide you through selecting your SSL certificate type, submitting your CSR, and completing your purchase.
DreamHost customers can acquire an SSL certificate — free or paid — via the customer panel. See how here.
4. Complete Validation (If Required)
If you’ve chosen a highly-secure certificate type that requires you to prove your identity and/or website ownership, your CA will give you steps to follow to provide validation.
5. Install Your New SSL Certificate
If all is going according to plan, you should now be able to download the certificate files provided by your CA: your own certificate plus one or more intermediate CA certificates (the "chain"). Install all of them. A common misconfiguration is to install only your own certificate, which appears to work in browsers that have cached the intermediate from another site and fails in fresh browsers and most API clients. Now it's time to install it on your website.
This is another step that can vary a good amount based on your website platform, your hosting provider, and even the type of certificate you’ve gone for. Contact your hosting provider or log into your website host’s customer panel and look for something called “SSL/TLS settings” or “SSL/TLS manager” and follow the steps for installing the files you downloaded.
Or, if you prefer to do it on your own, DigiCert has another guide to help you navigate most platforms.
For WordPress users, SSL certificate installation can be handled using a plugin like Really Simple SSL. DreamHost customers can add a third-party SSL certificate by following these instructions.
Related: What Is A Plugin?
6. Test Your SSL Installation
To verify that your certificate is installed correctly and functioning properly, use an online SSL checker (search for "SSL checker tool"; the CA you used may also offer one on their website). A good checker confirms that the certificate matches every hostname you use (the apex domain and www), that the full intermediate chain is served, that the certificate is not about to expire and that only TLS 1.2 and 1.3 are enabled. Also test from a browser or device that has never visited your site, since browsers cache intermediates and can mask a missing chain.
7. Redirect HTTP URLs
Finally, redirect every HTTP URL to its HTTPS equivalent after installing your SSL certificate, using a permanent (301 or 308) redirect, so that users and search engines only reach the encrypted version of your website. Once the redirect works everywhere, you can also send the Strict-Transport-Security (HSTS) header so that returning browsers go straight to HTTPS without making the insecure first request at all.
DreamHost automatically redirects visitors to the HTTPS version of your site once you add an SSL certificate, and other website hosts may do the same.
If this isn’t an option for you and you need to update your server manually, we have instructions for accessing an Apache or Nginx server to force a redirect here.
For WordPress users, if you used an SSL installation plugin it may also have HTTP-to-HTTPS migration services built in. If not, Redirection or another plugin could be a big help here.
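A script for checking the results of steps 6 and 7 (and the certificate expiry discussed later in this article), as an added example that is not the article's or DreamHost's own tooling: it judges an HTTP-to-HTTPS redirect response and a certificate in the format Python's ssl.getpeercert() returns, and includes a check_site() function that performs the live checks and needs network access. The sample certificate, dates and hostnames are constructed; the function names and the 30-day warning threshold are this example's choices.

```python
"""Post-install checks for steps 6 and 7: does http:// redirect permanently to https://,
and does the TLS endpoint present a sane certificate on a modern protocol version?"""
import datetime as dt
import socket
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Optional


def evaluate_redirect(status: int, location: Optional[str], host: str) -> List[str]:
    """Judge the response to GET http://host/ ; an empty list means the redirect is right."""
    problems = []
    if status not in (301, 308):
        problems.append(f"expected a permanent redirect (301 or 308) from http://, got {status}")
    if not location:
        problems.append("no Location header, so clients stay on plain HTTP")
        return problems
    target = urllib.parse.urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target {location!r} is not https://")
    if target.hostname != host.lower():
        problems.append(f"redirect leaves the site: {target.hostname!r} instead of {host!r}")
    return problems


def evaluate_tls(version: str, cert: dict, now: dt.datetime, warn_days: int = 30) -> List[str]:
    """Judge the negotiated protocol version and a certificate in ssl.getpeercert() format."""
    problems = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"server negotiated {version}; only TLS 1.2 and 1.3 should be enabled")
    # notAfter strings look like "Jun 25 00:00:00 2030 GMT"; ssl parses them as UTC.
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        problems.append(f"certificate expired {-days_left} days ago ({cert['notAfter']})")
    elif days_left < warn_days:
        problems.append(f"certificate expires in {days_left} days; renew now")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        problems.append("no DNS subjectAltName entries; browsers ignore the commonName")
    return problems


def check_site(host: str, timeout: float = 10.0) -> List[str]:
    """Live check (needs network): fetch the certificate and the redirect, then judge both."""
    # The default context verifies the chain and the hostname; a missing intermediate or a
    # certificate for the wrong name raises ssl.SSLCertVerificationError right here.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, cert = tls.version(), tls.getpeercert()

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # report the redirect instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://{host}/", timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # unfollowed redirects surface as HTTPError
        status, location = err.code, err.headers.get("Location")
    now = dt.datetime.now(dt.timezone.utc)
    return evaluate_redirect(status, location, host) + evaluate_tls(version, cert, now)


if __name__ == "__main__":
    # Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert().
    sample_cert = {
        "subject": ((("commonName", "example.com"),),),
        "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
        "notBefore": "Mar 27 00:00:00 2030 GMT",
        "notAfter": "Jun 25 00:00:00 2030 GMT",
    }
    today = dt.datetime(2030, 5, 30, tzinfo=dt.timezone.utc)
    print(evaluate_tls("TLSv1.3", sample_cert, today))
    print(evaluate_redirect(302, "http://example.com/", "example.com"))
```

Run check_site("yourdomain.example") after deployment: an empty list means the redirect is permanent and stays on HTTPS, the chain and hostname verified, the protocol is TLS 1.2 or 1.3 and the certificate has more than 30 days left. Putting it in a cron job turns the renewal reminder into something you control rather than an email you might miss.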
Related: What Is A Redirect?
Do SSL Certificates Expire?
Yes, SSL certificates expire.
Publicly trusted certificates have a maximum validity set by the Certificate Authority/Browser Forum, the industry body whose Baseline Requirements every publicly trusted CA must follow. Since September 2020 that limit is 398 days (about 13 months). The change followed Apple's announcement that Safari would reject newly issued certificates with longer validity, ending the previous two-year norm, and the industry continues to move toward shorter lifetimes. When yours expires depends on the validity period chosen at issuance: commercial CAs typically issue for a year, while Let's Encrypt certificates last 90 days and are designed to be renewed automatically.
Certificates expire because the facts they attest go stale: domains change hands, organizations rename or dissolve, and a private key can be stolen without the owner noticing. Revocation checking in browsers is unreliable, so a short lifetime is the most dependable way to limit how long a stolen key or an outdated identity claim can be abused. Renewal also gives website owners a chance to rotate keys and gives the CA an opportunity to re-verify the information attached to the certificate.
When an SSL certificate expires, browsers do not merely warn: they show a full-page error (in Chrome it reads "Your connection is not private" with the code NET::ERR_CERT_DATE_INVALID) and block the page until the user clicks through, which many will not. Non-browser clients such as mobile apps, API integrations and monitoring tools typically fail outright with no way to click through.
Of course, an SSL expiration doesn't come out of nowhere. The CA you got your certificate from will send a notification when it's time to renew, typically starting around 90 days out, and we recommend you act on them as soon as you get them. Make sure they go to an email address you know you'll always check and have access to, but do not rely on them alone: track your certificates' expiry dates in your own monitoring as well, since reminder emails get filtered and the account holder may have left the company.
How To Renew Your SSL Certificate
With many SSL certification providers, the steps for refreshing your SSL certificate are the same as getting one the first time around. So you’ll need to generate a CSR, purchase an SSL certificate from a CA, complete any validation required, and install and test your certificate.
That said, a lot of SSL providers and website hosts now automate as much of this process as possible, usually through the ACME protocol (the one Let's Encrypt uses, and which many commercial CAs now support), which renews and installs certificates without anyone lifting a finger. So you may not have to walk through all the steps every time, but it's helpful to know what kind of maintenance you could have on your plate when considering SSL certification and upkeep on your website.
Related: How To Fix Common SSL Issues In WordPress
Choose A Web Host That Empowers Your Security Goals
Luckily, securing the online user experience and instilling trust in your brand with SSL/TLS coverage is a decently approachable process. However, that doesn’t mean every website owner will have the desire or the time to not only find the best SSL certification option but to install it and maintain it year after year.
If you’d rather focus on the business side of things, DreamHost’s website management pro services team can support your security and experience goals by handling everything from minor updates to hacking recovery, link migration, and full-blown website administration and monitoring.