What is an SSL certificate?
Written for Symantec
An SSL certificate is a type of digital certificate that provides authentication for a website and enables an encrypted connection. These certificates communicate to the client that the web service host demonstrated ownership of the domain to the certificate authority at the time of certificate issuance.1
This authentication process is much like sealing a letter in an envelope before sending it through the mail. SSL, short for Secure Sockets Layer, is commonly used on e-commerce sites and pages that require users to submit personal or credit card information.
By ensuring that all data passed between the two parties remains private and secure, SSL encryption can help prevent hackers from stealing private information such as credit card numbers, bank information, names, and addresses.
SSL certificates create trust with users by verifying that websites used to track finances and make online purchases are secure and legitimate.
Why do you need an SSL certificate?
An SSL certificate ensures that the provider is who they claim to be and also indicates secure connections between personal devices and websites. Understanding SSL certificates is important for website trust and to help protect customers from becoming a victim to scammers. It’s smart to keep in mind that not all websites, or SSL certificates, are created equal.
An SSL certificate helps secure information such as:
- Login credentials
- Credit card transactions or bank account information
- Personally identifiable information — such as full name, address, date of birth, or telephone number
- Proprietary information
- Legal documents and contracts
- Medical records
What are the different types of SSL certificates?
Website owners purchase SSL certificates through Certification Authorities. CAs are trusted entities that manage and issue security certificates and public keys that are used for communication in a public network.
There are three different types of SSL certificates. Each provides a different level of security. The levels of security differ greatly among the types of certificate. This is why it’s important to understand what kind of SSL certificate a site is using when performing a financial transaction or doing anything involving personal user data.
- Domain validated (DV). DV certificates only verify who owns the site. It’s a simple process where the CA will send an email to the website’s registered email address in order to verify its identity. No information about the company is required. Be aware that DV certificates have the lowest level of trust and are commonly used by cybercriminals because they are easy to obtain and can make a website appear more secure than it is.
- Organizationally validated (OV). To receive an OV certificate, a CA must validate certain information, including the organization, physical location, and its website’s domain name. This process typically takes a couple of days. OV certificates have a moderate level of trust and are a good option for public-facing websites that deal with less sensitive transactions.
- Extended validation (EV). This type of certificate is a must-have for websites that handle sensitive information. It has the highest level of security5 and is the easiest to identify. In order to issue an EV certificate, the CA performs an enhanced review of the applicant to increase the level of confidence in the business. The review process includes examination of corporate documents, confirmation of applicant identity, and checking the information with a third-party database. Users can know if a website holds an EV certificate if the browser’s URL bar contains a padlock and the company name is listed in green.
Ensure your online session is secure
Now that you know what an SSL certificate is, the three different types, and that DV-enabled sites pose a risk for scams, it’s important to learn how to reduce your exposure while shopping or performing other sensitive transactions online. To help ensure your online session is secure, follow these four steps:
- Look for trust indicators on shopping sites. Reputable logos or badges signify that the website meets certain security standards.
- Understand the type of SSL certificate a website holds. As a first step, look for visual cues indicating security, such as a lock symbol and green color in the address bar. Only EV-enabled websites include the company name in the web address bar. Browsers don’t distinguish a DV certificate from an OV certificate. Norton’s Safe Web tool can help you easily decipher the difference.
- Only conduct transactions and provide personal data to sites with OV or EV certificates. DV certificates can serve legitimate purposes, but that doesn’t include using them for e-commerce sites. If you drop a URL into the Norton Safe Web tool and it reports that the site has a DV certificate, rethink conducting any type of transaction through that site. If it’s an OV or EV certificate site, you know that the business information has been confirmed.
As more consumers continue to shop online, cyber risks continue to evolve. Understanding the types of SSL certificates to look for, what makes a safe site, and potential risks of online shopping, will help consumers avoid scams and protect their personal data from cybercriminals.
Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome and Android are trademarks of Google, LLC. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced and/or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other company names and product names are registered trademarks or trademarks of each company.