Everything you need to know about SSL and TLS
If you’ve ever wondered how SSL certificates work and what TLS has to do with it, you’ve come to the right place. To start, let’s dive into what exactly SSL certificates are.
SSL is short for Secure Sockets Layer. An SSL certificate is a type of digital certificate that you can install on your server to enable a secure, encrypted connection for users accessing your website or application. Encryption converts the information shared over this connection into an unreadable code. This means that any data transmitted cannot be read by third parties who intercept it, keeping user information safe and secure.
For example, if someone tries to access the HTTPS version of your site through a web browser, the browser will first check that your site has an SSL certificate and then verify its validity in a process known as the SSL handshake (which we’ll talk more about later). Once the presence of a valid SSL is confirmed, an encrypted connection to the website is created.
It’s generally advised that SSL certificates be obtained from a trusted Certificate Authority (CA). At Namecheap, our SSLs are issued by the CA Sectigo. There are numerous types of SSL certificates available, depending on how many domains or subdomains you have and the level of validation you need for your site. For the number of domains, there are:
Click here to read more about the different types of SSL certificate based on the number of domains you need to protect.
Then there’s validation level. This refers to the extent of background checks a CA performs on your website. For example, for a simple blog website, you probably wouldn’t need extensive checks. However, for business websites that take credit card transactions, background verification is more important for customer peace of mind. The different validation levels are:
Read more about the different validation levels here. It’s important to note that no matter what type of SSL certificate you go for, the level of encryption is the same for all of them. The only difference is the number of domains you wish to secure and the validation level you need.
Now that you have a general handle on what an SSL certificate is and the different types available, let’s move on to address a very common confusion.
If you’ve been doing any research into SSL certificates you’ve probably come across the term TLS certificates. How are they different? Today we’ll let you in on a little secret: these days, they’re the same thing. If anything, TLS certificate is a more accurate name for what we call SSL certificates. However, SSL has become the catch-all industry brand name. Confused? We’ll explain.
TLS is short for Transport Layer Security and it is the cryptographic protocol that is enabled when an SSL certificate is installed on your site. The TLS protocol is what ensures the connection between a client and your server is encrypted. So why do we call them SSL certificates?
The simple answer is that when SSL certificates were first created (way back in 1995), they did use the Secure Sockets Layer protocol to create encrypted connections. But, as with many technologies used on the Internet, it was phased out over time. SSL had many security flaws, so a better encryption protocol was created to replace it: TLS. Use of the SSL protocol has been deprecated since 2015, and there have been many iterations of TLS over the past two decades, with the protocol improving and strengthening with each one. Currently, the TLS standard across the web is TLS version 1.3.
However, it should be noted that the protocol your website uses is not dictated by the certificate itself, but by your server settings. If you’re unsure about the protocol enabled on your server, you can check with this site, reach out to your web hosting provider, or enlist the help of a systems administrator.
If you have ever visited a website, then you’re probably familiar with HTTPS. You’ve likely seen HTTPS in a browser address bar as the prefix of a website address. Old school users of the Internet probably remember the days when HTTP was the widespread prefix. Short for Hypertext Transfer Protocol, HTTP is the protocol used for the transfer of data over the World Wide Web.
These days, HTTPS is the norm, with the “S” standing for secure. It’s like HTTP, but safer. The HTTPS protocol is encrypted by the TLS protocol. HTTPS is one of the key indicators that a website has an SSL certificate installed and that your connection is safe. If a site you visit uses HTTP, this means your connection isn’t secure and your web browser will probably flag it as unsafe.
This is a complicated, technical process, but we’ll try to explain it in the most simple terms possible. When a client (such as a browser) attempts to connect to a server (such as your website) they perform a process known as the SSL handshake, which helps them to communicate, authenticate and validate each other before finally setting up a secure connection.
Here’s how a simplified version of the TLS 1.3 handshake looks:
A few years ago, the general advice was that you only needed an SSL certificate for things like login pages, transaction pages, or if your website dealt with taking any kind of sensitive user data. Today it is recommended that all websites have SSL enabled on every page, no matter what the website type.
There are several reasons for this. Cyber attacks are constantly on the rise and website users are generally becoming more and more discerning when it comes to the websites they visit (and rightly so). If your site doesn’t have an SSL certificate, many users will hit that back button.
Furthermore, since 2014 Google has been campaigning for “HTTPS everywhere”, encouraging the adoption of HTTPS throughout the web. In the years since, it has become more widespread, and is now a requirement for all major web browsers. If a website doesn’t have an SSL certificate, web browsers will flag it as unsafe and advise users not to proceed.
To keep user data safe and to help create a more secure Internet, having an SSL certificate is a necessity.
Search Engine Optimization (SEO) refers to the steps you can take to optimize your site for ranking higher in search engine results pages (SERPs). This encompasses many things, but in the past few years, having a secure, encrypted connection on your site is one of them. Since 2014, Google has considered having an SSL certificate on your site a ranking signal. This means that any site with an SSL certificate will have an edge over websites that don’t, and will likely rank higher in Google’s SERPs. To read more about how SSLs can positively impact SEO, check out this piece.
SSL indicators have evolved a lot over the years and can be dependent on which browser you use.
One key indicator common to all modern web browsers is the padlock icon in the address bar, to the left of the website address.
Depending on the browser you use, you may also see the HTTPS prefix (since mid-2019, Google Chrome no longer shows this).
You can learn more about a website’s SSL certificate by clicking on the padlock icon. When you do so, a box will appear. When a website has an OV or EV SSL, this box should display the company name.
You can click on “Certificate” to find out further information about the SSL certificate, such as the individual or organization the certificate was issued to, the CA the certificate was issued by, and its validity period.
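The same details can be read from a script: the protocol version a server negotiates (which, as noted earlier, comes from the server's settings rather than the certificate) and who the certificate was issued to, by whom, and for how long. This is an added example, not Namecheap's code; it uses Python's standard `ssl` module, and the sample certificate and host names are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

def strict_client_context() -> ssl.SSLContext:
    """Client context that verifies chain and hostname and refuses SSL 3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def summarize_cert(cert: dict, now: datetime) -> dict:
    """Reduce a getpeercert() dict to the fields a browser's certificate viewer shows."""
    def field(rdns, key):
        # subject/issuer are tuples of RDNs, each a tuple of (name, value) pairs
        return next((v for rdn in rdns for k, v in rdn if k == key), None)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "issued_to": field(cert["subject"], "commonName"),
        "organization": field(cert["subject"], "organizationName"),  # absent on DV certificates
        "issued_by": field(cert["issuer"], "organizationName"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": (not_after - now).days,   # negative once the certificate has expired
    }

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with host; report the negotiated protocol plus the certificate summary."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
            report = summarize_cert(tls.getpeercert(), datetime.now(timezone.utc))
            report["protocol"] = tls.version()   # e.g. "TLSv1.3"; decided by server settings
            report["cipher"] = tls.cipher()[0]
            return report

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("countryName", "GB"),), (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example DV Secure Server CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan 31 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test")),
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, datetime(2025, 1, 1, tzinfo=timezone.utc)))
```

Calling `probe("your-domain.example")` against your own site raises `ssl.SSLCertVerificationError` for an untrusted or expired certificate, and a different `ssl.SSLError` if the server only offers protocol versions older than TLS 1.2.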
A website with an SSL may also display a secure site seal, which is a logo from the CA which informs users that your site uses SSL. Here is an example of Sectigo’s site seal:
If a website doesn’t have an SSL certificate (or has an untrustworthy SSL), a security warning message will most likely be displayed. Here are examples of such a security warning in Google Chrome, Firefox, and Microsoft Edge.
Google Chrome security warning:
Firefox Security warning:
Microsoft Edge security warning:
The first step is getting an SSL certificate from a reputable source. If you're unsure which type of SSL is most suitable for your situation, check out this piece on our blog which should help point you in the right direction.
Once you’ve purchased and activated your SSL, installation will be dependent on the type of server you have. Here is a list of the most commonly used server types, and how to install an SSL certificate on each one.
Unfortunately, things can sometimes go wrong during the SSL installation process and you may encounter errors. Here is a list of common installation errors on different server types and how to solve them. If your SSL errors are specific to Google Chrome, check out this guide. Other common errors occur due to a lost Private Key, having insecure or mixed content on your site, or an expired SSL certificate.