How do SSL certificates work? What are the types of SSL certificates?

In the past, the green padlock in browsers was a security symbol, indicating an encrypted connection using SSL/TLS. Browsers such as Google Chrome have since changed the way security is presented and removed the green padlock. Encrypted connections are now standard, and the emphasis is on warning users when security is not in place.

How does the connection between the browser and the server work?

When you type the address of a web page into your browser, the browser sends a request to the server that hosts the page. The server responds by sending various components of the page, such as HTML code, CSS files, JavaScript and images. The browser collects these components, creates a complete page from them and displays it on the user’s screen.

With a regular HTTP connection, the data sent between the server and the browser is not encrypted. This means that the transmitted information can be intercepted or even modified by third parties. For simple information pages, the risk may be small, but for pages that require logging in or the transfer of personal data, the lack of encryption poses a serious threat. For example, if someone intercepts the login data for an admin panel or personal information in a contact form, they can use it in an unauthorized way.

Data encryption becomes crucial when sensitive information such as logins, passwords, credit card data or other personal information is exchanged. This is where the need for an SSL/TLS certificate, which provides a secure, encrypted connection between the browser and the server, comes in.

How does the encrypted connection between the browser and the server work?

The principle of downloading a page over SSL is identical to that of a regular connection. The browser sends a request for page elements, and after the server returns them, it arranges them locally and displays them.

The difference is that the browser agrees with the server to encrypt the data before sending the request. With an SSL connection, the request to the server and all the items the server returns are encrypted before transmission and decrypted only in the browser. This means that such data cannot be eavesdropped on or modified between the server and the client.

The fact that data is encrypted is now indicated by a padlock icon in the browser bar (although it is no longer green, as it was before). Data can also be encrypted without such an indication, for example with “self-signed” certificates, which anyone can generate independently. However, for the browser to display the padlock, the certificate must be issued by a certificate authority (CA) that browsers recognize as trustworthy. It is worth remembering that the presence of the padlock is the result of cooperation between the browser and the certificate issuer, which must meet strict requirements.

Types of SSL certificates

There are several types of SSL certificates, which differ primarily in how they verify the identity of the site’s owner, rather than the level of encryption itself. All certificates display a padlock icon in the browser, but those with a higher level of verification may additionally show the name of the organization for which they were issued.

DV (Domain Validation) certificates

DV (Domain Validation) certificates guarantee encryption of information transmitted within the certified domain. These are the most popular and simplest certificates (the easiest to issue).
During the issuance of a certificate, ONLY domain verification takes place. The verification process is limited to confirming the SSL certificate order sent to the email address “admin@customer-domain.eu”.

Of course, the address must exist in the domain for which the certificate is purchased; in this case that would be “customer-domain.eu”. Clicking on the link sent by the certificate issuer to that address, e.g. admin@customer-domain.eu, is the only verification that you are the owner of the domain for which you want a certificate. After clicking the link, the certificate is issued.

If you look into the details of the certificate (for example, by clicking on the padlock icon in your browser), you will see information about the domain, but you won’t find details about the company or organization for which the certificate was issued.

Such certificates are the cheapest, costing about $40 per year, but they can be purchased even cheaper from some resellers.

Organization Validation (OV) certificates

OV (Organization Validation) certificates are characterized by a more advanced verification process. Before issuing them, it is necessary to confirm the company’s data on the basis of the relevant registration documents. Typically, this process requires sending documents by email, fax or snail mail. Compared to DV (Domain Validation) certificates, an OV certificate includes company information in the certificate details. From the user’s perspective, the browser displays an identical padlock icon to the DV certificate.

OV certificate prices are $170 per year.

EV (Extended Validation) certificates

Ordering a certificate requires accurate data and a set of documents in English.
The certification company may contact the company requesting the certificate directly; English language skills are required. The issuance procedure includes:
A. Organization Authentication Requirements
B. Operational Existence Confirmation
C. Physical Address Confirmation
D. Telephone Number Confirmation
E. Domain Authentication Requirements
F. Order Verification Requirements

The price of an EV certificate is $699. At many resellers you can buy these certificates much cheaper.

The advantage of these certificates is that they can display the organization’s name next to the standard padlock icon, which increases user trust. This solution is often used by financial institutions such as banks to emphasize the credibility of their website.

DV, OV, EV certificates – what about security?

As you can see from the descriptions above, certificates differ mainly in “formal issues” – the more advanced the certificate, the more information about the site owner is included: DV has none, OV has information inside the certificate details, and EV displays it in the address bar of the web browser.

Other than that, the certificates are technically no different – they have the same encryption algorithms and the same length of encryption keys.
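The difference described above can be checked in the certificate itself. The following is an added example, not part of the original article: it guesses the validation level from the subject fields in the format returned by Python's ssl.SSLSocket.getpeercert(). The sample certificates are constructed, and the classification is a heuristic assumption based on which identity fields are present (getpeercert() does not expose the certificate policy extension).

```python
import socket
import ssl

# Subject attributes that CAs add only after extended (EV) vetting.
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of getpeercert()['subject'] into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):      # subject is a tuple of RDNs
        for name, value in rdn:              # an RDN may hold several pairs
            fields.setdefault(name, value)
    return fields

def validation_level(cert):
    """Heuristic DV/OV/EV guess based on what the subject discloses."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"                          # domain only, no owner identity
    if EV_ONLY_FIELDS.issubset(fields):
        return "EV"                          # registration data is present
    return "OV"

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate; the default context rejects self-signed or
    untrusted chains, which is the same check that gates the browser padlock."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not real sites), in getpeercert() format.
DV_CERT = {"subject": ((("commonName", "customer-domain.eu"),),)}
OV_CERT = {"subject": ((("countryName", "PL"),),
                       (("organizationName", "Example Sp. z o.o."),),
                       (("commonName", "customer-domain.eu"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "PL"),),
                       (("serialNumber", "0000000000"),),
                       (("countryName", "PL"),),
                       (("organizationName", "Example Bank S.A."),),
                       (("commonName", "customer-domain.eu"),))}
SAN_ONLY_CERT = {"subject": (), "subjectAltName": (("DNS", "customer-domain.eu"),)}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT, SAN_ONLY_CERT):
        print(validation_level(cert), subject_fields(cert).get("organizationName"))
```

To inspect a real site, pass the result of fetch_cert("hostname") to validation_level(); the connection fails with ssl.SSLCertVerificationError if the chain is self-signed or otherwise untrusted.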

Is it worth using free SSL certificates?

A comparison of paid certificates with free certificates can be seen in the article: What is the difference between free SSL certificates and paid SSL certificates?