What is SSL and TLS

Everything you need to know about SSL and TLS

If you've ever wondered how SSL certificates work and what TLS has to do with it, you've come to the right place. To start, let's dive into what exactly SSL certificates are.

SSL Certificates: a primer

SSL stands for Secure Sockets Layer. An SSL certificate is a type of digital certificate that you can install on your server to enable a secure, encrypted connection for users accessing your website or application. Encryption converts the information shared over this connection into an unreadable code. This means that third parties who intercept the transmitted data cannot read it, keeping user information safe and secure.

For example, if someone tries to access the HTTPS version of your site through a web browser, the browser will first check that your site has an SSL certificate and then verify its validity in a process known as the SSL handshake (which we'll talk more about later). Once the presence of a valid SSL is confirmed, an encrypted connection to the website is created.

It's generally advised that SSL certificates be obtained from a trusted Certificate Authority (CA). At Namecheap, our SSLs are issued by the CA Sectigo. There are numerous types of SSL certificates available, depending on how many domains or subdomains you have and the level of validation you need for your site. For the number of domains, there are:

  • Single-domain SSLs: This is ideal if you have a single domain
  • Multi-domain SSLs: Great if you have multiple domains
  • Wildcard SSLs: This SSL will protect multiple domains or subdomains (for example, login.yourwebsite.com, example.com, mail.example.net)

Click here to read more about the different types of SSL certificates based on the number of domains you need to protect.

Then there's validation level. This refers to the extent of background checks a CA performs on your website. For example, for a simple blog website, you probably wouldn't need extensive checks. However, for business websites that take credit card transactions, background verification is more important for customer peace of mind. The different validation levels are:

  • Domain Validation (DV): This will simply check that you are indeed the owner of the website;
  • Organization Validation (OV): This will verify that you own the website and minor background checks into you and your business will be carried out;
  • Enterprise Validation (EV): Extensive vetting of you and your business will be carried out, from its legal existence to physical location.

Read more about the different validation levels here. It's important to note that no matter what type of SSL certificate you go for, the level of encryption is the same for all of them. The only difference is the number of domains you wish to secure and the validation level you need.

Now that you have a general handle on what an SSL certificate is and the different types available, let's move on to address a very common confusion.

The difference between SSL and TLS

If you've been doing any research into SSL certificates you've probably come across the term TLS certificates. How are they different? Today we'll let you in on a little secret: these days, they're the same thing. If anything, TLS certificate is a more accurate name for what we call SSL certificates. However, SSL has become the catch-all industry brand name. Confused? We'll explain.

TLS is short for Transport Layer Security and it is the cryptographic protocol that is enabled when an SSL certificate is installed on your site. The TLS protocol is what ensures the connection between a client and your server is encrypted. So why do we call them SSL certificates?

The simple answer is when SSL certificates were first created (way back in 1995), they did use the Secure Sockets Layer protocol to create encrypted connections. But, as with many technologies used on the Internet, it was phased out over time. SSL had many security flaws, so a better encryption protocol was created to replace it: TLS. Use of the SSL protocol has been deprecated since 2015, and there have been many iterations of TLS over the past two decades, with the protocol improving and strengthening with each one. Currently, the TLS standard across the web is TLS version 1.3.

However, it should be noted that the protocol your website uses is not dictated by the certificate itself, but by your server settings. If you're unsure about the protocol enabled on your server, you can check with this site, reach out to your web hosting provider, or enlist the help of a systems administrator.

How is SSL related to HTTPS?

If you have ever visited a website, then you're probably familiar with HTTPS. You've likely seen HTTPS in a browser address bar as the prefix of a website address. Old school users of the Internet probably remember the days when HTTP was the widespread prefix. Short for Hypertext Transfer Protocol, HTTP is the protocol used for the transfer of data over the World Wide Web.

These days, HTTPS is the norm, with the "S" standing for secure. It's like HTTP, but safer. The HTTPS protocol is encrypted by the TLS protocol. HTTPS is one of the key indicators that a website has an SSL certificate installed and that your connection is safe. If a site you visit uses HTTP, this means your connection isn't secure and your web browser will probably flag it as unsafe.

How do SSL / TLS certificates actually work?

This is a complicated, technical process, but we'll try to explain it in the simplest terms possible. When a client (such as a browser) attempts to connect to a server (such as your website), they perform a process known as the SSL handshake, which helps them to communicate, authenticate and validate each other before finally setting up a secure connection.

Here's how a simplified version of the TLS 1.3 handshake looks:

  1. First, the client sends what is known as the "Client Hello" message to the server, along with a list of Cipher Suites that it supports (a cipher suite outlines the order of steps to follow to perform a cryptographic function. You can read more about them here). At the same time, the client guesses which key agreement protocol the server will use, and sends along its key share. A key agreement protocol is what creates a shared encryption key between the client and server.
  2. The Server responds with a "Server Hello" message, along with its chosen key agreement protocol, its own key share, its SSL certificate, and a "Server Finished" message.
  3. The browser then verifies that the SSL certificate is legitimate and then generates keys with the key share the server sent in its message. Once this is done, encryption begins.
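
To make step 1 concrete, here is an added example (not Namecheap's code) that builds a minimal, constructed "Client Hello" in Python and parses out what the client offered: its cipher suites, its TLS versions, and the group it guessed for its key share. The function names and the all-zero random and key-share bytes are assumptions for illustration, and the sample omits extensions a real server would require.

```python
import struct
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384"}
GROUPS = {0x001D: "x25519", 0x0017: "secp256r1"}  # code points from RFC 8446
VERSIONS = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2"}

def build_client_hello(suites, versions, shares):
    """Assemble a minimal ClientHello record (constructed sample input)."""
    def vec(n, body):  # vector prefixed with its length in n bytes
        return len(body).to_bytes(n, "big") + body
    sv = vec(1, struct.pack("!%dH" % len(versions), *versions))
    ks = vec(2, b"".join(struct.pack("!H", g) + vec(2, k) for g, k in shares))
    exts = struct.pack("!H", 0x002B) + vec(2, sv)   # supported_versions
    exts += struct.pack("!H", 0x0033) + vec(2, ks)  # key_share
    cs = vec(2, struct.pack("!%dH" % len(suites), *suites))
    body = b"\x03\x03" + bytes(32) + vec(1, b"") + cs + vec(1, b"\x00") + vec(2, exts)
    return b"\x16\x03\x01" + vec(2, b"\x01" + vec(3, body))  # record 22, handshake 1

def parse_client_hello(rec):
    """Return the cipher suites, versions and key-share groups a client offered."""
    try:
        rec_len = struct.unpack_from("!H", rec, 3)[0]
        if rec[0] != 0x16 or rec[5] != 0x01 or rec_len != len(rec) - 5:
            raise ValueError("not a complete ClientHello record")
        pos = 9 + 2 + 32                  # headers, legacy_version, random
        pos += 1 + rec[pos]               # session id
        n = struct.unpack_from("!H", rec, pos)[0]
        suites = struct.unpack_from("!%dH" % (n // 2), rec, pos + 2)
        pos += 2 + n
        pos += 1 + rec[pos]               # compression methods
        pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", rec, pos)[0]
        out = {"cipher_suites": [SUITES.get(s, hex(s)) for s in suites],
               "versions": [], "key_share_groups": []}
        while pos + 4 <= end:             # walk the extensions block
            etype, elen = struct.unpack_from("!HH", rec, pos)
            data, pos = rec[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0x002B:           # supported_versions
                vers = struct.unpack_from("!%dH" % (data[0] // 2), data, 1)
                out["versions"] = [VERSIONS.get(v, hex(v)) for v in vers]
            elif etype == 0x0033:         # key_share: one entry per guessed group
                i = 2
                while i + 4 <= len(data):
                    group, klen = struct.unpack_from("!HH", data, i)
                    out["key_share_groups"].append(GROUPS.get(group, hex(group)))
                    i += 4 + klen
        return out
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

SAMPLE = build_client_hello([0x1301, 0x1302], [0x0304, 0x0303], [(0x001D, bytes(32))])
```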

Why SSL is always necessary

A few years ago, the general advice was that you only needed an SSL certificate for things like login pages, transaction pages, or if your website dealt with taking any kind of sensitive user data. Today it is recommended that all websites have SSL enabled on every page, no matter what the website type.

There are several reasons for this. Cyber attacks are constantly on the rise and website users are generally becoming more and more discerning when it comes to the websites they visit (and rightly so). If your site doesn't have an SSL certificate, many users will hit that back button.

Furthermore, since 2014 Google has been campaigning for "HTTPS everywhere", encouraging the adoption of HTTPS throughout the web. In the years since, it has become more widespread, and is now a requirement for all major web browsers. If a website doesn't have an SSL certificate, web browsers will flag it as unsafe and advise users not to proceed.

To keep user data safe and to help create a more secure Internet, having an SSL certificate is a necessity.

Does SSL affect SEO?

Search Engine Optimization (SEO) refers to the steps you can take to optimize your site for ranking higher in search engine results pages (SERPs). This encompasses many things, and in the past few years, having a secure, encrypted connection on your site has become one of them. Since 2014, Google has considered having an SSL certificate on your site a ranking signal. This means that any site with an SSL certificate will have an edge over websites that don't, and will likely rank higher in Google's SERPs. To read more about how SSLs can positively impact SEO, check out this piece.


How to know if a site has SSL

SSL indicators have evolved a lot over the years and can be dependent on which browser you use.

One key indicator common to most modern web browsers is the padlock icon in the address bar, to the left of the website address.

Note: From September 2023, the padlock icon will be replaced by a tune icon in the new Chrome browser version. Google's reasoning is that secured HTTPS connections have become the online norm, not the exception, and no longer serve as a trust indicator. As such, the tune icon itself will not be a trust indicator but will provide detailed information about a website's connection and settings. So moving forward, when using a Chrome browser, the primary indication of a successful SSL certificate installation on a site will be the absence of security warnings.

Depending on the browser you use, you may also see the HTTPS prefix (since mid-2019, Google Chrome no longer shows this).

You can learn more about a website's SSL certificate by clicking on the padlock/tune icon. When you do so, a box will appear. When a website has an OV or EV SSL, this box should display the company name.

You can click on "Certificate" to find out further information about the SSL certificate, such as the individual or organization the certificate was issued to, the CA the certificate was issued by, and its validity period.

A website with an SSL may also display a secure site seal, which is a logo from the CA which informs users that your site uses SSL. Here is an example of Sectigo's site seal:

If a website doesn't have an SSL certificate (or has an untrustworthy SSL), a security warning message will most likely be displayed. Here are examples of such a security warning in Google Chrome, Firefox, and Microsoft Edge.

Google Chrome security warning:

Firefox security warning:

Microsoft Edge security warning:


How to add SSL / TLS to your website

The first step is getting an SSL certificate from a reputable source. If you're unsure which type of SSL is most suitable for your situation, check out this piece on our blog which should help point you in the right direction.

Once you've purchased and activated your SSL, installation will be dependent on the type of server you have. Here is a list of the most commonly used server types, and how to install an SSL certificate on each one.


The most common SSL errors and how to solve them

Unfortunately, things can sometimes go wrong during the SSL installation process and you may encounter errors. Here is a list of common installation errors on different server types and how to solve them. If your SSL errors are specific to Google Chrome, check out this guide. Other common errors occur due to a lost Private Key, having insecure or mixed content on your site, or an expired SSL certificate.


Conclusion

Hopefully, you walk away from this overview of SSLs feeling more informed. If you would like to buy an SSL or get further information, head over to Namecheap's SSLs page or check out the Knowledgebase.
