I have had a number of clients ask me whether it is necessary to install a TLS on their website or not.
Let me put it this way. If your site contains public and private view i.e content protected by a password, then yes; using a TLS protects you as well your customers by encrypting sensitive information like email, password, address etc.
Google has been “nudging” site owners to adopt HTTPS permanently, in fact, it has made a serious announcement this February regarding chrome’s support for non-https websites.
Now, you know that you need a TLS certificate, you know there are vendors or Certificate Authorities (CA) like Comodo, Symantec, Digicert etc who provide a range of certificates.
But there are dozens of options, you will see. Some cost $10, other costs $1000. Why such difference in price? Are the expensive ones more secure than cheaper ones?
Now we come to understanding the different types of SSL/TLS certificates.
Types of TLS Certificates
SSL Certificates come in all ranges. They can be FREE, they can cost you thousand of dollars, or they can cost something in between.
Now why is that? Especially when they’re doing the same thing ie. securing communication between a server and user agent.
Now if you may be wondering; if a FREE SSL offers the same level of security as that of an expensive SSL, then what the heck are these prices for?
What you’re paying for is the “Trust factor” not security.
TLS certificates are categorised based on the vetting process; meaning how the buyer is verified.
The 3 types of validation based TLS are:
- Domain Validation (DV Type)
- Single Domain
- Multi-domain / SAN
- Organization Validation (OV Type)
- Single Domain
- Multi-domain / SAN
- Extended Validation (EV Type)
- Single Domain
- Multi-domain / SAN
Domain Validation Certificate
DV Certificates are the most inexpensive TLS available in the market. As the name implies, the only thing you need to prove is your ownership over your domain.
This verification can done by changing a DNS record, or via an email or uploading a file to your website root directory as given to you by your CA.
DV requires no owner verification and because of that this, the DV is available to anyone, whether you’re an individual or a business. Once you buy this certificate, its takes about few minutes to issue your certificate. Once properly installed on your server, you will get the green padlock immediately.
When you opt for any premium SSL, your customers are entitled to a warranty in case of data breach in spite of the secured connection as promised by your CA.
Depending on the type of SSL, your CA assures a certain amount. Since DV is easily available, the CA will offer a small amount as warranty as compared to other SSL certificates.
Who should go for DV Type TLS
Since DV is very easy to obtain and costs next to nothing, this certificate is beneficial for bloggers, portfolio websites, startups and small ecommerce sites*.
There are conditions for ecommerce sites. Not all ecommerce sites are same. There are ones who sell products like toys and shoes to your average retail customer and there are those who sell highly specialized products or services not meant for the average consumer.
For instance, if your business sells security solutions to banks or your government, then I would strongly advise you not to use a DV type. Your customers will scrutinize your site to check if you’re a genuine business and using a DV might prompt them to go for your competitor.
As I said before, the type of customers your business targets plays an important role when buying a SSL certificate.
If your business falls under this type, its best you go for OV or EV Type SSL which I will get to next.
DV Certificate types
By default, all SSL/TLS will secure your base domain. For example, if you own a domain called mycakeshop.com, then a DV Single-domain certificate will only secure your base domain i.e mycakeshop.com.
DV Wildcard can secure unlimited number of subdomains of the base domain. For example, if mycakeshop.com is your base domain, then you can secure help.mycakeshop.com, login.mycakeshop.com, blog.mycakeshop.com etc.
The DV multi-domain variant allows you to secure upto 100 domains. It protects different domains with a single certificate with the help of the SAN (Subject Alternative Name) extension.
You can even secure subdomains using this type of certificate.
Organisation Validation Certificate
The second type of SSL, we’re going to call Organization Validation Certificate or OV for short. If DV is validated by a domain, than a OV should be validated by ….. That’s right, an Organization.
Unlike the DV, this certificate is not the easy to get. This type of SSL will verify your ownership of your domain like that of a DV SSL but also it will verify the legal existence of your business.
The CA will investigate your business in government records and also verify through a phone call. This process takes from couple of days to a week, and it offers a substantial warranty amount than that of a DV.
Finally the cost for purchasing this SSL certificate. Since there is human involvement in this process the procure this certificate, its no doubt the OVs are costlier than DV certificates.
But in overall sense, the OV guarantees users that they are dealing with a legitimate business.
Who should use OV Type TLS
In general, they’re mostly used on mid to large e-commerce businesses like amazon, and corporate landing pages like ICICI bank.
If you have an established business and want improve your online trustworthiness, you can go for OV.
Now, I’m sure you noticed something. Here is my little blog for example on the left hand side, and corporate giant ICICI Bank to the right.
Do you spot any difference?
At first glance, there is no visual difference between a site using DV and another using an OV used by giants like ICICI, Amazon etc. It’s only after you dig a bit to find out what is what.
How to differentiate DV & OV certificates
Follow these steps to quickly identify if a site is using DV or OV type TLS
- Visit https://sslanalyzer.comodoca.com/
- Paste the URL of the website
- Check the Validation type row
Extended Validation Certificate
Finally, the third type of SSL is called the Extended Validation Certificate or EV for short. This SSL differentiates itself with the famous Green Bar, where along with the padlock, the name of the business is displayed.
This certificate offers the highest assurance to the users when it comes to online credibility. That’s why you will find major corporations, governments and financial organisations use this type of SSL a lot, especially on sites with high number of transactions. See examples below.
Now, in terms of security the EV is no more different than DV or the OV. But when it comes to the vetting process, the CA follows very strict guidelines.
And because of that strict vetting process, the EV is the most expensive TLS of all. Depending on the CA, these TLS can cost from hundreds to thousands of dollars.
The business has to prove its legal existence, current office address and whether it is currently operational or not. This vetting process may take weeks depending on the CA.
Since EVs are have stringent vetting criteria, the warranty sum offered is huge. The sum can go to millions of dollars depending on the CA.
Why do some businesses use an expensive EV SSL?
Online scammers often target popular websites to steal user’s confidential information. They achieve this by creating fake landing pages of these target websites. They use a DV TLS on their fake website to add a veneer of credibility and trick users to part with their information.
An example of this is the PayPal scam. PayPal is one of the most targeted website for online scammers. To combat this, PayPal had implemented an EV Type TLS so that their customers know they’re dealing with a genuine website.
As I mentioned before, there are some businesses which are more specialised. For instance, selling scientific equipments to universities, research labs etc. Such businesses greatly benefit using an EV type. This helps them have an edge over their competitors in online trustworthiness.
So, if you have a budget and are will to go an extra mile to ensure high online credibility, then an EV type is your answer.
Who should go for the EV SSL?
The examples above should give you an idea what types of entities are eligible for the EV type.
If your business plans to collect and store customer credit card information, it pays in the long run to use an EV type to give a peace of mind to your customers.
If you’re a corporate or an e-commerce business, you can improve your bottomline using an EV type.