Choosing the right SSL certificate can be a difficult process mostly because the industry uses confusing language and provides many similar sounding options.
By the end of this article, you’ll be able to better understand the often cryptic meaning (no pun intended) behind the specifications for an SSL certificate and clearly differentiate between your options.
Tip: if you’re hosted with us, using Plesk Control Panel, and you want an SSL certificate, you don’t need to purchase a commercial one! Check out our guide to installing a FREE Let’s Encrypt certificate with Plesk. Commercial certificates are recommended for eCommerce sites and any website that is storing sensitive data. Drawbacks of Let’s Encrypt certificates include: no site seal, no warranty, and the slightly higher potential for a certificate to be spoofed.
To get you started, I’m going to pull some info comparing SSL certificates from Sectigo (previously known as Comodo CA), our primary commercial SSL provider.
Stats like validity options (how long the certificate is valid for) and issuance time (how long it takes to provide the certificate) are either fairly obvious or standard, so I’m not going to include them here. Below you’ll find 6 comparison points:
- SSL Certificate Validation Methods
- How SSL Warranties Work
- Wildcard Certificates
- Dynamic Site Seals (some really like these)
- UC/SAN multi-domain support
- Key Strength / Encryption Strength
SSL Validation Methods
Validation is typically of 3 types: domain validation, organization validation, and extended validation (EV).
Cheaper or free SSL certificates are typically domain validated only. With domain validation, the SSL issuer checks only that you own the domain and nothing more. This is done by sending an approval email to an email address that’s already associated with the domain, either by being listed on the domain registration WHOIS record or by being a ‘standard’ email address for the domain. For example, for the domain websavers.ca, most SSL certificate providers will give you the option of sending the approval email to admin@websavers.ca, webmaster@websavers.ca or other similar ‘standard’ email addresses.
These certs are cheap or free and most are issued within minutes. Check out the link above for the simplest and cheapest (free!) Domain Validated certificate option, Let’s Encrypt.
With organization validation the issuer verifies that you both own the domain and that you are actually a representative of your company. They’ll place the company contact information directly in the certificate so that savvy users who are curious about the certificate can look at it to confirm that the site they’re visiting really does belong to you.
The problem with organization validation is that the additional info within is only visible to tech-savvy visitors who actually want to look at the certificate. Most visitors aren’t going to notice a difference between Organization Validated SSL Certificates and Domain Validated SSL Certificates.
Extended validation (EV) is similar to organization validation, but it doesn’t only show the organization information in the certificate for tech-savvy visitors: it also shows your company name in the address bar. You’ve probably seen this on PayPal’s website and on other large companies’ sites. Look in the address bar and notice that it doesn’t just show that the website is secured; it also shows the name of the corporation that owns the site.
If you wish to have your organization show up in the address bar to put your visitors at ease when making purchases on your site, then an EV-SSL certificate is for you.
Please note: EV certificates have fairly in-depth requirements compared to other certificates. The issuer must validate that your company exists and has a physical location with manual verification. If you’re not prepared to undergo this extensive verification process, pick a different type of certificate.
SSL Certificate Warranty
This one confused me for quite some time. Most people think that the warranty refers to the amount of money that the SSL issuer will pay you in lost sales if the certificate fails to function as it should. In fact, the warranty refers only to the maximum amount the SSL issuer will pay your website visitors if they are defrauded through a forged SSL certificate while making purchases on your website.
Due to the rigorous security of the SSL certificate issuance process, there are only a couple of instances of fraudulent certificates every few years (it’s quite rare), and attackers generally target larger brands. However, I suppose it could happen to anyone.
Unless you’re processing a massive amount of sales dollars through your website, I see little reason to pay attention to this particular stat.
Free Let’s Encrypt certificates have no warranty. Generally speaking, the more costly the cert, the greater the warranty coverage.
Wildcard SSL Certificates
Most SSL certificates will only secure a single subdomain at a time. For example, an SSL cert for websavers.ca will only secure www.websavers.ca and websavers.ca (they are treated as the same). If I want to secure clients.websavers.ca or ssl.websavers.ca then I need to buy a separate certificate for each… unless of course I buy a wildcard certificate.
These are typically more expensive, but they allow you to specify a domain like *.websavers.ca when requesting the certificate, which lets you secure any number of subdomains across multiple servers (most of the time — there are some providers whose certificates will not work on multiple servers).
If you wish to secure more than one subdomain, be sure to order a wildcard SSL Certificate.
Dynamic Date Site Seal
The idea behind a dynamic date/time seal is that you can place a piece of code on your website that says your site is secure. When a visitor hits your website, the code checks in with the SSL certificate issuer and confirms that your SSL certificate is valid, displaying this status to your visitors.
This might sound great, but here’s why I think it’s a gimmick:
- Anyone could easily throw up any old image of a lock that looks like one of these site seals on their website and claim their site is secure. Because this undermines those using actual dynamic site seals, it basically makes the whole site-seal system meaningless.
- Your browser already indicates when the site is secure and likely does a much better job of it. It’s also comparatively difficult to fool a browser into thinking a site is secure when it’s not.
If you really want one of these things badly, then be sure you choose an SSL certificate that supports it, but if you have to pay more for a certificate just to get this functionality, I wouldn’t recommend it.
UC/SAN multi-domain support
UC/SAN certificates are usually quite expensive, but they do provide some interesting functionality. If you wish to secure multiple domains (not subdomains, but actually different domains like websavers.ca and myserver.ws) but you don’t wish to purchase an SSL certificate for each one, then a UC/SAN cert might be for you. As I understand it, companies like GeoTrust provide these certs wherein you can log in to their panel and generate a certificate for a new domain (typically up to about 25 domains) at any time within the cert’s validity period.
This is also an option for free Let’s Encrypt certificates available in Plesk (see link above).
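To make the validation, wildcard and UC/SAN sections above concrete, here is an added Python example; it is not part of the original article or of any CA’s tooling. It takes a certificate in the dict shape Python’s ssl.SSLSocket.getpeercert() returns, reads the validation level off the subject fields (EV certificates must carry businessCategory under the CA/Browser Forum EV Guidelines), classifies what the certificate covers, and checks a hostname against the SAN list with RFC 6125 wildcard rules. The sample certificates and the organization name are constructed.

```python
def subject_field(cert, name):
    """Return one subject attribute (e.g. 'organizationName'), or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def validation_level(cert):
    """DV: domain only. OV: organization named. EV: also businessCategory (EV Guidelines)."""
    if subject_field(cert, "organizationName") is None:
        return "DV"
    return "EV" if subject_field(cert, "businessCategory") else "OV"

def dns_names(cert):
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def coverage(cert):
    """single-domain, wildcard or multi-domain; registrable domain ~ last two labels."""
    names = dns_names(cert)
    if any(n.startswith("*.") for n in names):
        return "wildcard"
    domains = {".".join(n.split(".")[-2:]) for n in names}
    return "multi-domain" if len(domains) > 1 else "single-domain"

def matches(pattern, hostname):
    """RFC 6125: '*' is the whole left-most label and stands for exactly one label,
    so *.websavers.ca covers clients.websavers.ca, not websavers.ca or a.b.websavers.ca."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and p[1:] == h[1:]

def covers(cert, hostname):
    """True when some SAN entry matches the hostname the visitor typed."""
    return any(matches(n, hostname) for n in dns_names(cert))

# Constructed samples, not real issued certificates. A single-domain cert lists
# both the bare domain and www., which is why the two are "treated as the same".
DV_CERT = {"subject": ((("commonName", "websavers.ca"),),),
           "subjectAltName": (("DNS", "websavers.ca"), ("DNS", "www.websavers.ca"))}
WILDCARD_OV_CERT = {"subject": ((("organizationName", "Example Hosting Ltd."),),
                                (("commonName", "*.websavers.ca"),)),
                    "subjectAltName": (("DNS", "*.websavers.ca"), ("DNS", "websavers.ca"))}
UC_EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                          (("organizationName", "Example Hosting Ltd."),),
                          (("commonName", "websavers.ca"),)),
              "subjectAltName": (("DNS", "websavers.ca"), ("DNS", "myserver.ws"))}
```

Note that the wildcard entry alone does not cover the bare domain, which is why wildcard certificates normally list websavers.ca as a second SAN.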
Key Strength / Encryption Strength
You’ve seen things like 128-bit encryption, 256-bit encryption, 2048-bit keys, 4096-bit keys, and it’s all very confusing. How can something be 256-bit and 2048-bit? What is a bit? Who is a bit? A bit what? A bit confused yet?
The world’s most powerful computer as of writing this can do 93,000 trillion calculations per second. So, to lean on an answer someone gave about how long it would take the most powerful computer on earth to crack 256-bit encryption: it would still take over three years. At that point your certificate would have expired (since they expire after either 1 or 2 years), a whole new one would need to be generated, and those trying to crack it would need to start all over again.
And, let’s face it, if China, Russia, or the CIA have more powerful computers (did ya put on your tinfoil hat yet?) and they’re trying to crack your web browsing sessions, you’ve probably got bigger things to worry about than the level of encryption you’re using on your eCommerce site.
Long story short, since SSL certificate providers are in business to provide security services, it’s in their best interest to provide you with SSL certificates that are sufficiently secure. As computing power increases, so too does the encryption strength of certificates over time. Any certificate that’s still available for purchase from a legitimate source (like Comodo) is going to be strong enough to protect your website visitors.
Which do I choose then?
Here’s my rule of thumb:
- If you wish to simply secure registration or login to your site, use a domain validated SSL certificate. They’re cheap, easy and quick to obtain.
- If you wish to instill the utmost confidence in your visitors that your site is reliable and secure, and you have a registered corporation, then purchase an EV-SSL certificate so they can clearly see your organization name in the address bar.
- If you’ve got more than a few subdomains to secure, pick up a wildcard SSL certificate so as to avoid paying for a certificate for each individual subdomain.
Do you have additional information on SSL certificates that could help our visitors in making a decision? I’d love to hear about it! Use the comment form below to tell me all about it.