Who to trust: Different types of SSL certificates

We explain what digital certificates are, what types exist, and what problems are associated with them.

A secure connection is encrypted and therefore safe; an unprotected one isn’t. Easy, right? But where do certificates come from, and what’s the difference between SSL and TLS? What does a digital certificate have to do with security, anyway?

In this post, we will try to answer at least some of these and other related queries. But let’s begin by looking at what HTTP and HTTPS in your browser’s address bar mean.

HTTP and HTTPS for data transfer

When an online visitor reads or enters data on a website, information is exchanged between their computer and the server on which the site is hosted. The process is governed by a data transfer protocol called HTTP (HyperText Transfer Protocol).

HTTP also has an extension called HTTPS (HyperText Transfer Protocol Secure). The secure version handles the transfer of information between client and server in encrypted form, meaning information exchanged between the client and server is available only to them, and not to third parties (for example, a Wi-Fi provider or administrator).

Data transmitted from the client to the server is in turn encrypted with its own cryptographic protocol. The first such protocol used for this purpose was SSL (Secure Sockets Layer). There were several versions of SSL protocol, all of which at some point ran into security troubles. A revamped and renamed version followed — TLS (Transport Layer Security), which is still in use today. The initials SSL stuck, however, and so the new version of the protocol is still usually called by the old name.

To employ encryption, a site must have a certificate, also called a digital signature, confirming that the encryption mechanism is trustworthy and conforms to the protocol. In addition to the letter S in HTTPS, another indicator that a site has such a certificate is a little green padlock (or a shield in some browsers) with the word Secure or the name of the company in the browser address bar. You can actually see what it looks like at the top of your browser window right now; all Kaspersky Lab websites use HTTPS.

How a site gets an SSL certificate

There are two ways to obtain a certificate. A webmaster can issue and sign the certificate and generate cryptographic keys. Such certificates are called self-signed certificates. When attempting to access the site, users are shown a warning that the certificate is untrusted.

On such sites, the browser window displays a crossed-out padlock, a red shield, the words Not Secure, the letters HTTPS in red instead of green, or the letters HTTPS in the address bar crossed out and highlighted red — it varies by browser and even for different versions of the same browser.

The better way is to purchase a certificate signed by a trusted certificate authority (CA). CAs check the site owner’s documents and right to own the domain — after all, the presence of a certificate should indicate that the resource belongs to a legitimate company registered in a particular region.

Although quite a few CAs exist, you can count the number of blue-chip ones on your fingers. A CA’s reputation determines the extent to which browser developers trust it and how they display sites bearing its certificates. The price of a certificate depends its type and duration of validity, as well as the reputation of the CA.

Types of SSL certificates

Certificates signed by CAs come in different flavors, varying by their trustworthiness, who can receive them and how, and price.

Domain Validation certificates

To obtain a Domain Validation certificate, an individual or legal entity must prove that they either own the domain in question or administer their site on it. This certificate enables a secure connection to be established but does not contain information about the organization to which it belongs, and no documents are required to issue it. Getting such a certificate rarely takes longer than a few minutes.

Organization Validation certificates

Higher-level versions are known as Organization Validation certificates, which confirm not only that the connection to the domain is secure, but that the domain actually belongs to the organization specified in the certificate. Checking all of the documentation and then issuing a certificate can take several days. If a site has a DV or OV certificate, the browser displays a gray or green padlock with the word Secure and the letters HTTPS in the address bar.

Extended Validation certificates

Finally, we have top-level Extended Validation certificates. As with the OV type, only legal entities that have provided all necessary documents can obtain certificates of this sort, and they cause organizations’ name and location to appear in green, next to a green padlock, in the address bar.

EV certificates are the most trusted by browsers, and they are also the most expensive. Again, depending on the browser, information about the certificate (who issued it, when, its validity period) can be viewed by clicking on the organization name or the word Secure.

Problems with certificates

Online security and user data protection are key principles that major browser developers such as Google and Mozilla factor into their policies. For example, in the fall of 2017 Google announced that henceforth it would name and shame all pages using an HTTP connection by marking them “Not Secure” and essentially obstructing users’ access to such pages.

Google’s move effectively forced HTTP sites to purchase a trusted certificate. Accordingly, demand for CA services shot up, prompting many authorities to speed up the document-checking stage, which had a negative effect on quality control.

The net result is that nowadays, trusted certificates may be issued to websites that aren’t totally reliable. A Google study revealed that one of the largest and most reputable CAs had issued more than 30,000 certificates without performing due diligence. Consequences were dire for the CA in question: Google stated that it would stop trusting all of its certificates pending the complete overhaul of its verification system and the introduction of new standards. Mozilla also plans to toughen certificate verification in its browsers.

Despite the responses, it is still not possible to be totally sure that a certificate and its owner are bona fide. Even in the case of an EV certificate that outwardly meets all security requirements, the green font cannot be trusted unconditionally.

The situation with EV certificates is lamentable. Phishers can, for example, register a firm under a name suspiciously similar to that of a well-known company and obtain an EV certificate for the site. The familiar-sounding company name will appear in green in the address bar of the phishing website, adding credibility. Therefore, when using any Web page, users must always stay vigilant and follow these guidelines.