All about SSL/TLS certificates: what they are and what they are for

Safety when browsing online is a very important factor. Whenever we open a web page or access an online service, we send and receive data. Without security, if that data did not travel in encrypted form, our personal information could be exposed on the network. That's where protocols like SSL and TLS come in. Their objective is to keep the personal data we send, for example when we log in, from being exposed so that anyone can collect it. In this article we are going to talk about them and explain why they are so important.

What are SSL/TLS certificates

SSL or TLS certificates are also known as digital certificates. TLS is nothing more than a renewed version of SSL, but in many cases we will still see the term SSL certificate used. A certificate is basically a file that contains data linking cryptographic keys with the details of a website.

The objective of this type of certificate is to provide security. What it does is encrypt the content that we send and receive when we browse a web page. We can check in the browser itself whether a site has a certificate. For example, in Chrome we will see a padlock just before the URL. That indicates that the site uses this type of digital certificate. Of course, some browsers leave these signals aside and simply alert us when a page does not have a certificate.

Once a user enters a website, a secure connection is established between the server where that site is hosted and the browser the person is using. It can be any browser that supports the protocol the website uses. Normally, any browser we use today does.

This certificate is linked to a domain name, such as RedesZone, a server name or a host. In addition, it is also linked to the name of the company or organization, to provide reliability. When it is successfully installed on the server, HTTPS will appear instead of HTTP when someone enters the website.

Why they are important

Why is it really important to have an SSL certificate? The reason is clear: security. If the page we browse is not encrypted, our data may be exposed. It means that everything we send travels in plain text. If, for example, we connect to a Wi-Fi network at an airport, someone on that network could read what we send. In short, they could carry out a Man-in-the-Middle attack and steal our passwords and credentials.

Let us think, for example, of a card payment on any web page. We have to enter data in the payment gateway and contact the server. That information will travel through the network and if there were no encryption it would be exposed so that anyone could read it.

SSL/TLS certificates are also important for using social networks or any instant messaging service. Everything we send is encrypted and, in this way, we prevent an intruder from reading the content of a conversation. Without encryption, this would once again be a possible attack on an insecure Wi-Fi network.

But also, if you have your own website, it is very important to have an SSL certificate. It matters for the positioning of the site, since Google and other search engines value this a lot. It will also improve visitors' confidence, since a warning message saying that the site is insecure does not invite anyone to visit it.

How it works

These types of certificates must be installed on a server. From then on, when the user accesses that page hosted on that server, their browser will display a message indicating that the site is indeed secure and encrypted. They will see HTTPS and, if they click on the padlock icon, they will also be able to access the information of that certificate.

The server will send a copy of the public key to the browser. For its part, the browser will create a symmetric session key and encrypt it with that server’s asymmetric public key. It then sends it back to the server.

The server decrypts the session key it has received using its asymmetric private key and obtains the symmetric session key. From that moment on, everything that is sent will be encrypted. The communication between the browser and the server will be encrypted and no one will be able to read what is sent.

Keep in mind that this session key is created when we enter a website. It doesn't matter if we come back later, since a new one would be created. This process is completely automatic and takes so little time that we as users will not notice it when we enter any website.
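The exchange described above, as an added example that is not part of the original article: a toy model in which the browser wraps a fresh session key with the server's public key and the server unwraps it with its private key. It assumes textbook RSA without padding and a SHA-256 XOR keystream purely so it runs with the standard library (neither is what real TLS uses), and all function names are hypothetical; TLS 1.3 replaces this key transport with an ephemeral Diffie-Hellman agreement.

```python
import hashlib
import secrets

# Toy RSA key pair for the "server". P and Q are the Mersenne primes 2**89-1
# and 2**107-1, chosen only so the example needs no third-party packages.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                    # public key: sent to the browser
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: never leaves the server


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def browser_hello(n: int, e: int):
    """Browser: create a session key and encrypt it with the public key."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped


def server_unwrap(wrapped: int) -> bytes:
    """Server: recover the symmetric session key with the private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def run_exchange(message: bytes):
    """One visit to the site: key transport, then encrypted traffic."""
    browser_key, wrapped = browser_hello(N, E)   # only `wrapped` is sent
    server_key = server_unwrap(wrapped)
    ciphertext = keystream_xor(browser_key, message)   # what the network sees
    plaintext = keystream_xor(server_key, ciphertext)  # what the server reads
    return browser_key, server_key, ciphertext, plaintext


if __name__ == "__main__":
    sample = b"user=alice&password=constructed-sample"  # constructed input
    b_key, s_key, ct, pt = run_exchange(sample)
    print("keys match:", b_key == s_key)
    print("on the wire:", ct.hex())
    print("server sees:", pt)
```
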

Types of SSL and TLS protocols

Not all protocols are the same, as there are different versions. In fact, we can say that SSL has become obsolete. Today the current ones are TLS, although the certificate is still generally called an SSL certificate. And yes, there are also several versions of TLS certificates and some of them are obsolete.

There are three versions of SSL: 1.0, 2.0 and 3.0. The first was never really used; the other two were, until 2011 and 2015, respectively. Since that year it has been considered a defunct protocol.

As for TLS certificates, there are also different versions: TLS 1.0, 1.1, 1.2 and 1.3. The last two are the ones that are still in force today. Both are considered safe and perfectly functional.

Therefore, if you are going to install an SSL/TLS certificate on your website, it is essential that you use version 1.2 or 1.3 of the TLS protocol. Only then will you really be protecting the page and browsers will consider it safe. Otherwise, your site would be vulnerable and that would be a problem for Google and the prestige of the website itself.

Validation level

SSL certificates have different levels of validation. This will depend on whether we are an organization, a private user, etc. The objective is to certify that the website is the one it should be, and this requires a validation process.

Domain validation

This is the easiest of the three levels. It basically consists of validating that the domain owner is who they say they are. This can be verified through an email, for example. Different checks are performed on the DNS records of that domain to confirm identity.

It is essential so that HTTPS appears for the domain in the browser URL. It does not take too long: the maximum is a few hours. However, it normally takes a few minutes. It is the most common validation for users who have a web page.

Organization validation

The next level is more complex. It is about validating an organization, and in this case it is not so automatic. Normally the company has to be contacted to confirm that they really are the ones who want to create that domain and to verify their identity. It is a way to avoid fraud and impersonation.

In this case, it does take more time: several days. Of course, it is a more complete validation. The information of the organization will appear and that will generate trust. It is the level most used by companies, and it is very important for an online store, for example. In this way customers have guarantees.

Extended

The third level is what is known as extended validation certificates. This is the maximum level. Here validation goes through legal channels: documents must be submitted and an inspection is carried out to verify that everything is indeed legal and there is nothing strange behind it.

This is used especially by large companies that are well known. It takes more time, several weeks, and it is also a more expensive process. However, this process will give users maximum security so that they know that they are really browsing the page corresponding to that company or organization.

Number of domains or subdomains

These certificates can also be differentiated according to the number of domains or subdomains. There are different types, as we will see. The objective is the same: to validate a domain in order to increase the guarantees for visitors, so that they have no doubts about its security.

Single domain

The first is the simplest of all. It basically consists of validating one specific domain, for example a certificate that covers RedesZone.net. It will only validate that specific domain and not any subdomain or any other domain that we own.

It is the most suitable for those who have their own web page, on a personal level, and do not need more than that. It is the simplest and it will not be necessary to certify any additional subdomain that may be on a larger website, for example.

Wildcard

In order to validate subdomains, the wildcard certificate comes into play. This is very useful for those who have different pages within the same domain and want to validate all of them. They would have to use a certificate of this type, which covers what a single-domain certificate cannot.

Taking RedesZone as an example, let's think about different sections for an online store, a forum, etc. We could have subdomains of the type store.redeszone or forum.redeszone. That is where a wildcard certificate comes in, validating all the subdomains that we have.

Multiple domains

In this case, the objective is to validate more than one domain, for example if we have a web page with several extensions, such as .es and .com, even if they keep the same name. This is something that many companies and organizations take into account to prevent someone else from taking advantage of the brand name.

Therefore, certificates for multiple domains will allow more than one to be validated. It is more oriented to large companies and organizations, which will be the ones that need this.
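The difference between the three certificate types comes down to which hostnames the names listed in the certificate match. The following is an added example, not part of the original article, that applies the usual wildcard rule (the `*` stands for exactly one left-most label) to three constructed name lists; `example.com` and `example.es` are placeholder domains and the function names are hypothetical.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS name from a certificate against a hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # plain name: exact match only
    # A wildcard is accepted only as the whole left-most label and only
    # above a registered domain ("*.com" or "s*.example.com" are rejected).
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    # "*" replaces exactly one label: it covers neither the bare domain
    # nor a deeper name such as a.store.example.com.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def cert_covers(names, hostname: str) -> bool:
    """True if any name in the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in names)


# Constructed name lists, one per certificate type described in the article.
SINGLE = ["example.com"]
WILDCARD = ["*.example.com"]
MULTI = ["example.com", "example.es", "www.example.com"]


def coverage(hosts):
    """Map each hostname to the certificate types that would validate it."""
    certs = {"single": SINGLE, "wildcard": WILDCARD, "multi": MULTI}
    return {h: [kind for kind, names in certs.items() if cert_covers(names, h)]
            for h in hosts}


if __name__ == "__main__":
    hosts = ["example.com", "store.example.com", "forum.example.com",
             "a.store.example.com", "example.es"]
    for host, kinds in coverage(hosts).items():
        print(f"{host:22} -> {', '.join(kinds) or 'no certificate matches'}")
```

Note that the wildcard list does not match the bare domain, which is why a certificate meant to serve both normally lists the bare domain as an additional name.
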

Conclusions

We can say that having certificates of this type is something basic today. There are very few insecure, unencrypted web pages left. In addition, in order to optimize web positioning and not have problems with Google, it is also necessary to make this investment and acquire a certificate for the page.

We have seen that at the user level we must also make sure that we are on an encrypted page. For example, to be able to make an online payment without the information being exposed or to be able to send messages through social networks without an intruder being able to read that content.