Posted by Calico UK - 10:00 on 19 June 2018
You may have wondered why you use "http" when accessing some websites, and "https" for others. With http, any information that goes between your device and the website is transferred unencrypted (the web page is "insecure") - mostly this is not a problem. But when you are logging into a site using a password, or when you are entering personal or financial information into a form, then a more secure connection between your device and the website would be better. That's where https comes in.
With https, the website has an SSL certificate associated with it. The certificate has a list of names that it will vouch for (it may be only one or two names) and can be used by your device to check that the website you have arrived at is the one you wanted. So, for example, one of the names on the certificate on our www.cali.co.uk website is "www.cali.co.uk" which lets your device know it's at the right place. If there was no certificate, or if none of the names on the certificate matched the name on the website, then your device would warn you that something wasn't right and there was a potential security problem.
When a certificate is created ("issued") then there has to be some sort of traceable link between the certificate and the domain name it is vouching for. For low cost certificates, this is done by sending an email to the domain administrator. The email contains a link to allow the domain administrator to verify that the certificate should be issued. So, the traceable link is:
Issuer -> Checks the domain exists -> Sends email to domain administrator -> domain administrator clicks on link to approve the certificate -> Issuer gets affirmative notification -> certificate is issued.
There is also a traceable link from the issuer to a list of approved "root" certificates to vouch for the issuer.
Most browsers (including Chrome, Firefox, etc) will alert you if you reach an insecure webpage with a form on it. Website development system WordPress also recommends the use of https for its sites.
Normally the process can be completed quite quickly, depending on how quickly the administrator approves the certificate.
More expensive certificates provide a greater degree of confidence in the link between the certificate and the domain name, and the verification process is more involved. Sometimes these are called "Organisation Validation" certificates, and could include a phone call from the Issuer to the domain administrator to check details on the certificate, to check the legal status of the company behind the domain name, etc.
When a webpage with an SSL certificate is accessed using https, the browser will normally display either a gray or green padlock in the address bar if everything is OK. The difference between the two is that the green padlock indicates that the more expensive certificate (and hence more checks) is in place.
In 99% of cases, the basic version ("Domain Validation") of the certificate is enough.
If your website has several subdomains, e.g. www.domain.com, secure.domain.com, mobile.domain.com, etc., then you might want to think about a Wildcard certificate, which vouches for all subdomains with the same domain name ending, not just the www. subdomain. Again, in 99% of cases this is not necessary as the basic certificate will vouch for, for example, https://www.cali.co.uk as well as plain https://cali.co.uk.
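The name check described above, and how a wildcard name differs from a basic one, as an added Python example (not Calico's code, and a simplification of what browsers do). The function names and the two name lists are constructed for illustration; it assumes the usual rule that a wildcard stands in for exactly one subdomain label.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one name on a certificate vouches for hostname."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    if len(c) != len(h) or "" in h:
        return False
    if "*" not in cert_name:
        return c == h  # ordinary name: exact, case-insensitive match
    # Accept "*" only as the whole left-most label, with at least two
    # fixed labels after it (so "*.com" or "www.*.com" never match).
    if c[0] != "*" or len(c) < 3 or any("*" in label for label in c[1:]):
        return False
    return c[1:] == h[1:]


def certificate_covers(cert_names, hostname: str) -> bool:
    """A certificate is acceptable if any one of its names matches."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed name lists for illustration (not read from real certificates).
BASIC_CERT = ["www.cali.co.uk", "cali.co.uk"]
WILDCARD_CERT = ["*.domain.com"]

if __name__ == "__main__":
    checks = [
        (BASIC_CERT, "www.cali.co.uk"),
        (BASIC_CERT, "cali.co.uk"),
        (BASIC_CERT, "secure.cali.co.uk"),       # not listed on the basic cert
        (WILDCARD_CERT, "secure.domain.com"),
        (WILDCARD_CERT, "mobile.domain.com"),
        (WILDCARD_CERT, "domain.com"),           # bare domain: no label for "*"
        (WILDCARD_CERT, "a.secure.domain.com"),  # two labels deep
        (WILDCARD_CERT, "www.domain.com.example.net"),  # wrong ending
    ]
    for names, host in checks:
        verdict = "OK" if certificate_covers(names, host) else "WARN"
        print(f"{verdict:4} {host:28} against {names}")
```

Under this rule a certificate carrying only "*.domain.com" does not cover plain domain.com, so the bare domain has to appear on the certificate as a name of its own.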
At Calico, we provide a range of certificate options depending on your hosting requirements:
Basic certificate £10
Basic certificate £30
Wildcard certificate £100
Organisation Validation £110
Basic certificate £24
Prices are per annum, excluding VAT.
If you have any questions, or you'd like to bolt an SSL certificate onto your existing service, then contact our friendly helpdesk team.