This is an SSL certificate primer for dummies. It is not intended to be exhaustive or to turn you into an expert; it is merely an initiation. Feel free, however, to add any tips you feel are important in the comments section.
Whenever I visit local websites I am amazed at how many of them continue to use unsecured HTTP connections when submitting forms. There are even corporate and public sites that continue to offer email and other such sensitive services over these connections. For some reason they fail to comprehend that these days we live in a perilous world where online security is constantly being undermined by all sorts of people, from your average everyday hacker to governments.
Not having an SSL connection to secure your site is simply inexcusable nowadays; you can get one online for as little as $7/year. This might not spare you from government-backed hacking like PRISM, but it will certainly scare away script kiddies and your random hacktivist. Even Google no longer uses unsecured connections for searches. It is strange, therefore, whenever I visit bank websites and see that they have not even bothered to purchase at least a domain validation certificate. It seems most people operate under the naive assumption that no one will be eavesdropping on their connections.
When you see the light and decide to use an SSL certificate, it is important that you choose the right one for your budget and for the purpose you intend to use the certificate for. There are five major classes of certificates:
Self-signed certificates – these are self-generated rather than issued by a certification authority. They are great for testing purposes and for internal use in organisations. They are not recommended for production or e-commerce use because every time a user visits the site they receive a warning and must manually override it to see the site. Self-signed certificates give red text in the address bar.
Domain Validation certificates – these are the traditional certificates; their purpose is to assure a person visiting the website that it is indeed the authentic site, and to encrypt the connection between the two computers.
Organizational Validation certificates – these, in addition to the services provided by domain validation certificates, are only issued after the applying entity has been vetted, and include a clickable link with your organisation’s information. They are characterised by green text in your address bar. They are ideal for payment processing, email services and other personal services.
Extended Validation certificates – these offer the highest level of security and involve thorough verification of your website. They are also known as green-bar certificates because they present a green bar in the address bar, which can be clicked to give additional information about the organisation. This is a must-have if you run an e-commerce website.
Wildcard certificates – these can belong to any of the above categories but are not tied to any single domain. They are issued to domains of the form *.example.com and can be used on your subdomains as well. They are usually more expensive and should only be used by large organisations. Chances are most Zimbabweans, even organisations, do not need these unless you are an ISP.
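To make the five classes above concrete, here is an added example (not from the original post) in Go that inspects a certificate and reports which class it falls into: self-signed if its own key verifies its signature, domain-validated if the subject names no organisation, organisation-validated otherwise, plus a wildcard flag for *.example.com style names. The certificates it classifies are constructed in-memory samples; telling OV from EV needs the issuing CA's EV policy OID, which is left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// classify names the class above that a certificate falls into, from its own fields.
// OV and EV both name an organisation; telling them apart needs the CA's EV policy OID.
func classify(c *x509.Certificate) []string {
	var tags []string
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		tags = append(tags, "self-signed") // its own public key verifies its signature
	} else if len(c.Subject.Organization) == 0 {
		tags = append(tags, "domain-validated") // the subject names only a domain
	} else {
		tags = append(tags, "organization-validated") // a vetted organisation is named
	}
	for _, n := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if strings.HasPrefix(n, "*.") { // *.example.com covers every subdomain
			tags = append(tags, "wildcard")
			break
		}
	}
	return tags
}

// newCert builds a throwaway certificate (constructed sample, not from any real CA);
// with parent == nil it signs itself, which is exactly what self-signed means.
func newCert(cn string, org []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject:   pkix.Name{CommonName: cn, Organization: org},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, // only the root is a CA
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // constructed inputs, so no errors are expected
	return cert, key
}
```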
It would be great if everyone were security conscious, and I feel some web companies here in Zimbabwe should do more to conscientise their clients and help them use secure connections, especially for websites that habitually collect personal information such as online directories, organisational email, banks (these should have at least domain validation certificates for their sites), social sites and e-commerce sites.
CheapSSL.com offers certificates that most of you will find affordable, and they also accept Zimbabwean credit cards without the fuss some other vendors make.
If you have any suggestions or additional tips please leave them in the comment section.