The Certificate and SSL Thing – Is it worth it?

Nearly every one of us has seen the ‘https’ in the address bar. If you have a Gmail account or use any Google service, you will generally see it more than once a day. So what does this ‘https’ mean? It means two things:
1. Trust – When you see ‘https’ in the address bar and the page opens without any warning, it means that the website has been verified by a trusted third party.

In the SSL industry this verification is done broadly at two levels: Domain Name verification (e.g. Thawte SSL123) and Identity verification.

When a Digital Certificate is issued with Domain Name verification, it essentially means that the domain name owner has been verified using the domain name credentials only. That’s it.

But when a Digital Certificate is issued with Identity verification, it means that apart from the domain name, other credentials of the website owner have also been verified. Many websites and services run on this notion of Trust.
2. Security – The concept of security is the most misunderstood in the context of Digital Certificates. Many believe that having a Digital Certificate will make their website safe and will prevent hacks, malware etc.

But that is completely wrong. Security in the context of a Digital Certificate means security of the transfer of data from the client’s browser to the web server. That’s it.

When you open any site with ‘https’, the data from your browser is encrypted first and then transferred to the web server, where it is decrypted again. The same happens in the other direction.

In fact you do not need to buy a Digital Certificate if you just want to secure your data transfer. You can always use a self-signed certificate to the same effect, except that the browser will show a warning that the certificate is not validated. For deeper digging, see this Wikipedia article: http://en.wikipedia.org/wiki/X.509.
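As an added example (not code from the post), this Go program uses only the standard library to show both points made above: a self-signed certificate is a perfectly good key for encrypting the connection, yet a browser-style check rejects it until the user adds it as a trust anchor, and the only thing in the subject that separates a domain-validated certificate from an identity-validated one is the organization field. The hostname and organization are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newSelfSigned builds a certificate whose issuer is its own subject (signed with
// its own key). org, when set, fills the Organization field a domain-validated
// certificate lacks and an identity-validated one carries. Inputs are constructed.
func newSelfSigned(host, org string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: host}
	if org != "" {
		subj.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subj,
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy asks the browser's question: does the cert chain to a root in the
// pool and name this host? A self-signed cert fails until the user adds it.
func trustedBy(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// validationLevel reports whether the subject names only the domain or also
// the organization behind it, the two verification levels described above.
func validationLevel(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) > 0 {
		return "identity"
	}
	return "domain"
}
```

Verification with an empty root pool fails with an unknown-authority error, which is the warning the post mentions; adding the same certificate to the pool is what a browser exception does.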

Now we come to the important question:

Is a Digital Certificate required?

Yes – if you want both Trust and Security of data transfer. Typical examples are credit-card processing, internet banking, collection of sensitive information, or where it is mandated by law (HIPAA).
No – if you just want Trust and do not require Security of data transfer. In this case you can go for a Verisign Seal. Verisign is the most trusted name in the SSL and Trust field. They will issue you the seal upon Identity verification. Once the seal is issued, you can paste a small JavaScript snippet on your page, and a visitor to your website will see the seal the same way you can see ours. This seal is clickable and verifiable.

I hope this article of mine will help you make an informed choice. 
