Disclaimer: This article was published before the Google Chrome update that removed padlock icons from the UI. The authors realize that this can change, but this is today's UX and we have already learned this way, so we look at it this way. Oh, and the padlock icon will still be there, just concealed.
Something tells me that you're an Internet user, which means you come across SSL certificates every time, even if you don't know about it. Now you will learn more about what these certificates are, how to distinguish them on the user side, and which one to choose if you are a website owner.
Self-signed Certificates
In a country far, far away, there were knights, and each had a castle. And in the eyes of the citizens, anyone who had a castle was already considered a knight, but not everyone was trustworthy at first sight
Self-signed certificates are SSL certificates created by the website owner, authenticated by them, and issued on their server. That's one's own certification authority. Signatures from this authority are still legitimate, but any browser will suspect something wrong and show a warning upon visiting the website. The notification will say that the website is configured incorrectly, or has a self-signed certificate, or the certificate has expired, which means that users risk being deceived here. Usually, such certificates are used in gray networks deployed within companies or locally in a test environment when no domain has been purchased yet. Developers are used to seeing such messages while working and can be sure that their test123.ru website is definitely not going to steal data. However, if an Internet user is taken to the website from a search engine and sees a warning in their browser, perhaps it is better to skip such website and find another resource. A research paper downloaded for free and without an SMS might not cost the data stolen.
A browser will never trust self-signed certificates just because. Even if the user risks visiting such a website, the padlock icon will differ from the ones the browser trusts. The only way to avoid it is to manually add a certificate directly to the browser, but the website owner cannot force all users to do it
DV Certificates and the Fantastic Let’s Encrypt
The far, far away country helped those who wanted to become knights and had a registration but did not have the money to buy a castle
But if a domain has already been purchased, why not do it right? There are two ways: free and fee-based. Let's start with the first one.
In 2014, several organizations united their efforts to make the Internet safer in an affordable way. The idea is simple: if you buy a domain and can prove that you own it, Let's Encrypt gives you a certificate after an automatic verification. You don't have to pay, but you will need to repeat the procedure in 90 days. In fact, they suggest coming back every 60 days to make sure it does not expire, but most control panels automate this process. Plus, there are scripts that allow you to refresh certificates on a schedule. This made hundreds of millions of websites safer for users and their owners. But what are the pitfalls of such free certificates? None except that anyone can get a certificate after buying a domain. And it is not so hard to do without showing your real bank details or personal data, for example, with crypto currency or even by getting a free domain, which means that such websites can be easily used for phishing or fraud. Even Let's Encrypt itself does not deny this and suggests reporting such websites through dedicated forms.
Let's Encrypt issues Domain Validation certificates for free. The nature of validation can be easily guessed by its name: it verifies the domain, or rather the ownership of the domain. There are several types of validation used by Let's Encrypt for this purpose. The most common one is a trivial
verification of the availability of the website, or rather a specific file on the website (HTTP-01). There is also a DNS validation, where special TXT records for a domain name are verified (DNS-01). After successful validation, Let's Encrypt sees that everything is in order, issues a certificate, and now you can use the encrypted connection.
A website protected with a free certificate from Let's Encrypt has a corresponding signature
Paid DV certificates are usually the cheapest, and the verification process is similar. There are differences as compared to free certificates:
the certificate will be valid for a year (it used to be as long as 5 years, but the term is getting shorter and shorter);
the owner of the website will have to pay for the certificate and, therefore, will have to somehow identify themselves;
paid certificates have insurance from the certification authority (yes, in case something happens because of the certificate and it is proved, the owner will be reimbursed);
certificates are supported by older devices, unlike Let's Encrypt.
What is in it for an Internet user? If you see Let's Encrypt in the certificate signature, think twice whether to trust the website. If the website does not request your money or personal data, everything is probably fine, your connection is protected. In case they request your phone number or, God forbid, ask to insert your bank card details to pay for something, can even DV certificates from other certification authorities be trusted? After all, the people who launched this website did not verify their identity or company in any way.
OV and EV Certification GigaChads
Real knights are not afraid to show their faces and show where they come from
There are two types of certificates for serious companies: Organization Validation (OV) and Extended Validation (EV). What does it mean? During such validation, the website does not just automatically run through scripts to check if the domain exists and to whom it was provided; the company itself is verified: whether or not it exists in the public records, what it does, and where it is located. OV certificates even show the name of the company. You will find the name of the company that owns the website and its location in the certificate details. Naturally, such verification with certification authorities takes more time. Unlike DV, such certificates can take several days to be issued. Certification authorities can even refuse to issue them if something does not comply with the guidelines. This is especially strict with EV certificates, where there is a whole list of verification criteria. Besides requirements for companies, the certification authority itself takes responsibility and guarantees to pay insurance indemnity in case there is an information leak due to the SSL certificate. EV certificates will have a greater insurance payout than OV certificates. However, certification authorities try their best to eliminate blunders and ensure the highest reliability.
You can buy any type of SSL certificate right now from us. If you can't decide what validation do you need, just ask us. We are always ready to help!
Is it worth paying more and going through the hassle of paperwork for an EV? At the end of the day, the answer is no. Both OV and EV confirm the reliability of the organization, unlike DV. Both types ensure the most important thing: verify the existence of the organization and its legitimacy. The website is already a knight having a beautiful castle, but if it wants shining armor and the title of a Sir, the way to go is to pay for an EV certificate.
You may open the certificate details to see how the company description changes depending on the certificate validation level. Starting with a simple domain name and up to the company's address. The 'Certificate Policies' section also shows what kind of verification was performed by the certification authority
As for the user, both OV and EV-certified websites can be trusted (and so can DV, as we found out earlier). Such websites are insured by certification authorities against data interception or SSL/TLS encryption leakage. This happens very rarely and has serious consequences, so it is in the interest of certification authorities to verify everything thoroughly and keep encryption methods up-to-date.
That's the story about knights with castles and websites with padlocks. Take care of your castle and surf the Internet safely!