What is an SSL certificate?
An SSL certificate (Secure Sockets Layer certificate) is a digital certificate that authenticates and encrypts the communication between a web server and a client's web browser. It establishes a secure and encrypted connection, ensuring that data transmitted between the server and browser remains private and protected from eavesdropping or tampering.
The major certificate vendors (Symantec, Thawte, DigiCert etc.) issue certificates with a maximum validity of 2 or 3 years. In 2020, Google, Apple, and Mozilla announced they would enforce one-year SSL certificates and the industry trend is towards increasingly shorter validity timeframes.
How does an SSL certificate work?
The steps of how an SSL certificate works:
- Authentication: When a client (web browser) connects to a secure website, the server presents its SSL certificate. The certificate contains information about the server's identity, such as the domain name, organization, and the public key.
- Verification: The client verifies the SSL certificate's authenticity by checking if it is issued by a trusted Certificate Authority (CA). Web browsers come pre-installed with a list of trusted CAs, and if the certificate is signed by one of them, it is considered valid.
- Encryption: Once the client verifies the SSL certificate, it initiates an encrypted connection with the server using a secure protocol, typically TLS (Transport Layer Security). This encryption ensures that the data transmitted between the client and server remains confidential and cannot be intercepted or deciphered by unauthorized parties.
- Secure Data Transfer: With the SSL connection established, all data exchanged between the client and server is encrypted. This includes sensitive information such as login credentials, personal details, credit card numbers, or any other data submitted through forms on the website.
- Trust Indication: Modern web browsers display visual indicators, such as a padlock icon or a "https" prefix in the website's URL, to signify that a secure SSL connection is in place. This helps users identify trustworthy websites and provides assurance that their data is being transmitted securely.
SSL certificates play a key role in securing online transactions, protecting user privacy, and establishing trust between websites and their visitors. They are particularly important for e-commerce websites, login portals, banking platforms, and any site that handles sensitive user information. SSL certificates are considered industry standard and best-practice.
What is the difference between a self-signed certificate and a trusted SSL certificate?
SSL certificates can be issued by a public authority or can be self-signed (privately) signed. Especially for applications that are used internally within an organization, IT teams may prefer to use self-signed certificates. In such cases, when accessing such web applications, you will see a “not secure” indication on the browser’s address bar.
So, what impact do private certificates have on web application performance? It is generally believed that while such applications have a lower level of security (because of the self-signed certificate), the performance of the application will be similar to that if the application were to be configured with a public certificate. This is however a myth and self-signed certificates can cause application performance issues because self-signing can affect how browsers handle the caching of CSS and JS scripts, resulting in increased network traffic and in turn poor response time for end users. A detailed case study of such issues is available on our blog, see: Troubleshooting Web Application Performance & SSL Issues (eginnovations.com).
What happens if an SSL certificate expires?
An expired SSL Certificate in an enterprise environment can have severe impacts:
- Lost business and regulatory requirements non-compliance: When an SSL certificate expires, customers will be presented with a warning message, the experience varies based on the browser. If customers visit a website and have any concerns about whether their private data is secure, they will abandon their transaction and stop visiting the website. This may also result in noncompliance with regulatory or other requirements. The resulting impact is that businesses start to lose many customers. The corporate brand and reputation are adversely affected, putting the business at risk.
- Increase in customer support costs: Customers who have concerns about a website’s security and choose to call customer support will increase the burden on your customer support team and divert focus from high-value customer calls.
- Personal information at risk from man-in-the-middle attacks: In a phishing attack, a hacker assumes the identity of your business, taking advantage of expired SSL Certificates and creates a fake website that looks similar to the actual site. Customers will then enter confidential information, such as credit card or social security numbers, on this phishing site thereby feeding data directly to the hacker, who may in turn sell it to other criminals.
- IT departments are put under pressure: Employees who see warnings will often contact IT department staff for help in resolving the issue. This can add a significant burden to IT departments that are already overwhelmed.
Why should SSL certificates be monitored?
Monitoring SSL certificates is critical to application success. Mission-critical systems can crash if SSL certificates expire. IT organizations also need to monitor erroneous or unauthorized changes to SSL certificates to prevent security attacks and system outages. Given the business criticality of SSL certificates, manual tracking is not a viable option.
To learn about how to automatically monitor SSL certificates, protect yourself against erroneous and unauthorized changes to SSL certificates and prevent man-in-the-middle malicious attacks, please see the available whitepaper: Monitoring SSL Certificates in Business-Critical Applications (eginnovations.com).