This lesson discusses the advantages of HTTPS and the differences between the available SSL certificates. Using HTTPS is advantageous because, in addition to protecting user-entered data, it keeps the headers, content and URLs of all transferred pages private. HTTPS also protects content from being altered or tampered with, web applications using HTTPS load more quickly than HTTP applications because of the use of HTTP/2, and website search rankings are improved.
The first step in using HTTPS is determining which certificate is to be deployed. Nearly all SSL certificates use similar methods to encrypt and validate data, so to differentiate between the certificates the method used for validation should be considered. Several options are available, each described below.
All certificates are issued and validated by a “Certificate Authority” or “CA” that ensures that the correct, authorized web application is protected. The verification process confirms control of the domain.
Additional steps can be taken to confirm the existence of the requesting organization or to establish another level of trust through extended vetting.
Self-signed Certificates
For self-signed certificates, the individual or developer who created the certificate is the CA of record. These certificates are commonly used for small-scale intranet applications or for development but are not a viable option for a public web application. This is because the CA root certificate would have to be given to every visitor, and they would be asked to “trust” the root certificate. To learn how to create a self-signed certificate for development use, watch Lesson 4, “Data in Transit,” of the "Security the Basics" course.
Domain Validated Certificates
Domain validated or “DV” certificates are the most common type of SSL certificate. This certificate is validated using the DNS WHOIS records of a domain name. Typically, the CA exchanges a confirmation email with an address listed in the domain’s WHOIS record. Alternatively, the CA provides a verification file, which the owner places on the web application to be protected, or the CA asks the domain owner to add a DNS record to confirm that the domain is controlled by the party requesting the certificate.
Organization Validated Certificates
Organization validated or “OV” certificates require more validation than DV certificates, but they provide more trust because the CA will verify the business that is requesting the certificate by calling the requesting organization. The organization’s name is listed inside the certificate, giving added trust that both the web application and the company are reputable. OVs are regularly used by corporations, governments and other entities that want to provide an extra layer of confidence to visitors.
Extended Validation Certificates
Extended validation or “EV” certificates provide the maximum amount of trust to website visitors. They require the most effort by the CA to validate. Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate. As with OV certificates, EV certificates list the company name. A fully validated EV certificate also shows the name of the company or organization in the address bar itself, which is displayed in green. This is an immediate visual cue so that the application user knows extra steps have been taken to confirm the security of the web application. Most large companies, banks and organizations use EV certificates.
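
The four certificate types above can be told apart from the certificate's own fields. The following is an added example, not part of the original lesson: it classifies a certificate given in the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The sample certificates, the helper names and the "Constructed" CA and company names are assumptions made for illustration; the policy OIDs are the CA/Browser Forum identifiers for EV, OV and DV.

```python
# CA/Browser Forum policy OIDs, strongest first. They are authoritative when the
# caller can supply them; getpeercert() does not expose certificatePolicies.
POLICY_LEVELS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.1": "DV",
}
# Subject attributes an EV certificate carries besides the organization name.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def flatten(name):
    """Turn getpeercert()'s tuple-of-RDNs into an {attribute: value} dict."""
    return {key: value for rdn in name for key, value in rdn}


def classify(cert, policy_oids=()):
    """Return 'self-signed', 'DV', 'OV' or 'EV' for a getpeercert()-style dict."""
    subject, issuer = flatten(cert["subject"]), flatten(cert["issuer"])
    if subject == issuer:
        return "self-signed"  # name comparison only; the signature is not checked
    for oid, level in POLICY_LEVELS.items():
        if oid in policy_oids:
            return level
    # Fallback heuristic: DV subjects carry no organization name, EV subjects
    # carry the extra registration attributes, anything else is treated as OV.
    if "organizationName" not in subject:
        return "DV"
    if EV_SUBJECT_FIELDS <= subject.keys():
        return "EV"
    return "OV"


def make_name(**attrs):
    """Build a name in getpeercert() layout (hypothetical helper for samples)."""
    return tuple(((key, value),) for key, value in attrs.items())


# Constructed sample certificates; none of these describe a real site or CA.
CA = make_name(organizationName="Constructed CA", commonName="Constructed CA R1")
SAMPLES = {
    "dev": {"subject": make_name(commonName="localhost"),
            "issuer": make_name(commonName="localhost")},
    "dv": {"subject": make_name(commonName="shop.example.test"), "issuer": CA},
    "ov": {"subject": make_name(organizationName="Constructed Corp",
                                commonName="www.example.test"), "issuer": CA},
    "ev": {"subject": make_name(businessCategory="Private Organization",
                                jurisdictionCountryName="US", serialNumber="0000000",
                                organizationName="Constructed Bank",
                                commonName="bank.example.test"), "issuer": CA},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(label, "->", classify(cert))
```

The subject-field fallback is a heuristic; when the certificatePolicies extension is available from another parser, pass its OIDs as policy_oids so the CA's own assertion decides the result.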