Choosing the right SSL certificate for your e-commerce site is crucial


The internet is an ever-expanding world of opportunity, both for legitimate businesses and for criminals. To ensure you get the best rather than the worst of it, you need to protect your website with an SSL certificate. The trick is choosing the right option for your business.

What is an SSL certificate?

An SSL (secure sockets layer) certificate addresses security on your site in two ways:

  1. Data Encryption: It ensures that all communication between your website, its server and a visitor is encrypted and therefore secure. This means that customer usernames, passwords and credit card details are encrypted, so they can’t be intercepted or manipulated by anybody.

  2. Authentication: It authenticates the identity of the company that holds the certificate. This gives visitors either an approximate idea or exact data about who they’re dealing with, depending on the level of the certificate.

Customers buying from your e-commerce business can then rest easy, knowing that you are a legitimate business and that their personal information can’t be read or used by a third party. This protects not only the customer but also your business’s reputation.

Customers know a site is secure when they see ‘https://’ rather than ‘http://’ in the search engine results or at the beginning of a website address (URL):

Google search result with emphasis on where to find if the site is SSL secure.

Another way to identify a secure website is to look for the padlock at the beginning of the URL:

Screenshot of plumblink home page with emphasis on where to find if the site is SSL secure

The padlock and https, plus trust seals on your site from your security provider, boost customers’ confidence in your business. They can also increase your search engine rankings. All of this translates into higher conversion rates and more money in the bank for you.

Without an SSL certificate, visitors to your site will see a ‘Not secure’ message in the URL. Not surprisingly, your visitors are unlikely to stick around to see what you have to offer.

Where to see if a site is not SSL secure

How does an SSL certificate work?

Once you’ve been approved for your SSL certificate, all you need to do is install it onto your web server. Then when a visitor lands on your site their browser checks if your site has an SSL certificate. If it does, an ‘SSL handshake’ takes place during which the browser makes sure the certificate is valid, using public and private keys to communicate securely during this part of the interaction.

Once the validity of the certificate is confirmed, a third ‘session key’ is created which is used to encrypt the rest of the interaction, creating a secure connection. Both parties need to have this session key in order to unscramble the communication.

Types of SSL certificates

There are several different kinds of SSL certificates and it’s important to know which option is right for your business. To help you decide, start by asking yourself these questions:

  1. Encryption: How much sensitive data do I handle and therefore how strong should my encryption be for security reasons?

  2. Authentication: How strong is my site visitors’ need to know that my business is legitimate?

  3. Single- or multi-domain: How many websites am I securing?

A. Encryption: How much security do I really need?

When buying an SSL certificate, note that encryption strength may vary between products. A certificate’s encryption strength is a measure of the number of bits in the key used to encrypt data during a session. The bigger the number, the longer it would take a computer to decrypt the data.

It is strongly recommended to use 256-bit encryption on your e-commerce website. It is important to note, however, that an SSL certificate will provide you with up to 256-bit encryption protection, as many other variables are in play, such as your server configuration and the visitor’s browser capabilities.

At Comalytics, we use Comodo SSL Certificates and all their products use 256-bit encryption for maximum security and protection of your customers’ private information.

Please note:

Name change: Comodo Certificate Authority was acquired by Sectigo in Oct 2017. Brand changes have been implemented during 2019. There will be no change for visitors of websites protected by legacy Comodo SSL certificates.

Comalytics offers: All information below is directly related to Comodo (Sectigo) – our default SSL choice. However, Comalytics also implements Symantec, GeoTrust, Thawte and RapidSSL if requested. Contact us to discuss your options.

B. Authentication: How strong is my site visitors’ need to know that my business is legitimate?

All SSL certificates encrypt communication, but each offers a different level of authentication.

Let’s look at the options from the most basic level of validation (Domain Validation) to the most complex (Extended Validation):

The different types of SSL Validation.

1. A domain validation (DV) SSL certificate

This certificate encrypts communication and it authenticates the ownership of the domain. From your visitor’s perspective their sensitive data will be secure, and if they know and trust your company, they won’t need to know who is behind the domain. However, if you are a bigger e-commerce site with an unknown brand, you will do well to upgrade your domain validation to an extended validation so that your visitor has trust in the ownership and legitimacy of your business.

  • What it offers: 256-bit symmetric encryption and domain validation

  • What you need to do: Prove ownership of your domain

  • How long it takes to issue: Usually a few minutes

  • Cost: Free with all Comalytics websites

2. An organisation validation (OV) SSL certificate

This is the next level up. It also offers 256-bit symmetric encryption and the level of authentication is higher as only legitimate legal entities can get one. Organisations are authenticated by real agents checking information against business registry databases hosted by governments. Here are the elements that are verified:

An example of an organisation validation SSL certificate

Visitors who click on the OV certificate can see the information needed to validate your organisation.

The problem is that, at first glance, it’s not easy for the visitor to distinguish between a DV and OV SSL certificate, and not everyone knows where to find the added information that’s available about your company.

In the URL, it looks exactly the same as a Domain Validation SSL certificate:

An organisation validation url

  • What it offers: 256-bit symmetric encryption, light business authentication and verified organisational information displayed in the certificate details.

  • What you need to do: Provide proof that:

    • You own the domain

    • Your company is a legitimate legal entity

    • Your company is based where you say it is

  • How long it takes: 1 – 2 days

3. An extended validation (EV) SSL certificate

An EV certificate (at Comodo) also includes 256-bit symmetric encryption, but the validation of your organisation is of the highest level. In some browsers, it’s extremely obvious to visitors that your site is secure, as the address bar displays as green and shows your company name, along with the padlock and ‘https’. However, this differs across browsers, and a lot of change and debate is currently occurring in the industry. At the time of writing this blog, an EV SSL certificate displayed as follows across major browsers:

An extended validation (EV) SSL certificate in different browsers

This extra level of protection has been proven to boost sales, which means that, although it costs a bit, you get good returns on your investment.

Here are the elements verified in this certificate:

  • What it offers: 256-bit symmetric encryption and extended organisation validation

  • What you need to do: Provide proof that:

    • You own the domain

    • Your company is a legitimate legal entity

    • Your company is based where you say it is

    • Your company is registered as a business

    • Your company approves the SSL certificate

    • All the business validation documents you need to provide are correct

  • How long it takes: Usually 1 – 5 days but sometimes longer
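The DV, OV and EV levels described above look alike in the address bar but differ in the certificate's subject fields. The following is an added example, not Comalytics' or Comodo's code: a Python heuristic that reads those fields in the shape returned by the standard library's `ssl.getpeercert()`. The three sample certificates, the organisation name and the registration number are constructed, and the field-based classification is an assumption of this sketch rather than an official test.

```python
import socket
import ssl

# Subject fields that only appear on EV certificates (OpenSSL long names).
EV_ONLY = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def fetch_cert(host, port=443, timeout=5):
    """Fetch and verify a live site's certificate (not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten the nested 'subject' tuple from getpeercert() into a dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def validation_level(cert):
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only the domain was validated
    if EV_ONLY.issubset(fields):
        return "EV"   # registration details were verified as well
    return "OV"


def identity_summary(cert):
    f = subject_fields(cert)
    level = validation_level(cert)
    if level == "DV":
        return "DV: domain %s only, no organisation named" % f.get("commonName")
    where = ", ".join(f[k] for k in ("localityName", "countryName") if k in f)
    return "%s: %s (%s)" % (level, f["organizationName"], where)


def _cert(**fields):
    """Build a constructed certificate dict in getpeercert() shape."""
    return {"subject": tuple(((k, v),) for k, v in fields.items())}


# Constructed samples, not real certificates.
DV_CERT = _cert(commonName="www.cheapdeals.com")
OV_CERT = _cert(countryName="ZA", localityName="Cape Town",
                organizationName="Cheap Deals (Pty) Ltd",
                commonName="www.cheapdeals.com")
EV_CERT = _cert(countryName="ZA", localityName="Cape Town",
                organizationName="Cheap Deals (Pty) Ltd",
                businessCategory="Private Organization",
                jurisdictionCountryName="ZA", serialNumber="0000/000000/00",
                commonName="www.cheapdeals.com")
```

To inspect a live site instead of the samples, pass the result of `fetch_cert("your-domain")` to `identity_summary`.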

C. How many websites am I securing?

Once you’ve decided on the level of validation you need, you need to make sure your certificate secures all your domains.

Choose from:

A single domain SSL certificate

Single-name SSL certificates cover only one domain or subdomain.

So if you buy a single-name SSL for a website called www.cheapdeals.com, it won’t cover mail.cheapdeals.com.

This can be useful if, for example, you have added a subdomain after getting your original SSL certificate for your main domain.

A wildcard SSL certificate

A wildcard SSL certificate covers several subdomains that fall under one domain, as long as the URL structure flows from the main domain.

So if you buy one for cheapdeals.com, it could also cover mail.cheapdeals.com or login.cheapdeals.com, but not example.shop.cheapdeals.com.

This means you only need to go through the validation process once for all your subdomains, saving you time and money. Note that all subdomains must be listed on your SSL certificate.

A multi-domain SSL certificate

Multi-domain (or SAN) certificates allow you to secure several domains and their subdomains all under one certificate, again saving you time and money.
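The coverage rules for single-name, wildcard and multi-domain certificates described above, as an added example that is not Comalytics' or Comodo's code: a small Python matcher following the RFC 6125 wildcard rule that browsers apply to the DNS names in a certificate. The three name lists, the bare domain in the host list and the second domain `otherdeals.example` are constructed for illustration.

```python
def name_matches(pattern, host):
    """True if one certificate DNS name (pattern) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # '*' stands for exactly one label
    if p[0] == "*":
        # Need at least two fixed labels, so '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h                 # no wildcard: exact match only


def covered(cert_names, host):
    """True if any DNS name on the certificate covers host."""
    return any(name_matches(n, host) for n in cert_names)


def uncovered(cert_names, hosts):
    """Hosts a browser would reject for this certificate."""
    return [h for h in hosts if not covered(cert_names, h)]


# Constructed DNS-name lists for the three certificate types.
SINGLE = ["www.cheapdeals.com"]
WILDCARD = ["cheapdeals.com", "*.cheapdeals.com"]
MULTI = ["cheapdeals.com", "*.cheapdeals.com", "shop.otherdeals.example"]

# Hostnames the shop serves: the page's examples plus the bare domain.
SITE_HOSTS = [
    "cheapdeals.com",
    "www.cheapdeals.com",
    "mail.cheapdeals.com",
    "login.cheapdeals.com",
    "example.shop.cheapdeals.com",
]

if __name__ == "__main__":
    for label, names in (("single", SINGLE), ("wildcard", WILDCARD),
                         ("multi-domain", MULTI)):
        print(label, "does not cover:", uncovered(names, SITE_HOSTS))
```

Running the same check over your own list of hostnames before you buy shows which certificate type leaves a host unprotected.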

At Comalytics, we use Comodo as our SSL certificate provider. Here is a high-level overview of what is included in their certificates:

A high-level overview of what is included in Comodo’s certificates

Factors to consider when choosing an SSL certificate for your e-commerce site

Before you rush to buy your SSL certificate, there are several other aspects to think through. We’ve already mentioned:

  • The strength of encryption

  • The different levels of authentication – domain, organisation and extended validation – and,

  • The number of domains you have.

Below are a few more factors to take into account when making your choice:

Warranty

If fraudulent activity does happen on your e-commerce site despite the security you have in place, the certificate authority will pay you out. The amount you get will depend on the level of validation you have.

Reputation

Make sure the certificate authority (CA) you choose is well respected and has plenty of users. They are more likely to have a strong infrastructure and to stay on top of the latest developments in cybercrime.

Issuance time

As we’ve mentioned already, the higher the level of validation, the longer it takes to get your SSL certificate. The EV certificate especially can take a while as all the information you submit needs to be thoroughly checked by the CA.

Price

How much your SSL certificate costs will depend on the CA you use, the level of authentication and number of domains, and the validation period. A multi-year validation can save you time and money, especially if your business is well-established.

Customer support

Your CA should be available to help when you need support. If you can’t get hold of them, that’s not a good sign.

Extra security elements

There are many other security options available and some of these may well come as a package deal with your SSL certificate, especially if it’s an EV option. Investigate what’s included in your package and whether it might be useful for your business.

The bottom line…

If you’re running any kind of e-commerce site, by default you’ll be dealing with sensitive customer information like passwords and bank details. You do get a good basic DV SSL certificate with your Comalytics site. However, to protect both your customers and your business, you may need an organisation validation (OV) or an extended validation (EV) one.

Make sure you do your homework before you commit to a certificate or a provider. As you go through the process, keep in mind that your SSL certificate will pay you dividends in customer trust and in sales, so it’s well worth the time and money invested.
