Ecommerce 101: What is an SSL certificate?

This post of part of our Ecommerce 101 series which explores online commerce concepts and practices in plain English.

In this article we are taking a simple approach to explaining what TLS / SSL is and what SSL certificates are. We will look at what they do, how they work and why they are important.

What is SSL

SSL stands for (Secure Sockets Layer) and is a cryptographic protocol which provides encryption to ensure that only the intended recipient can read data sent over a network. SSL is nowadays also referred to by the name of its more modern successor: TLS (Transport Layer Security).

In the case of an ecommerce website, it allows a customer’s browser to communicate with the website servers securely, so that sensitive information like credit card numbers can safely be transmitted. It ensures that data cannot be deciphered during transmission.

What is a SSL certificate?

SSL certificates are used to establish trust. When you purchase a SSL certificate what you are really buying is the ability to tell your website visitors, or more accurately their browser, that they ought to trust the connection to your site as being secure because the company that sold you the SSL certificate, the Certificate Authority or CA, has validated who you are.

Certificate Authorities typically offer different types of SSL certificate. The different types of SSL certificate relate to different levels of trust. These levels of trust are related to how thoroughly the Certificate Authority has investigated and confirmed that the person purchasing the SSL certificate does in fact represent the owners of the website on which the certificate is to be used.

Different SSL certificate types do not affect the quality of the encryption, though they are often marketed by suggesting it does.

Behind the scenes, when a web browser visits a website, if it receives a SSL certificate from the website, it checks to see if the Certificate Authority that issued the certificate is one that it has been told to trust, whether or not the certificate is valid for the website address, if it is valid what level of trust is associated with the certificate, and whether or not the certificate has expired. Based on the results of this checking the browser then decides whether or not it trusts the website.

As one can see in the image above, browsers can display the trust in a given SSL certificate in a number of ways: the address bar changes colour, a little closed/broken padlock is shown, the domain name is preceded with https rather than http, etc. Generally speaking, green means go!

In our next post tomorrow, we will be looking at how to choose a SSL certificate.