Secure communication is an essential part of the internet; it is what gives you the familiar HTTPS prefix when you visit a website. SSL is not limited to fetching website content in a browser: it is also used when you read email through a mail client, when you upload files over FTP, and when one mail server sends data to another.
SSL certificates come in several tiers. Free certificates from providers such as Let's Encrypt, which come built into many server control panels, are used by SaaS companies to help their customers get their websites online quickly. Next come cheap certificates and finally premium ones; this classification is based purely on cost. While free certificates help secure the internet for everyone, premium certificates are meant to inspire more confidence. That confidence comes from the certificate authority's more thorough vetting processes, more robust technical and physical protection of its signing keys, same-day issuance, and similar assurances.
At a fundamental level, SSL secures the communication between two endpoints, whether that is a client talking to a server or one server talking to another.
What we loosely call SSL encryption today runs over the SSL and TLS protocol standards. SSL has three versions, of which 3.0 is the latest, and TLS has four, of which 1.3 is the latest. The important point is that every version of SSL is retired and deprecated, and TLS 1.2 is the only version now recommended for use. A practical note for CentOS users: TLS 1.3 support requires CentOS 8 or later.
As for the public-key algorithms used with SSL and TLS, the most efficient today is ECC, whose short key lengths make for faster connections. The other options are DSA and RSA.
More on algorithms can be read here.
Now, coming to cheap vs. premium SSL certificates:
1. There are different levels of validation: Domain Validation (DV), Organisation Validation (OV), and Extended Validation (EV).
2. There are also guarantees that pay out if an SSL session is compromised; they range from $50,000 to a few million dollars and vary from company to company.
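Both the retired protocol versions mentioned earlier and the DV versus OV/EV distinction can be checked from the client side. The following is an added example, not code from the original article: using only Python's standard `ssl` module, it builds a client context that refuses SSLv3, TLS 1.0 and TLS 1.1, and classifies a certificate as DV or OV/EV from the Subject fields that `SSLSocket.getpeercert()` exposes. The two sample certificate dicts are constructed for illustration, with placeholder host names; `getpeercert()` does not expose the certificate-policy OIDs that separate EV from OV, so those two are reported together.

```python
"""Two client-side checks for a TLS endpoint (added example, stdlib only):
1. which protocol versions the client will still accept (TLS 1.2 and up), and
2. whether the presented certificate asserts an organisation (OV/EV) or only
   a domain name (DV).
"""
import socket
import ssl

# Version strings as SSLSocket.version() reports them. Every SSL version and
# TLS 1.0/1.1 are retired; TLS 1.2 and 1.3 are the ones still accepted.
RETIRED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def version_status(name: str) -> str:
    """Return 'retired', 'accepted' or 'unknown' for a negotiated version string."""
    if name in RETIRED_VERSIONS:
        return "retired"
    if name in ACCEPTED_VERSIONS:
        return "accepted"
    return "unknown"


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses every retired protocol version.

    create_default_context() already verifies the chain and the hostname; the
    explicit minimum_version is what rules out SSLv3, TLS 1.0 and TLS 1.1
    regardless of the defaults of the OpenSSL build underneath.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_version(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True if the context's [minimum, maximum] range includes `version`.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinel values (negative), so
    they are mapped to the concrete ends of the range before comparing.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo <= version <= hi


def rejects_retired_versions(ctx: ssl.SSLContext) -> bool:
    """True if SSLv3, TLS 1.0 and TLS 1.1 are all refused while TLS 1.2 is allowed."""
    retired = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    return (not any(allows_version(ctx, v) for v in retired)
            and allows_version(ctx, ssl.TLSVersion.TLSv1_2))


def validation_hint(peercert: dict) -> str:
    """Classify a certificate dict in the shape SSLSocket.getpeercert() returns.

    DV certificates name only the domain (commonName / subjectAltName); OV and
    EV certificates also carry organizationName in the Subject. The policy OIDs
    that distinguish EV from OV are not in this dict, so both are reported as
    'OV/EV'.
    """
    subject = {}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            subject[key] = value
    if "organizationName" in subject:
        return "OV/EV: organisation '%s' asserted" % subject["organizationName"]
    return "DV: domain identity only"


def inspect_endpoint(host: str, port: int = 443) -> dict:
    """Connect once with the hardened context and report version and validation.
    Needs network access; the offline checks below do not call it."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {
                "protocol": tls.version(),
                "protocol_status": version_status(tls.version()),
                "validation": validation_hint(tls.getpeercert()),
            }


# Constructed sample dicts (not real certificates) in getpeercert() shape.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),),
}
SAMPLE_OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Shop Ltd"),),
        (("commonName", "shop.example.test"),),
    ),
    "subjectAltName": (("DNS", "shop.example.test"),),
}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("retired versions refused:", rejects_retired_versions(ctx))
    for name in ("SSLv3", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(name, "->", version_status(name))
    print(validation_hint(SAMPLE_DV_CERT))
    print(validation_hint(SAMPLE_OV_CERT))
```

The design point is that `minimum_version` is set explicitly rather than relying on the interpreter's defaults: older Python and OpenSSL builds still negotiate TLS 1.0 and 1.1 unless told not to, and an explicit floor keeps the behaviour identical across hosts.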
Both of these increase end-user confidence, because the company users share their data with has been fully vetted. E-commerce and other transactional sites are therefore better off running EV certificates. On top of that, many providers bundle additional services such as malware scanning and better support, including same-day issuance of the certificate, for which they charge a premium. Providers also issue dynamic site seals, which give users extra confidence when making purchases.
To summarise: if you run a transactional website with a national or international footprint that collects payments and sensitive customer data, go for a paid SSL certificate with a site seal and, if budget allows, a premium one. The more thoroughly your business is validated, the more confidence users will have.