Securing Your Ecommerce Online

When a business decides to take confidential information online or take credit cards/payments online, it must purchase an SSL (Secure Sockets Layer) certificate. An SSL encrypts the data transfer that occurs between your website/application/server and the end user. Today’s standard is 128-bit to 256-bit encryption. A decade ago, 40-bit encryption was sufficient, but as machines have become more powerful, so has the encryption. However, some older browsers and machines cannot support 256-bit or even 128-bit encryption, which prevents your website from showing for those users. At the end of the day, the encryption process is the same. So, if it is encrypted… it is encrypted.

An SSL is required because it is the only safe way to protect your customers’ data when they are entering their credit card number, social security number, patient information, etc. into your website. I am often asked, which SSL is best for me? I can get them for $20.00 per year or $1,500 per year; why such a drastic difference?

There are different levels of encryption and different types of verification. Your website, application, users, and stored data will help you determine what level you may need.

The different levels of encryption, from 40-bit to 256-bit, can affect how secure your site is. I would not recommend using anything less than 128-bit encryption to ensure you are protected. However, if you have users who connect to the Internet with older browsers and you want to ensure that 99.9% of all users can utilize your SSL connection, unique certificates are available to support the older browsers.

The biggest differences among the SSL’s sold today (beyond price) are the verifications and checks they perform to determine that the company purchasing the SSL is a legitimate company and that the SSL is tied to the correct domain name, and how the SSL can appear to end users.

The lowest level of SSL’s is cheap, provides encryption, and just validates that the domain name is legitimate and that the person buying the SSL also owns the domain. This is great for intranets. Most new browsers will show an error on these types of SSL’s to notify you that it is not verified and should not be trusted. With the number of phishing scams where you think you are at your bank’s website or a legitimate website and risk giving your personal information to a malicious user, this is the type of SSL phishing scams tend to use to help them look legitimate. The costs range from $20.00 to $100.00 per year depending on the supplier.

The mid level of SSL’s often takes it a step further and also verifies that the organization is a legitimate, registered organization. These are trusted by accredited companies, and most of these companies will offer a seal that can be seen on a company’s site. Some even offer insurance (which is often useless, since 128-bit to 256-bit encryption is unbreakable by today’s standards), but you will pay extra for it. The costs range from $150.00 to $1,000.00 per year.

High-end SSL’s with EV (Extended Validation) offer additional levels of verification for your organization, often offer additional seals, and, in newer browsers, offer a colored address bar, which is a nice touch for added confidence for end users. The costs range from $600 to $1,500.00 per year.

Advanced SSL’s and features are available for companies using more than one URL, as each SSL is tied to a full domain address, i.e. www.isoc.net, where mail.isoc.net is a second URL. Some advanced SSL’s include:

  • Wild Card SSL’s, which let you have as many subdomains as you would like under one core domain.
  • SGC Certificates, which allow older browsers to use the most secure encryption.
  • Code Signing Certificates, which allow you to add a certificate to your code/file to ensure it is trusted code and that no malware or virus has been inserted.
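
To make the one-name-per-certificate point and the Wild Card option concrete, here is an added example (not part of the original article) that lists which hostnames a set of certificate names leaves uncovered. It assumes the matching rule browsers commonly apply, where a wildcard replaces exactly one left-most label; the function names and the site list are constructed for illustration.

```python
# Added example: which hostnames do a certificate's DNS names cover?
# Assumption: the common browser rule (RFC 6125 style) where "*" is only
# honoured as the whole left-most label and stands for exactly one label.

def name_covers(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the given hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # A wildcard needs at least two fixed labels after it ("*.net" is refused).
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in cert_name:
        return False  # partial or non-left-most wildcards are not accepted
    return pattern == host


def uncovered(cert_names, hostnames):
    """List the hostnames that none of the certificate names cover."""
    return [h for h in hostnames
            if not any(name_covers(n, h) for n in cert_names)]


# Constructed inventory of sites under the article's example domain.
SITES = ["www.isoc.net", "mail.isoc.net", "isoc.net", "shop.mail.isoc.net"]

if __name__ == "__main__":
    for names in (["www.isoc.net"], ["*.isoc.net"], ["*.isoc.net", "isoc.net"]):
        print(names, "leaves uncovered:", uncovered(names, SITES))
```

Running the check against your own list of sites before buying shows whether a single-name SSL, a Wild Card SSL, or a certificate that also lists the bare domain is needed; visitors to an uncovered hostname get a name-mismatch warning.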

In conclusion, the things to look for when buying an SSL are:

  • Buy from a Certified Authority: Cheapest isn’t always best. You want to make sure the SSL will be trusted.
  • Understand Your Needs and Your Users’ Needs: Don’t pay for something you don’t need.
    • What type of confidence do you want to ensure in the encryption process?
    • What type of data are you trying to secure?
  • Ask a professional: It can be challenging to understand what you need and the differences, so ask your hosting provider or web developer to help you through the process.