Nearly everyone of us have seen the 'https' in the address bar. In-case you have a gmail account or are using any Google service, you will generally see it more than once a day. So what does this 'https' means? It means two things :
- When you see a 'https' in the address bar, and the page opens without any warning etc., it means that website has been verified by a third trustworthy party. Now this verification is SSL industry is taken broadly at two levels - Domain Name verification (e.g. Thawte SSL123
) and Identity verification. When a Digital Certificate is issued with Domain Name verification, it essentially means that the domain name owner has been verified by using the domain name credentials. Thats it. But when a Digital Certificate is issued with Identity verification, it means that apart from domain name, other credentials of the website owner have also been verified. There are many websites and services which run on this notion of Trust.
- The concept of security is most mis-understood in the context of Digital Certificates. Many believe that having a Digital Certificate will make their website safe and will prevent hacks from hackers, malware etc. But that is completely wrong. Security in the context of Digital Certificate means security of transfer of data from the client's browser to the web server. Thats it. When you open any site with 'https', the data from your browser will be encrypted first and then transfer to the web server, where it will be decrypted back again. And same vice-versa. In-fact you do not need to buy a Digital Certificate if you just want to secure your data-transfer. You can always use a self-signed certificate to the same effect. Except that it will throw a warning in the browser that the certificate is not-validated. For deep digging, please visit this Wikipedia article : http://en.wikipedia.org/wiki/X.509
Now we come to the important question, is a Digital Certificate required :
- If you want both Trust and Security of data-transfer. Typical examples are credit-card processing, internet banking, collection of sensitive information, or where it is mandated by law - HIPAA
- If you just want Trust and do not require Security of data-transfer - In this case you can go for a Verisign Seal
I hope this article of mine will help you make an informed choice.