The Three Grades of HTTPS
- #Security
- #Encryption
- #Best Practices
 
- 2018/12/30
 
Three grades of SSL (HTTPS)
SSL certificates let you switch a site from http://domain to https://domain, so traffic between the browser and the server is encrypted and the address bar looks trustworthy. Even individual site owners enable HTTPS nowadays. HTTPS is the norm, so do not assume it guarantees safety; it is simply the baseline.
Heroku gives you HTTPS URLs out of the box, and on AWS you can enable it via ACM (AWS Certificate Manager). But did you know there are three levels of SSL certificates? Let's recap them. In the near future, any URL that does not start with https:// will likely be treated as dangerous, so it pays to understand the differences.
Domain Validation (DV)
The easiest and lowest tier. DV is fully automated, with no human review: the certificate authority checks only that the applicant controls the domain, not who the applicant is, so it offers the least assurance. Pay a certificate authority and most sites can get one. Chrome simply shows the lock icon, while sites that still use HTTP display "Not secure." ACM issues DV certificates. It is better than nothing, so at least do this.
Organization Validation (OV)
Unlike DV, OV involves human review. Before issuing the certificate, the authority verifies the organization's registered information, so it provides stronger assurance than DV: the certificate vouches for who operates the site, not only for control of the domain. Because of the additional effort, OV costs more. Chrome shows the same UI as for DV (at least it used to; this may have changed). Corporate sites and client portals should use at least OV.
Extended Validation (EV)
This is the most secure option. It requires a stringent review plus checks that the organization actually exists, to prevent impersonation. When you visit an EV-enabled site, Chrome displays the organization's name next to the URL, so users can instantly see that the company is real and the site is trustworthy. The process takes longer and costs much more than DV or OV, but it lets large enterprises and sites handling personal data demonstrate their safety.
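The three grades above are visible in the certificate itself: a DV certificate's subject carries only a common name, an OV certificate adds the verified organization name (O), and an EV certificate adds business category, registration number and jurisdiction fields, with the CA/Browser Forum policy OIDs (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV) in the certificatePolicies extension. The script below is an added example, not code from the original post; it uses only the Python standard library with a minimal DER walker, and the sample subject names and policy extensions are constructed inline with a small encoder so it runs offline. One assumption to note: real EV certificates often assert a CA-specific EV OID instead of, or alongside, 2.23.140.1.1, and browsers kept per-root lists of those OIDs, so the classifier below treats only the CA/B Forum OID as an EV signal.

```python
"""Classify an X.509 leaf certificate as DV, OV or EV from its subject name
and certificatePolicies extension. Added example; stdlib only."""

# Real attribute and policy OIDs (not constructed).
CN, O, BUSINESS_CATEGORY, SERIAL = "2.5.4.3", "2.5.4.10", "2.5.4.15", "2.5.4.5"
JURISDICTION_C = "1.3.6.1.4.1.311.60.2.1.3"      # jurisdictionCountryName
DV_POLICY, OV_POLICY, EV_POLICY = "2.23.140.1.2.1", "2.23.140.1.2.2", "2.23.140.1.1"
EV_REQUIRED = (O, BUSINESS_CATEGORY, SERIAL, JURISDICTION_C)  # mandatory EV subject fields

# ---- minimal DER decoding -------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _decode_oid(body):
    """Decode an OBJECT IDENTIFIER body into dotted notation."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in body[1:]:                     # base-128, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(name_der):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to {oid: str}."""
    _, body, _ = _read_tlv(name_der, 0)
    attrs = {}
    for _, rdn in _children(body):         # each RDN is a SET
        for _, atv in _children(rdn):      # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, val) = list(_children(atv))
            attrs[_decode_oid(oid)] = val.decode("utf-8")
    return attrs

def parse_policies(ext_der):
    """Return the policy OIDs from a certificatePolicies extnValue."""
    _, body, _ = _read_tlv(ext_der, 0)
    return [_decode_oid(next(_children(info))[1]) for _, info in _children(body)]

# ---- classification --------------------------------------------------------
def classify(subject, policies):
    """Policy OIDs are the primary signal; subject fields are the fallback.
    An EV claim without the mandatory EV subject fields is downgraded."""
    if EV_POLICY in policies and all(k in subject for k in EV_REQUIRED):
        return "EV"
    if OV_POLICY in policies or O in subject:
        return "OV"
    return "DV"

def grade(name_der, policies_der):
    return classify(parse_name(name_der), parse_policies(policies_der))

# ---- tiny DER encoder, used only to build constructed sample inputs ----------
def _tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def _base128(arc):
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append((arc & 0x7F) | 0x80)
        arc >>= 7
    return bytes(reversed(out))

def _encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, bytes([a[0] * 40 + a[1]]) + b"".join(_base128(x) for x in a[2:]))

def _encode_name(attrs):
    """Encode {oid: str} as a Name with one UTF8String attribute per RDN."""
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, v.encode()))) for oid, v in attrs.items()))

def _encode_policies(oids):
    return _tlv(0x30, b"".join(_tlv(0x30, _encode_oid(o)) for o in oids))

# Constructed sample certificates (subject Name DER, certificatePolicies DER).
SAMPLES = {
    "dv": (_encode_name({CN: "blog.example"}), _encode_policies([DV_POLICY])),
    "ov": (_encode_name({CN: "portal.example", O: "Example Co"}), _encode_policies([OV_POLICY])),
    "ev": (_encode_name({CN: "bank.example", O: "Example Bank", BUSINESS_CATEGORY: "Private Organization",
                         SERIAL: "1234567", JURISDICTION_C: "US"}), _encode_policies([EV_POLICY])),
    # Asserts the EV policy but lacks the EV subject fields: treated as OV, not EV.
    "ev_claim_missing_fields": (_encode_name({CN: "shop.example", O: "Example Shop"}),
                                _encode_policies([EV_POLICY])),
}

if __name__ == "__main__":
    for label, (name_der, pol_der) in SAMPLES.items():
        print(f"{label:>24}: {grade(name_der, pol_der)}")
```

To apply this to a real certificate, feed `parse_name` the DER of the subject field and `parse_policies` the extnValue of the certificatePolicies extension (OID 2.5.29.32); the classifier deliberately refuses to call a certificate EV on the policy OID alone, because the organization fields are what the browser displayed next to the URL.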
Closing
Choose the type of certificate that matches your site’s scale and purpose, and enable HTTPS appropriately.