This is a technical post that provides supporting information for our previous SSL post about the different types of SSL certificates.
When you think about an SSL certificate, you consider the encryption and the level of verification/warranty. Let’s break these down:
Encryption. The encryption for an SSL certificate is a measure of how difficult it would be to “crack the code” if someone were intercepting the traffic between your computer and the website you are visiting. In today’s market you will mostly find certificates with 128-bit and 256-bit encryption, the idea being that a 256-bit certificate has more possible key combinations than a 128-bit certificate, so it’s more secure.
Most new SSL certificates are 256-bit, so you probably won’t come across a 128-bit certificate when you go to purchase one for your website. That said, practically speaking, there’s no real difference between the two: a rough estimate of the possible combinations of a 128-bit key is 339,000,000,000,000,000,000,000,000,000,000,000.
Verification/Warranty. One of the things that an SSL certificate does is verify that a website is truly the website in question, and part of the cost of a certificate is based on what proof the person or company had to provide in order to acquire it. For example, with a free Let’s Encrypt certificate, there is minimal identity verification required, so it's not an ideal certificate for an eCommerce website.
But because the goal of SSL for a dental or medical website is to prove that the transfer of data between the user and the website is encrypted, and not who registered for the certificate, the identity verification doesn’t really matter. Many of us are using SSL on dental and medical websites because Google has recommended it, not because we are selling whitening products online and accepting CC numbers for billing (N.B. do NOT use a free certificate for this type of information), so complex identity verification is not needed.
However, if you are a company that is using your site for eCommerce transactions, or for customer data that needs to be encrypted (we’re not going into HIPAA here), it pays to have a certificate that requires the company that signs up for it to prove who they are by more than just giving their word.
For example, companies that sell SSL certificates will only sell certain high-end certificates to companies that prove their identities with business records such as proof of address, proof of incorporation, and EINs, to name a few. It’s the same idea as verifying your identity in everyday life: a license is OK to prove you are over 21 at a bar, but you need a utility bill, a license, and more to renew your driver’s license.
As the identity requirements become more stringent, the issuing companies offer a higher warranty. For example, there is no warranty on a free certificate if for some reason the website is hacked. However, for a high-end certificate (that requires extensive company identity verification), issuing companies will offer $100,000 or $500,000 or $1,000,000 etc. to the purchaser in case of a breach.
At the end of the day, different certificates are available for different business needs, and the more complex those needs are, the more expensive the certificate. And for dental and medical websites, remember that a free or very low-cost SSL certificate is adequate to meet Google’s growing preference for SSL-secured sites.