Implementing SSL 0

When you’re dealing with personal or otherwise confidential information, you want to know that snoops can’t listen in on your communications, and that you’re communicating with who you think. On the web, SSL (Secure Sockets Layer) is the standard way to do this.

Converting all or part of a site to run securely isn’t too difficult, but it does involve a number of steps. This article focuses on SSL certificates; follow-on articles will describe how to install the certificate, and how to set up Apache and Rails to use it.

What an SSL Certificate Does for You

An SSL certificate provides two separate functions:

  • It certifies, to varying degrees, the identity of the person or business that controls the web site.
  • It provides the public and private keys for encrypting communications with the site.

You can create your own certificate to achieve the second of these functions, using what is called a “self-signed” certificate. This gives you the private and public key pair that your web site and your visitors’ browsers use to encrypt the communications.

If you create your own certificate, though, it doesn’t certify anything about who you are. Each browser has a list of trusted authorities, and if your certificate wasn’t issued by a company linked to that list, a visitor’s browser will present a warning dialog asking the user if they want to trust this certificate. If the visitor accepts the certificate, it will work fine, but you probably don’t want to take the risk that they won’t, or raise any confusion in your users’ minds about how secure the communication may be. And if your users will accept a self-signed certificate, then anyone can theoretically spoof your site.

SSL Certificate Types and Suppliers

That’s why most everyone buys SSL certificates from a recognized Certificate Authority (CA), which is known to the visitor’s browser as a trusted source. The CA not only issues the certificate, which after all you can do yourself, but it verifies, to some degree, that you are who you say you are.
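The two situations above (a self-signed certificate that browsers refuse until the user accepts it, and a CA-issued certificate that chains to a trusted root) can be reproduced in a few lines of Go. This is an added example, not code from the article; the hostname www.example.com, the CA name “Example Root CA” and the three trust stores are constructed stand-ins for a browser’s trusted-authority list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for subject cn with a fresh key pair. With parent == nil it
// signs itself (a self-signed certificate); otherwise parent/parentKey act as the issuing CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // the key pair the certificate carries
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA: isCA, BasicConstraintsValid: true,
	}
	// A CA may sign other certs; a site cert names the host browsers will match against (SAN).
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } else { tmpl.DNSNames = []string{cn} }
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustedFor is the browser's check: does cert chain to a root in the trust store roots for host?
func trustedFor(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// demo: a self-signed cert is rejected by a store that lacks it, accepted once the user adds it
// (the warning dialog), and a CA-issued cert is accepted by a store that holds only the CA.
func demo() (selfRejected, selfAccepted, caIssuedOK bool) {
	const host = "www.example.com" // constructed hostname
	self, _, _ := newCert(host, false, nil, nil)
	ca, caKey, _ := newCert("Example Root CA", true, nil, nil) // constructed CA name
	leaf, _, _ := newCert(host, false, ca, caKey)
	unknown, accepted, store := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	accepted.AddCert(self)
	store.AddCert(ca)
	return !trustedFor(self, unknown, host), trustedFor(self, accepted, host), trustedFor(leaf, store, host)
}

func main() { fmt.Println(demo()) } // prints: true true true
```

The same check also fails for a CA-issued certificate presented under a hostname it was not issued for, which is why the certificate is bound to the domain name and not just to a key pair.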

Prices vary greatly among certificate issuers, but there are no differences in the encryption, and differences in the identity verification probably aren’t significant (since your visitors almost surely won’t know the difference). VeriSign is perhaps the best known; they charge very high prices ($400/year to $1500/year) for certificates whose added value is the VeriSign seal, which consumers may recognize, and a bunch of other things they throw in to increase the value—insurance, security analysis, etc.

At the other extreme, a “Turbo SSL” certificate from GoDaddy costs $19.99/year, or $14.99/year if purchased along with a domain name. The encryption it supports is just as secure as the expensive VeriSign certificate; it just doesn’t do nearly as much to prove who you are, and it doesn’t come with the VeriSign brand. All you have to do to prove who you are is be able to receive mail at the domain owner’s email address (as listed in the domain registration records).

These low-cost certificates only identify the domain name that owns the certificate. If you step up to a “high assurance” certificate ($89.99/year at GoDaddy), then the certificate also identifies the business name and location. This requires that humans at the certificate issuing authority actually check to see that your business exists, independently of its domain registration; you may have to fax documents to them that “prove” you are who you say.

If you step up to an Extended Validation certificate ($500/year at GoDaddy, $1500/year from VeriSign), then you get to go through even more paperwork to prove who you are, and you must be a corporation. The browser can identify an Extended Validation certificate and indicate in some way that this is a “safe” transaction. Currently, IE 7 provides a green background for the address bar in this case. Other browsers are likely to follow. Is this worth $500 to $1500 a year? If you’re a bank, yes; otherwise, perhaps not.

Once you’ve purchased the certificate, you need to generate it, install it on your server, and configure your software to use it. Stay tuned for details on how to do this.