SSL in brief
SSL (Secure Sockets Layer)—usually referred to as TLS (Transport Layer Security) today—is an encryption protocol that protects data between browser and server. Without SSL, third parties can intercept passwords or card numbers. An SSL certificate verifies the server identity and enables HTTPS—the secure version of HTTP. SSL/TLS is standard for any trustworthy site—as important as choosing the right domain—and central for SEO, privacy, and user trust.
How SSL/TLS works
When you open an HTTPS page, browser and server first negotiate a secure key (handshake). All traffic is then encrypted—only browser and server can read it. The SSL certificate contains the server public key and is signed by a trusted certificate authority (CA). The browser verifies the signature and shows a lock icon for a valid certificate.
- Handshake:Browser and server agree on algorithms and exchange keys. Modern TLS (1.2, 1.3) provides strong encryption.
- Certificate & chain of trust:The certificate lists domain, validity window, and public key. The CA attests identity. Browsers trust a set of root CAs.
- Encryption:After the handshake, data is encrypted with a session key. Intercepted packets stay unreadable.
SSL certificate types at a glance
Certificates differ in validation depth and scope. The right choice depends on your requirements, site type, and budget.
DV – Domain Validation
The simplest level: the CA only checks that you control the domain (e.g. via email or DNS). Issued quickly, often free (Let's Encrypt). Ideal for sites, blogs, and small shops. No business verification.
OV – Organization Validation
Extended checks: besides the domain, the organisation is verified—registry, address, legitimacy. The certificate includes organisation data. Higher trust, longer issuance. Typical for corporate sites and e-commerce.
EV – Extended Validation
Strict validation: thorough vetting of the organisation by the CA. Older browsers showed a green bar with the company name. Highest trust—especially for banks, insurers, and sensitive transactions.
Wildcard certificate
Covers one domain and all subdomains (e.g. *.example.com). One certificate for example.com, www.example.com, shop.example.com. Handy with many subdomains; often pricier than single-host certs. Requires DNS validation.
SSL vs TLS
SSL was the original protocol (1.0, 2.0, 3.0); TLS is the newer, safer successor. SSL 3.0 is deprecated and insecure—today TLS is used in practice. The term “SSL certificate” stuck even though TLS is what runs. Modern browsers support TLS 1.2 and 1.3.
- SSL: Original protocol, obsolete today. Mentioned mainly for history.
- TLS: Current standard (1.2, 1.3). Stronger encryption and security.
- Terminology: “SSL certificate” and “TLS certificate” mean the same—a certificate for encrypted connections. “SSL” remains common.
SSL and HTTPS
HTTPS is HTTP over a TLS connection. The SSL certificate enables HTTPS—URLs start with https:// instead of http://. Browsers show a lock and mark the connection secure. Google has long promoted HTTPS for rankings; many browsers warn on plain HTTP. HTTPS is mandatory for serious sites today.
- HTTP vs HTTPS: HTTP sends data in clear text. HTTPS encrypts with TLS—same features, but secure.
- Port: HTTP uses port 80, HTTPS 443. Servers often redirect 80 to 443.
- SEO: Google treats HTTPS as a ranking signal. Without HTTPS you risk lower rankings and browser warnings.
SSL for websites and SEO
SSL protects user data and builds trust. Search engines reward HTTPS—SSL is an established ranking factor. Many browser features (e.g. geolocation, camera) also require a secure context.
Security and trust
- Protects logins, form data, and payments
- The lock icon signals trustworthiness
- Supports GDPR-aligned data transfer
- Mitigates man-in-the-middle attacks
SEO benefits
- HTTPS as a Google ranking factor
- Avoids “Not secure” browser warnings
- Referrer data is preserved between HTTPS sources
- Prerequisite for modern web APIs
Let's Encrypt and free certificates
Let's Encrypt is a free, automated CA that issues DV certificates. Many hosts integrate it—enable with one click and renew automatically before expiry. Free certs offer the same encryption strength as paid ones; differences are validation depth (domain only, no org review) and support.
- Let's Encrypt: Free, automatic renewal, DV validation. Ideal for most websites.
- Hosting integration: Many hosting providers (IONOS, Hetzner, All-Inkl, etc.) bundle Let's Encrypt—often one-click activation.
- Paid alternatives: OV and EV certs need manual review and yearly fees. Use when higher assurance is required.
SSL best practices
A certificate alone is not enough—configuration must be correct. These points keep HTTPS reliable and secure.
- Current TLS: Use TLS 1.2 or 1.3. Disable legacy SSL 3.0 and TLS 1.0.
- Redirect HTTP to HTTPS: 301 all HTTP requests to HTTPS. Avoids duplicate content and secures every URL.
- Renew certificates: Certs expire (Let's Encrypt: 90 days). Automate renewal or set reminders.
- Avoid mixed content: Do not load HTTP assets (images, scripts) on HTTPS pages—or browsers will warn.
SSL—summary
SSL/TLS underpins secure websites. A valid certificate enables HTTPS, protects data, and supports trust and rankings. Free DV certs such as Let's Encrypt suit most sites; OV and EV add higher assurance when needed. Planning HTTPS from the start avoids gaps and warnings—SSL is baseline for professional sites today.
IVIS MEDIA sets up SSL certificates and HTTPS for your site—from provisioning and configuration to safe redirects. We support GDPR-aligned data transfer and strong SEO foundations. More about web development
Frequently asked questions about SSL
What is SSL?
SSL (Secure Sockets Layer)—usually TLS (Transport Layer Security)—encrypts data between browser and server. An SSL certificate verifies the server and enables HTTPS. Without SSL, traffic can be intercepted; with SSL it is encrypted.
What is the difference between SSL and TLS?
SSL was the original protocol; TLS is the safer successor. SSL 3.0 is deprecated; today TLS (1.2 or 1.3) is used. People still say “SSL certificate” even though TLS runs in practice. The terms refer to the same kind of certificate.
What is HTTPS?
HTTPS (HTTP Secure) is HTTP over TLS. URLs start with https:// and browsers show a lock. HTTPS encrypts all traffic. Google uses HTTPS as a ranking signal; modern browsers warn on plain HTTP.
What does an SSL certificate cost?
DV (domain validation) certificates are often free—e.g. via Let's Encrypt from many hosts. OV and EV certificates typically cost roughly €50–€500+ per year. Encryption strength is the same; validation depth differs.
What is Let's Encrypt?
Let's Encrypt is a free CA issuing DV certificates. Certs last 90 days and can renew automatically. Many hosts offer one-click setup. Ideal for sites, blogs, and shops—with the same encryption as paid certs.
What do DV, OV, and EV mean?
DV (Domain Validation): only the domain is checked—fast, often free. OV (Organization Validation): domain and organisation are verified—higher trust. EV (Extended Validation): strict org vetting—highest trust; older browsers showed a green bar. Encryption is the same; validation depth differs.
Does SSL affect SEO?
Yes. Google treats HTTPS as a ranking factor. Browsers also warn on HTTP, which hurts engagement. HTTPS should be standard for every site.
How do I set up SSL/HTTPS?
With most hosts: order a cert or enable Let's Encrypt (often one click), then redirect HTTP to HTTPS (301). On your own server: obtain a cert from a CA or use Let's Encrypt with Certbot, then configure Apache/Nginx.
What happens if my SSL certificate expires?
Browsers show security warnings—users may be blocked. The site looks untrustworthy. Renew before expiry. Let's Encrypt (90 days) can auto-renew; others need reminders or auto-renewal.
What is a wildcard SSL certificate?
It covers one domain and all subdomains (e.g. *.example.com)—one cert for example.com, www, shop, mail, etc. Useful with many subdomains. Requires DNS validation and is often pricier than single-host certs.
Is SSL required for GDPR?
GDPR expects appropriate technical measures to protect personal data. Unencrypted HTTP is risky—HTTPS/SSL is considered best practice and often treated as essential for compliant sites, especially with forms, logins, or payments.
What is mixed content?
If an HTTPS page loads images, scripts, or styles over HTTP, that is mixed content. Browsers block or warn—the page feels unsafe. Fix by loading everything over HTTPS (relative URLs or https://).