Clients usually need to keep their users’ data secure in transit from the end user’s browser to the web server via an SSL certificate. However, the number of different types of SSL certificates available today can be confusing. There are free SSL certificates, domain validated certificates, company validated certificates, and extended validation certificates. While all of these options offer the same level of encryption, they vary in the level of validation that is done to determine the legitimacy of the company purchasing them.

Free SSL certificates are sometimes offered by a hosting provider and are typically shared across multiple applications and companies that use the hosting provider. They are free, but the hosting provider does not validate that the company using them is legitimate. Therefore, visitors to a site with a shared SSL certificate would likely not feel confident about making a purchase (in the case of an eCommerce website).

Domain validated certificates are specific to a domain (or subdomain), and the issuer will validate that the purchaser of the certificate actually owns the domain. However, this is about as far as the validation typically goes, so it is still relatively easy for a criminal to buy a domain name and then buy a corresponding certificate. There’s no guarantee that the company behind the site is legitimate.

Company validated certificates are issued after the issuer has validated that the company purchasing the certificate is a legitimate company. This gives users and buyers of products on the website confidence that the company behind the site is who it says it is.

Finally, there are extended validation, or “EV”, certificates. These also ensure that the purchasing company is legitimate, and they add some bells and whistles, such as the ability for browsers to present additional information to users about who owns the site, giving site visitors further confidence.

So which one should you purchase? Well, as with most things, it depends. If your site is a company intranet used by internal employees, then a simple domain validated SSL certificate would probably suffice. If you are running an eCommerce website, then you would likely want either a company validated certificate or an extended validation certificate, since you won’t want to lose a sale over a visitor’s concerns about security or legitimacy.