We often hear about Internet scams, data theft or even hacking. It is essential to establish a series of security measures to prevent attacks of any kind. One such measure is installing a TLS certificate, especially if your website involves data transfers (whether credit card numbers, usernames, passwords, emails, etc.). In this post we explain everything you need to know to protect yourself and your users, and to identify the certificate that best suits your website.
What are TLS certificates?
TLS (Transport Layer Security) is an updated version of the SSL protocol, which encrypts data transmitted between a browser and a web server to enable secure communications on the network. The information sent is encrypted by a series of algorithms so that, in the event of an attack, hackers cannot read it.
In addition, these certificates authenticate the identity of the website, ensuring that it is not a fake site.
How do I know if a website has a certificate?
To find out if a website is protected by an SSL certificate, several aspects can be checked:
- The URL includes the acronym “HTTPS” (Hypertext Transfer Protocol Secure).
- To the left of the URL there is a padlock.
- By clicking on it, you can access the certificate information.
What types of certificates are there?
There are three types of web certificates:
- Domain Validated (DV): used for Transport Layer Security (TLS); only the applicant's possession of the domain is validated.
They are obtained quickly, since it is only necessary to prove possession of the domain. Having a DV certificate not only improves the trust of users, but also improves the position in Google and can increase the traffic to your website.
However, in terms of security they are the simplest certificates and do not help visitors to know who runs the domain, so they are not recommended for e-commerce websites.
- Organization Validated (OV): they provide a higher level of security than DV certificates, as they authenticate the identity and legitimacy of the legal entity that owns the domain. Therefore, in addition to proving that they are in possession of the URL, applicants have to prove that they are legally registered companies. If your website involves the collection of sensitive information for your users, you should choose to acquire an OV certificate.
- Extended Validation (EV): this is the highest level of security. Applicants for this type of certificate have to go through a more exhaustive and globally standardized identification process. Among the aspects that are verified are the exclusive right to use the domain; the legal, operational and physical existence of the legal entity; and the authorization of the issuance of the certificate.
EV certificates are the best tool for companies to combat phishing or identity thieves thanks to the absolute identification of the owner of the website and the easy access to this information by the user. High profile domains, more prone to attacks, such as banks, large companies or financial institutions should use EV certificates. But all websites that collect data or involve payments can benefit from the advantages of using a higher level of security.
In addition, there is another variant of certificates depending on the number of domains to be secured:
- Multidomain: these are used to protect several domains or subdomains of the same owner. For example, a single multi-domain certificate can protect the following websites: www.ejemplo.com, www.ejemplo123.com, menudo.ejemplo.org, gran.ejemplo123.com.
- WildCard: allows you to protect all the subdomains of a domain. For example, on the site www.example.com, a WildCard certificate can protect all the *.example.com subdomains: poor.example.com, for.example.com, shop.example.com…
DV, OV and EV certificates can be purchased in their multidomain variants. However, only DV and OV offer the possibility to purchase a WildCard. Extended Validation certificates cannot be WildCard, only multidomain.
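The coverage rules above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it tests which hostnames a multidomain or WildCard name list covers, using the matching rule browsers apply (RFC 6125: the `*` stands for exactly one leftmost label), and flags the EV-plus-WildCard combination the article rules out. The function names and the name lists are hypothetical, built from the hostnames used in this article.

```python
# Added example: hostname coverage for multidomain and WildCard certificates.
# The name lists are constructed from the hostnames used in this article.

MULTIDOMAIN = ["www.ejemplo.com", "www.ejemplo123.com",
               "menudo.ejemplo.org", "gran.ejemplo123.com"]
WILDCARD = ["*.example.com"]


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # "*" replaces exactly one label, so the depth must be identical.
        return False
    if p[0] == "*":
        # Wildcard is only valid as the whole leftmost label and needs at
        # least two fixed labels after it (no "*.com").
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    # Any other "*" (e.g. "w*.example.com") is rejected outright.
    return "*" not in pattern and p == h


def covers(names: list[str], host: str) -> bool:
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(n, host) for n in names)


def policy_problems(level: str, names: list[str]) -> list[str]:
    """Flag combinations the article rules out for a validation level."""
    problems = []
    if level.upper() == "EV" and any("*" in n for n in names):
        problems.append("EV certificates cannot be wildcard")
    return problems


if __name__ == "__main__":
    for host in ("shop.example.com", "example.com", "pay.shop.example.com"):
        print(f"{host:24} covered by wildcard: {covers(WILDCARD, host)}")
    for host in ("gran.ejemplo123.com", "tienda.ejemplo.com"):
        print(f"{host:24} covered by multidomain: {covers(MULTIDOMAIN, host)}")
    print(policy_problems("EV", WILDCARD))
```

Note that the bare domain and deeper names such as pay.shop.example.com are not covered by `*.example.com`; they need their own entries in the certificate.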
What are QWAC certificates?
QWAC stands for Qualified Web Authentication Certificate.
QWAC certificates are a type of web authentication certificate with the difference that they have been issued by a Qualified Trust Service Provider. That is, they have been issued in accordance with the eIDAS Regulation and must comply with the provisions of Article 45.
This means that the certificates have been issued under strict verification rules to ensure the highest possible guarantee of identity. This ensures that data sent to QWAC-protected websites meets higher standards than those issued by unqualified providers.
Of the three types of web authentication certificates, only Extended Validation and Domain Validated certificates for individuals can be QWAC.
Can I purchase a QWAC certificate for PSD2?
Article 34.1 of the RTS standard requires that, for identification purposes, payment service providers rely on qualified certificates for electronic seals or qualified certificates for website authentication.
A QWAC certificate allows establishing transport layer security with the certificate subject, which secures the data transferred over the channel, while a certificate for electronic seals (QSealC) allows the relying party to validate the identity of the certificate subject, as well as the authenticity and integrity of the sealed data, and also to prove it to third parties.
Therefore, QWAC certificates for PSD2 can only be contracted by TPPs.
What are certificates of Sede Electrónica?
This type of certificate validates the identity of Public Administration websites. In this way, it guarantees that the procedures that citizens are performing on a website are carried out securely with the Administration that owns the domain.
They are a variant of QWAC certificates exclusively for Public Administrations, which have to use qualified web authentication certificates, according to Law 40/2015, of October 1.