What’s An SSL Certificate?
When an internet user enters sensitive data on a website — such as credit card information to make an online purchase — it must travel from the user's browser to the website's host server. This data is vulnerable in two ways: It can be intercepted by bad guys during transmission, or it can be transmitted to an impostor. SSL certificates protect against both vulnerabilities.
The primary purpose of an SSL certificate is to encrypt data during transmission so that, if intercepted, it can't be read. Think of SSL-protected data as a secret code that only the sender (browser) and the recipient (host server) can translate back into a known language. To any third-party that happens to be spying in between, it will look like gibberish.
All new Volusion stores include an SSL. In most cases, we can approve and install this SSL certificate without further action from you. If your site is new or not currently live on your domain name, you may need to follow a special link we email to you.
How It Works
All commercial browsers such as Firefox, Chrome, and Safari keep lists of certificate-issuing authorities, and they trust all certificates issued by those authorities.
If data is entered on a secure connection ("https://" rather than "http://"), the browser will make certain that the certificate is still valid (not expired) and was issued by a trusted authority.
If both conditions are true, it encrypts the data and sends it to the website's host server. This is a powerful level of protection, but it can be abused if it falls into the wrong hands.
Protection Against Recipient Forgery
If you give an SSL to a scammer, it can actually make data theft easier by allowing the scammer to forge the identity of an intended data recipient. This is why a certificate-issuing authority can't simply issue a certificate for any requested domain name without verifying the requesting party's identity first.
If you successfully purchased a certificate for www.paypal.com, for example, you could create a fake PayPal site and collect user account credentials through the encrypted connection. That’s sneaky and bad!
Browsers would automatically allow it before the forgery was discovered and reported, creating a big headache for customers and businesses, and worst of all lost money. This is why it’s super important that certificate-issuing authorities take steps to ensure they don't issue certificates to scammers.
To do this, they must ensure that the individual requesting a certificate for a particular website actually owns the website in question. The issuer sends an email to an address known to be an authoritative address for the website. In it, there is a special link for the owner to click to validate ownership. There are two kinds of authoritative email addresses: the WHOIS email address and approved-format domain addresses.
The WHOIS Email Address
When you register a domain name, you're required to provide your contact info, including at least one valid email address. For some domain names, this email address information is published in a public database called WHOIS, however, in most cases, domain registrar information is private and not viewable.
Depending on the domain authority in the region of the registration, the listing displays certain information about each domain, which may include the
- Dates of registration and expiration
- Name servers of the DNS host
Approved-Format Domain Email Addresses
Since the WHOIS database doesn't typically contain email address information for a particular domain name, a better option for ownership validation is for the certificate issuer to send an email to any of the following addresses:
In most cases, only the true owner of a domain name can create these addresses and receive emails sent to them.
How to Create an Approved-Format Address: Volusion-Hosted Email
If you host your email with Volusion, you can create an approved-format address for domain ownership validation in one of two ways: by creating a new mailbox or by creating an alias for an existing mailbox.
An alias is merely an address that forwards all messages received to an inbox of your choice. For instructions on either procedure, see "Email Account Setup." For acceptable address formats, review the Approved-Format Domain Email Addresses subsection above.
How to Create an Approved Format Address: Third-Party Email Hosting
If you host your email with a third-party email service provider, the process for creating a new mailbox or alias will depend on your provider's requirements. For more information, contact your provider directly. For acceptable address formats, review the Approved-Format Domain Email Addresses subsection above.
By setting up your SSL certificate, you’ll be ready to open your digital doors for business and let your customers know you’re a secure site to shop at!