Different validation methods
When researching SSL certificates, you'll notice a few differences in the type of validation they offer. For example:
- DV (Domain validation)
- OV (Organization validation)
- EV (Extended validation)
There is no difference in the encryption protection these certificates offer, however there is a difference in the validation required to issue them to your site.
The validation method describes how the certificate is verified by the issuing Certificate Authority. This ensures that the site it's being issued to is correct and authorized to use it.
These include 'Let's Encrypt' certificates.
These types of certificates are validated using only the domain name. As such, the name of your website is not included in the certificate itself when viewing it. Anyone with admin rights to the website's panel can add a 'Let's Encrypt' certificate. After adding in the panel, the certificate is added automatically.
These certificates should only be used by smaller sites that do not exchange sensitive information. This would include:
- personal sites
Although they offer the same level of encryption as OV certs, these certificates do not display the actual site name within the certificate, meaning visitors are not able to validate the certificate by viewing it. Additionally, these are potentially vulnerable to phishing attacks. For example, a malicious user could create a similar site with a DV certificate to create a forged copy of your online store. For these reasons, these are not recommended for e-commerce sites that process payment information.
These include paid Sectigo certificates.
On November 1, 2018, Comodo announced that the company is rebranding to Sectigo. For more information about this, please see the following announcement at Sectigo's website:
Any Comodo certificate issued after January 2019 will reference Sectigo as the certificate authority, while any certificates issued prior to that will still reference Comodo. These are still the same company, and the only difference is the name.
These validate everything a (DV) does, while also validating additional organizational information about who is purchasing the certificate such as their Name, City, State, Country. The organization's name is also included in the certificate. This adds an additional layer of trust to visitors in that they can ensure the website and company are reputable.
(OV) certificates may require the user to respond to an email with a verification code which must then be entered into Sectigo's website. However this depends on how the DCV process verifies the certificate. View the following article for all steps required:
These certificates can be used on e-commerce sites to process payments.
Extended validation certificates
EV certificates ensure the highest amount of trust to visitors as they require the most information to be validated in order to be issued to the site.
They can be noted by the green URL bar displayed in the browser when visiting the site. This is a quick visual confirmation to the user that the site they are visiting has taken the maximum steps to ensure to confirm to users the site they're visiting. An example of a site with this type of certificate is bestbuy.com:
DreamHost does not currently offer these types of certificates.
What type of certificate should I use for my e-commerce site?
You can use either a 'Let's Encrypt' or professionally-signed 'Sectigo' certificate for your e-commerce website. Both use an RSA 2048 bit key to encrypt the connection, so the security is the same for both options.
What's the difference?
The primary difference is the type of validation. 'Let's Encrypt' certificates are 'Domain Validated' (DV). This means the domain is only validated by 'Let's Encrypt' based on the domain name itself. No further credentials need to be provided to obtain this type of certificate.
A paid 'Comodo' certificate offers 'Organization Validation' (OV). This can be thought of as a step up in validation as this requires the business/organization that is requesting the certificate to be validated first. After validation, the certificate then includes the organization's name in the certificate information. This additional validation can appear more trusting to customers, which is why this type is recommended for e-commerce sites.