SSL/TLS and Domain Security
4 min read
## SSL/TLS and Your Domain
SSL/TLS certificates serve two purposes for domain owners. (SSL, Secure Sockets Layer, is the deprecated predecessor of TLS, Transport Layer Security; the name survives only in the phrase "SSL certificate".) A certificate binds a public key to your domain name, which lets browsers **authenticate** the server they are talking to as the real one behind that name rather than an impersonator, and the TLS handshake then uses that key to negotiate session keys that **encrypt** traffic between your server and visitors.
For visitors, HTTPS with a valid certificate provides confidence that their connection is private and that the site belongs to the domain shown in the address bar. Without it, any network intermediary — a coffee shop router, an ISP, or an attacker — could read or modify traffic in transit.
For domain owners, the certificate acts as a public assertion of your domain's identity, backed by a trusted third party called a **Certificate Authority (CA)**.
## Certificate Types
There are three main certificate validation levels:
**Domain Validation (DV)**: The CA verifies only that you control the domain. Issued in minutes, often free (Let's Encrypt). Suitable for most websites. The padlock appears in the browser.
**Organization Validation (OV)**: The CA verifies domain control plus confirms the organization's legal existence. Provides slightly stronger assurance. Shown in certificate details.
**Extended Validation (EV)**: The most rigorous vetting — identity, legal status, physical address. EV certificates historically displayed a green bar with the company name in browsers, though modern browsers have moved away from this visual distinction. Still used by major financial institutions for brand signaling.
For most domains, DV certificates (especially from Let's Encrypt) provide adequate security at no cost. OV or EV may be worth considering for high-trust financial or institutional sites.
## Wildcard and Multi-Domain Certificates
A **wildcard certificate** (e.g., `*.yourcompany.com`) covers all subdomains one label deep under your domain, such as `www`, `mail`, `app` and `api`, with a single certificate. Two limits matter in practice: it does not cover the bare domain `yourcompany.com` or deeper names such as `dev.app.yourcompany.com` (those need their own entries), and every server that terminates TLS for any of the subdomains must hold the same private key, so a compromise of one host exposes all of them. Useful for complex deployments where the key can be kept in one place.
A **multi-domain (SAN) certificate** lists several distinct names in its Subject Alternative Name extension, so one certificate can cover, say, `yourcompany.com`, `www.yourcompany.com` and `yourcompany.net`, which can be efficient for managing multiple related domains. Modern browsers match only SAN entries and ignore the Common Name, so every current certificate is technically a SAN certificate; the term just means one carrying more than one name.
## HTTPS Best Practices for Domain Owners
### Enable HTTPS on All Domains and Subdomains
Any page that accepts user input — login, registration, checkout, contact forms — must be served over HTTPS. But best practice is HTTPS everywhere, including static marketing pages: a plain-HTTP page can be modified in transit (the link to your login page rewritten, a script injected), browsers label HTTP pages "Not secure", and mixed-content warnings and redirects from HTTP erode user trust.
### Enforce HTTPS with HSTS
HTTP Strict Transport Security (HSTS) is a response header, sent over HTTPS, that instructs browsers to connect to your site over HTTPS only for a specified duration. Once a browser has seen it, it rewrites `http://` URLs for your site to `https://` before sending anything, and it refuses to let the user click through certificate errors. This defeats downgrade attacks in which an attacker intercepts the initial HTTP connection before the redirect to HTTPS occurs. The protection is trust-on-first-use: it only applies after the browser has seen the header once, which is the gap the preload list closes.
```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
- `max-age=31536000` — One year.
- `includeSubDomains` — Applies to all subdomains.
- `preload` — Signals consent to inclusion in browser HSTS preload lists, which hardcode the HTTPS requirement in the browser before any connection is made. The token does nothing by itself; submission is a separate step.
Submit your domain to the HSTS preload list at hstspreload.org once you are confident in your HTTPS configuration. Submission requires at least `max-age=31536000`, `includeSubDomains` and `preload` on the base domain, a valid certificate, and an HTTP-to-HTTPS redirect on the same host. Treat it as close to permanent: removal propagates over browser release cycles, not hours, and `includeSubDomains` covers every subdomain, including internal or test hosts that still speak plain HTTP, so inventory those before you submit.
### Use CAA Records to Restrict Certificate Issuance
A **Certification Authority Authorization (CAA)** DNS record specifies which CAs are permitted to issue certificates for your domain. CAs are required to check it at issuance time (a CA/Browser Forum Baseline Requirement since September 2017), so a CA you have not listed must refuse a request for your domain even if the requester passes its domain-validation checks. Two caveats: browsers never consult CAA, and it does not stop an attacker who can pass the *listed* CA's validation, for instance by hijacking your DNS. What it does is narrow the set of CAs whose mistakes or compromises can produce a certificate for your name.
Example CAA record:
```
yourcompany.com. CAA 0 issue "letsencrypt.org"
yourcompany.com. CAA 0 issuewild "letsencrypt.org"
yourcompany.com. CAA 0 iodef "mailto:[email protected]"
```
- `issue` — Permits the named CA to issue certificates for the domain. Use one record per permitted CA; `issue ";"` forbids issuance by anyone. If no `issuewild` record is present, `issue` governs wildcard requests as well.
- `issuewild` — Permits the named CA to issue wildcard certificates; when present, it replaces `issue` for wildcard requests.
- `iodef` — A `mailto:` or `https:` URL to which a CA that supports reporting sends notices of requests the policy rejected.
Add CAA records via your DNS provider. Records are inherited downward: a CA checking `www.yourcompany.com` finds no CAA records there, climbs to `yourcompany.com` and applies the records it finds, so a single set at the apex covers every subdomain unless a subdomain publishes its own. Check using DNS Record Helper.
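To see how a CA interprets these records, here is an added example (not code from the page or from any CA) that applies the RFC 8659 decision procedure to a constructed zone: climb from the requested name to the nearest ancestor with CAA records, let `issuewild` override `issue` for wildcard requests, treat `issue ";"` as "nobody", and refuse when an unrecognised tag carries the critical flag. The zone contents, the `yourcompany.com` names and the CA identifiers are illustrative only.

```python
"""Evaluate CAA policy the way an issuing CA does (RFC 8659).
Added example, not from the page; the zone below is constructed."""
from dataclasses import dataclass
from typing import Dict, List

CRITICAL = 128  # the "issuer critical" flag bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # case-insensitive
    value: str  # 'letsencrypt.org', 'ca.example; validationmethods=dns-01', or ';'


# Constructed zone: name -> CAA RRset. Names absent from the dict have no CAA records.
ZONE: Dict[str, List[CAA]] = {
    "yourcompany.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "digicert.com"),
        CAA(0, "iodef", "mailto:caa-reports@yourcompany.com"),  # constructed address
    ],
    "legacy.yourcompany.com": [CAA(0, "issue", ";")],          # nobody may issue here
    "lab.yourcompany.com": [CAA(CRITICAL, "futuretag", "x")],  # critical tag we don't know
}


def relevant_rrset(name: str, zone: Dict[str, List[CAA]]) -> List[CAA]:
    """RFC 8659 section 3: the CAA RRset at the name if it is non-empty,
    otherwise the first non-empty RRset found while climbing to each parent.
    A wildcard name '*.x' is tried literally first, then 'x'."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name part of an issue/issuewild value, before any
    ';'-separated parameters. Empty string means 'no CA at all'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Would a CA identified by `ca` be allowed to issue for `name`?"""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised tag with the critical flag set forbids issuance outright.
    if any(rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS for rr in rrset):
        return False
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    wildcard = name.startswith("*.")
    # issuewild applies only to wildcard requests and, when present, replaces issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # RRset exists (e.g. only iodef) but expresses no issuance restriction
    return ca.lower() in {issuer_domain(rr.value) for rr in governing}


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.yourcompany.com"),
                     ("digicert.com", "www.yourcompany.com"),
                     ("digicert.com", "*.yourcompany.com"),
                     ("letsencrypt.org", "legacy.yourcompany.com")]:
        print(f"{ca:16} -> {name:28} {'allowed' if may_issue(ca, name) else 'refused'}")
```

To run it against your real records, fetch them with `dig yourcompany.com CAA +short` and load them into `ZONE`. Note the asymmetry the sample exposes: with the apex records above, `letsencrypt.org` may issue `www.yourcompany.com` but not `*.yourcompany.com`, because the `issuewild` record takes over for wildcard requests.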
### Monitor Certificate Expiry
An expired certificate produces a browser security warning that almost all users will not click through, and that users cannot click through at all on an HSTS-protected site; API clients and mobile apps simply fail. Expiry effectively takes your site offline. Set up monitoring for certificate expiry:
- Enable **auto-renewal** if using Let's Encrypt (certificates are valid for 90 days; certbot or your hosting provider renews them automatically, typically 30 days before expiry). Still monitor the result: renewals fail quietly when a DNS record changes, a firewall blocks the validation request, or a rate limit is hit.
- For purchased certificates, set calendar reminders 60 days before expiry. Publicly trusted certificates are capped at 398 days, so a renewal comes around at least yearly.
- Use an uptime monitoring service that alerts on certificate expiry.
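Here is an added example of the check such a monitor performs, written for this page rather than taken from any monitoring product. `fetch_peer_cert` opens a TLS connection with Python's default verifying context (so an already-expired or mismatched certificate raises there instead of being reported as "days remaining"), and `check` computes the time left from the `notAfter` field in the dictionary `ssl.getpeercert()` returns. The sample certificate dictionary, the hostnames and the 30-day threshold are this example's own choices.

```python
"""Check how long a server's leaf certificate has left. Added example, not
from the page. fetch_peer_cert() talks to the network; the other functions are
pure so they can be exercised on the constructed sample below."""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

WARN_DAYS = 30  # alert threshold; Let's Encrypt renews at about this point


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return the validated leaf certificate as ssl.getpeercert() presents it.
    The default context verifies chain and hostname, so an expired or
    mismatched certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def gmt_seconds(cert_time: str) -> float:
    """Epoch seconds for a time in getpeercert() format, e.g. 'Jun  1 00:00:00 2025 GMT'."""
    return float(ssl.cert_time_to_seconds(cert_time))


def days_remaining(cert: dict, now: Optional[float] = None) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (gmt_seconds(cert["notAfter"]) - now) / 86400


def check(cert: dict, now: Optional[float] = None, warn_days: int = WARN_DAYS) -> Tuple[str, float]:
    """Classify the certificate as 'ok', 'warn' or 'expired' with days remaining."""
    days = days_remaining(cert, now)
    if days < 0:
        return "expired", days
    if days < warn_days:
        return "warn", days
    return "ok", days


# Constructed sample in getpeercert() shape (not a real certificate): a 90-day
# certificate covering the apex and www.
SAMPLE_CERT = {
    "subject": ((("commonName", "yourcompany.com"),),),
    "subjectAltName": (("DNS", "yourcompany.com"), ("DNS", "www.yourcompany.com")),
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "May 30 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    # Usage: python check_expiry.py [hostname]; without a hostname the sample is used.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    status, days = check(cert)
    print(f"{status}: {days:.1f} days remaining (notAfter={cert['notAfter']})")
```

Run it against every hostname you serve, not just the apex: a server can present different certificates per SNI name, and a wildcard certificate on `www` says nothing about the certificate behind `api`.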
### Certificate Transparency Monitoring
Browsers require publicly trusted certificates to be logged in **Certificate Transparency (CT)** logs, public append-only ledgers, before they will accept them, so every certificate a CA issues for your domain becomes visible to you as well. Search services such as crt.sh let you query the logs for certificates issued to your domain (a query of `%.yourcompany.com` returns all subdomains) or to look-alike domains. Unexpected certificates may indicate an unauthorized issuance, a team provisioning certificates outside your process, or phishing infrastructure targeting your brand.
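A minimal CT monitor is a query followed by a comparison against what you expect. The following added example (written for this page, not crt.sh's own code or any vendor's) fetches crt.sh's JSON results for a domain and flags certificates whose issuer is not one of your CAs or that name a host missing from your inventory, matching an inventoried wildcard against exactly one label as a wildcard certificate would. The sample records are constructed in crt.sh's JSON shape, and the issuer strings, hostnames and inventory are illustrative.

```python
"""Triage Certificate Transparency search results for a domain. Added example,
not from the page. fetch_crtsh() goes to the network; triage() is pure and is
exercised on the constructed sample below."""
import json
import urllib.request
from typing import Iterable, List, Tuple


def fetch_crtsh(domain: str) -> list:
    """crt.sh JSON search for the domain and every subdomain ('%' is the SQL wildcard)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def matches(name: str, known: str) -> bool:
    """Is a certificate name covered by an inventoried name? An inventoried
    wildcard covers exactly one extra label, like a wildcard certificate."""
    name, known = name.lower(), known.lower()
    if known.startswith("*."):
        suffix = known[1:]  # ".yourcompany.com"
        return name.endswith(suffix) and "." not in name[: -len(suffix)]
    return name == known


def triage(results: Iterable[dict], expected_issuers: Iterable[str],
           inventory: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (crt.sh id, reason) for every certificate that needs a look:
    an issuer not in expected_issuers, or a name not covered by inventory."""
    inventory = list(inventory)
    expected = [e.lower() for e in expected_issuers]
    findings = []
    for r in results:
        if not any(e in r["issuer_name"].lower() for e in expected):
            findings.append((r["id"], f"unexpected issuer: {r['issuer_name']}"))
        names = {n.strip().lower() for n in r["name_value"].split("\n") if n.strip()}
        unknown = sorted(n for n in names if not any(matches(n, k) for k in inventory))
        if unknown:
            findings.append((r["id"], f"names not in inventory: {', '.join(unknown)}"))
    return findings


# Constructed records in crt.sh's JSON shape (ids, issuers and names are made up).
SAMPLE = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "yourcompany.com",
     "name_value": "yourcompany.com\nwww.yourcompany.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "api.yourcompany.com",
     "name_value": "api.yourcompany.com"},
    {"id": 3, "issuer_name": "C=US, O=Example CA Inc, CN=Example Issuing CA 2",
     "common_name": "vpn.yourcompany.com", "name_value": "vpn.yourcompany.com"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "staging.app.yourcompany.com", "name_value": "staging.app.yourcompany.com"},
]
EXPECTED_ISSUERS = ("O=Let's Encrypt",)
INVENTORY = ("yourcompany.com", "www.yourcompany.com", "*.yourcompany.com")


def triage_sample() -> List[Tuple[int, str]]:
    return triage(SAMPLE, EXPECTED_ISSUERS, INVENTORY)


if __name__ == "__main__":
    import sys
    results = fetch_crtsh(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for cert_id, reason in triage(results, EXPECTED_ISSUERS, INVENTORY):
        print(f"https://crt.sh/?id={cert_id}: {reason}")
```

In the sample, id 3 is flagged because an unlisted CA issued it, and id 4 because `staging.app.yourcompany.com` is two labels below the apex and so outside the inventoried wildcard; ids 1 and 2 are expected. Look-alike domains (`yourcompany-login.com` and the like) need a separate query per candidate name, since crt.sh matches on the name in the certificate, not on similarity.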
## DNSSEC and SSL/TLS Together
DNSSEC and SSL/TLS address different threats and complement each other:
- **DNSSEC** protects the DNS lookup: the answer to a query for your domain's IP address carries signatures from your zone, so a validating resolver detects any tampering in transit.
- **SSL/TLS** protects the connection to that IP address: traffic is encrypted, and the server proves with a CA-issued certificate that it holds the private key for your domain name.
The two interact. An attacker who can poison DNS responses without DNSSEC can redirect visitors to a server they control, but TLS still stops them unless they also hold a certificate valid for your domain name, since a certificate for the attacker's own name fails the browser's hostname check. That second hurdle is lower than it looks: domain validation itself runs over DNS and HTTP, so an attacker who can spoof the answers the CA sees during validation can pass DV and obtain a certificate for your name from a CA you never chose. DNSSEC removes the redirect and, at CAs that validate DNSSEC, protects the lookup made during validation; CAA limits which CAs can be fooled; SSL/TLS prevents eavesdropping on the legitimate connection.
Use both. See DNSSEC: Why You Should Enable It and Domain Security Checklist to confirm your configuration.