Comparing ECC vs RSA SSL certificates — how to choose the best one for your website

If you’ve been working with SSL certificates for a while, you may be familiar with RSA SSL certificates — they’ve been the standard for many years now. But ECC certificates, or elliptic curve cryptography certificates, are a bit of a new player on the block. What’s the difference between ECC vs RSA? Which should you choose? Let’s compare RSA vs ECC certificates…

What is an RSA Certificate?

RSA is one of the earliest public key cryptosystems around, and it’s currently the backbone most SSL certificates operate on. Named after its creators (Ron Rivest, Adi Shamir, and Leonard Adleman), RSA is to this day a solid, secure encryption scheme used across the world by websites.

How it works: RSA is based on calculating very large prime numbers. With a large enough key, RSA is currently unbroken. Most SSL certificates use a 2048-bit private key for RSA certificates.

What is an ECC Certificate?

ECC certificates, based on elliptic curve cryptography, are the newer players on the block. They’ve been in use for around 15 years. They typically require a smaller key size to provide the same level of security — meaning that ECC is more efficient.

How it works: Rather than being based on prime numbers, ECC is based on calculating specific points along an elliptic curve.

ECC vs RSA Certificates: Which Is Best?

So, now for the million-dollar question: Should you use ECC certificates or RSA certificates?

Elliptic curve cryptography offers several benefits over RSA certificates:

• Better security. While RSA is currently unbroken, researchers believe that ECC will withstand future threats better. So, using ECC may give you stronger security in the future.
• Greater efficiency. Using large RSA keys can take a lot of computing power to encrypt and decrypt data, which can slow down your website. ECC, however, can scale up more efficiently without eating up computing resources.
• Perfect forward secrecy. In simple language, this means that session keys (which are actually used to encrypt the data exchanged between the user and the server) remain secure even if the private key is compromised. This can be useful if a website is under surveillance by third parties.

The main drawback to ECC certificates vs RSA certificates is that ECC simply isn’t supported by some web server software. For example, cPanel (the most widely used web hosting control panel) doesn’t include support for ECC certificates. A bummer, right?

However, RSA certificates are still much more common than ECC certificates. Here’s why:

• Incumbent advantage. Many people are accustomed to using RSA certificates — they’ve been doing so for years, so people may not see any reason to switch.
• Strong security. As of yet, RSA remains unbroken, so RSA certificates are a very strong option to choose for your website.
• Wide support. RSA certificates are supported by every popular browser, web server, hosting management platform, and other software out there. Whether you use cPanel, IIS, Apache, or any other software, RSA is supported.

ECC vs RSA: Conclusion

In short, if your website platform supports ECC, use it. On the other hand, if your system only supports RSA, an RSA certificate offers more than sufficient security and performance for any website!