HTTPS, SSL, EV SSL, TLS, Certificates, Browser Padlock, the Green Padlock — you may have heard these terms used interchangeably or even together, and they all ultimately refer to the same thing. At their simplest, these terms describe the means of providing a secure connection between a user's web browser and a website.
Secure websites use the HTTPS protocol, while non-secure websites use the HTTP protocol. Browsers show the status of a connection in different ways. Below is an example of browsing wikipedia.org securely — you can see a padlock is usually used to denote a secure connection and the HTTPS protocol is shown.
Secure connections were traditionally used only to protect highly confidential transactions like online banking and online shopping order forms. However, they are becoming the norm for even simple websites for reasons of security, privacy and giving the impression of trust and safety. HTTPS has even become a ranking factor for Google, so it can have SEO benefits too.
Accessing a website using a secure connection means the data transmitted is ‘protected’. To understand the protections offered you must understand the basics of how a browser and a website communicate and the problems and threats faced when browsing insecurely.
Image credit: Greg's Cable Map
When you load a webpage in a browser each request travels over several networks, starting at a computer running the browser all the way to a server running the website. You may have a computer in a coffee shop in the UK connecting to a website hosted in the USA. It is over these networks that the connection is vulnerable (when browsing insecurely) because the data is transmitted in the clear. When data is sent in the clear it means anybody that has access to any of the networks can intercept and either read the contents of the data or even modify it.
To protect against eavesdropping, encryption is used to prevent the data being read while in transit, so the only parties who can ‘read’ the data are the sender (browser) and the final destination (website). The data cannot be modified in any way either, which means you can trust the data being sent or received.
When accessing a website, data can travel in either direction. Below are some example actions you might perform on a day to day basis, and the potential issues:
Browser requests data from the website
- Viewing a page, for example http://www.bbc.co.uk/news/uk-37969538
- Why is a secure connection important?
- Personal/Sensitive details could be contained in the page — think personal information, like National Insurance numbers
- Ensures you’re connecting to the right website and not an imposter one
- Ensures that a malicious third party can’t hijack the connection and insert malware
- Prevents censoring of information
Browser sends data to a website
- Logging in – username and password
- Purchasing items — credit card details, address etc
- Registering — disclosing personal/sensitive information
- Why is a secure connection important?
- Passwords should remain secret, as often people use these across multiple services (Stop doing this!). So if someone can read your password while logging in, they could potentially access other services
- Credit card details — this one should be obvious. If somebody obtains your credit card details, they could use them to make purchases
Important Upcoming Browser Changes
Two of the most popular web browsers — Google Chrome and Mozilla Firefox — are changing the way insecure websites are conveyed to users.
The current plan for Firefox is to limit the features available when browsing insecurely.
Chrome is taking this further, initially by showing a warning to the user when browsing an insecure website which has certain functionality on the page, namely pages which ask for passwords or credit card information. However, they eventually plan on a blanket warning while browsing any insecure website:
“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”
Google Chrome will be making these changes in January 2017, so it is important to be prepared!
How do I secure my website?
Securing the connection to a website comes in a few parts:
- The HTTPS request (seen in the URL, e.g. https://www.selesti.com)
- The secure connection (TLS/SSL protocol)
- The digital certificate (Enables the padlock seen in some browsers).
- A digital certificate authenticates the identity of a website. Anyone can make a certificate, but the reason you buy a name brand is because browsers recognise and trust the name brands (Thawte, Symantec, Comodo etc). A no-name SSL certificate will cause a pop-up warning message in a browser for your visitor.
- Certificates expire after a period of time; you can purchase 1, 2 or 3 years at varying costs from different suppliers
- Extended Validation (EV) Certificates offer the highest available levels of trust and authentication for your website.
- Green padlock shown with company name
- Requires extra validation of your company to prove that it exists
Unfortunately, like most technical systems, securing a website is not typically a simple process; it involves several elements and considerations.
Mixed content and how to check for it
Mixed content is an HTTPS page that pulls in scripts, stylesheets, images or frames over plain HTTP, which undermines the secure connection and causes browsers to downgrade or hide the padlock. You can verify that all resources are loaded securely using the online tool here: https://www.jitbit.com/sslcheck/.
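For sites you cannot submit to an online tool, the check is simple enough to run locally. The following is an added example, not code from the original post or from Selesti: it parses an HTML document with Python's standard-library parser, resolves every sub-resource URL against the page URL (so relative and protocol-relative references are correctly treated as secure) and flags anything that would still be fetched over http://. The sample page, hostnames and the split into active/passive content are assumptions for illustration; browsers block active mixed content (scripts, frames, stylesheets) outright and merely warn for passive content (images, media).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource or submit data.
# Plain <a href> links are navigation, not mixed content, so they are not listed.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}

# Active content can run code or read the page; browsers block it outright.
# Passive content (images, media) is loaded, but the padlock is downgraded.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed", "form"}


class MixedContentFinder(HTMLParser):
    """Collects every sub-resource on an HTTPS page that would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # dicts with keys: tag, attribute, url, kind

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value or attr not in URL_ATTRS.get(tag, ()):
                continue
            # srcset holds comma-separated candidates such as "a.jpg 1x, b.jpg 2x".
            if attr == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for candidate in candidates:
                # Relative and protocol-relative ("//cdn/...") URLs inherit the page's
                # scheme, so resolve them first and only flag an explicit http://.
                resolved = urljoin(self.page_url, candidate)
                if urlsplit(resolved).scheme == "http":
                    self.findings.append({
                        "tag": tag,
                        "attribute": attr,
                        "url": resolved,
                        "kind": "active" if tag in ACTIVE_TAGS else "passive",
                    })


def find_mixed_content(page_url, html):
    """Return the list of insecure sub-resources referenced by an HTML document."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (hostnames are placeholders, not a real site) served over HTTPS.
SAMPLE_PAGE_URL = "https://www.example.com/news/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/jquery.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src="/images/hero.jpg" srcset="/images/hero.jpg 1x, http://cdn.example.com/hero@2x.jpg 2x">
<img src="http://tracker.example.net/pixel.gif">
<iframe src="http://video.example.org/embed/1"></iframe>
<form action="http://www.example.com/login" method="post"></form>
<a href="http://www.example.org/other-site">An ordinary link is not mixed content</a>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['kind']:7} <{f['tag']} {f['attribute']}> {f['url']}")
```

Run against the sample it reports five insecure references: the script, the iframe and the form action are active (the browser would block or warn loudly), while the tracking pixel and the 2x srcset candidate are passive. The stylesheet, the protocol-relative logo and the root-relative hero image all resolve to https:// and pass. To check a live page, fetch its HTML and pass the body and URL to find_mixed_content.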
Image credit: How To Geek
SEO / 301 redirects
HTTP and HTTPS are treated as separate sites by search engines, so you must ensure redirects are set up to point to one version of the website. Here’s a great article which explains all of the considerations you should take in a bit more detail: https://www.branded3.com/blog/seo-considerations-moving-http-https/.
Testing the strength of SSLs
SSL certificates come in different ‘strengths’, and the configuration of your server can affect how secure the connection actually is. Using a tool such as https://www.ssllabs.com/ssltest/ you can test your site and ensure it is as secure as possible.
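A first-pass version of that test can be run from the command line, which is useful for internal or staging hosts that cannot be reached by SSL Labs. The following is an added example, not code from the original post or from SSL Labs: it connects with Python's ssl module exactly as a modern browser would (chain verified against the system trust store), reports the negotiated protocol, cipher suite, issuer and days until the certificate expires, and grades the result. The weak-protocol and weak-cipher lists and the 30-day renewal threshold are assumptions chosen for illustration. Note the caveat: a single handshake shows only the best the server negotiates with one modern client, not whether it still accepts old protocols from old clients; SSL Labs probes the whole range.

```python
import socket
import ssl
import time

# Protocol versions and cipher-suite name fragments that modern browsers reject or penalise
# (assumed lists for this example; adjust to your own policy).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ANON")
RENEWAL_WINDOW_DAYS = 30


def days_until_expiry(not_after, now_seconds=None):
    """Days left on a certificate, given the notAfter string ssl.getpeercert() returns."""
    expires = ssl.cert_time_to_seconds(not_after)  # parses 'Jun  1 12:00:00 2025 GMT' as UTC
    now_seconds = time.time() if now_seconds is None else now_seconds
    return int((expires - now_seconds) // 86400)


def grade_connection(protocol, cipher, bits, days_left):
    """Return a list of findings for one negotiated connection; an empty list means nothing to fix."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}; allow TLS 1.2 or newer only")
    if bits < 128:
        findings.append(f"cipher key length {bits} bits is below 128")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}")
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < RENEWAL_WINDOW_DAYS:
        findings.append(f"certificate expires in {days_left} days; renew now")
    return findings


def inspect_tls(host, port=443, timeout=10):
    """Connect as a browser would and report what the server negotiated.

    create_default_context() verifies the certificate chain and hostname, so an
    untrusted or mismatched certificate raises ssl.SSLCertVerificationError here,
    which is the same failure a visitor's browser would show as a warning page.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher, _tls_version, bits = tls.cipher()
            return {
                "protocol": tls.version(),
                "cipher": cipher,
                "bits": bits,
                "issuer": dict(pair[0] for pair in cert["issuer"]),
                "not_after": cert["notAfter"],
                "days_left": days_until_expiry(cert["notAfter"]),
            }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.selesti.com"
    info = inspect_tls(host)
    for key, value in info.items():
        print(f"{key:10} {value}")
    findings = grade_connection(info["protocol"], info["cipher"], info["bits"], info["days_left"])
    print("findings:", findings or "none")
```

Running it as a scheduled job that alerts when days_left drops below the renewal window addresses the expiry problem described later under Option #1; the automated renewal of Option #3 removes it altogether.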
There can be a cost involved in securing a website, and there are many different SSL certificate providers; carry on reading below for the various options.
Option #1 - Certificate Authority
This option involves purchasing a certificate from a certificate authority (See options below) and installing the certificate on the server hosting the website. This means you have to order and pay for the certificate once a year (or so), and go through the administrative process to update the server before the certificate expires. This hassle in itself drives people to just skip SSL and use cleartext.
Option #2 - Cloudflare
Cloudflare is a company that provides free SSL protection along with a content delivery network, Internet security services and distributed domain name server services. Being part of the Cloudflare network protects, speeds up, and improves availability for a website or mobile application with a change in DNS.
This SSL offering is totally free; however, it’s worth noting that although the connection appears encrypted, it is only encrypted between the visitor and Cloudflare. Traffic between Cloudflare and your own server still travels in the clear. The diagram below shows this working:
Image credit: Cloudflare
Selesti also recommends Cloudflare for added security and performance.
Option #3 - Let’s Encrypt
Let’s Encrypt is a free certificate authority that has created automated tools to ease the process of certificate issuance and renewal, as opposed to the manual processes detailed in option #1.
Let’s Encrypt requires full administrator access to the server hosting the website, so may not be suitable for some hosting solutions - shared hosting for example.
Option X - Combo
You can actually use Option #2 and Option #3 together in parallel. This provides the ultimate security benefit, as the connection is then secured the whole way (visitor to Cloudflare, and Cloudflare to your server), and from a cost point of view this solution is free.
This is the Selesti recommended solution.
To wrap up
Having secure websites by default is a critical step toward building a safer, better Internet and should be the norm for 2016. All in-progress and future Selesti projects will be secure by default and we are actively working on enabling secure connections for all of our previous projects as well.
Any questions? Contact us today!