If you are a website owner, your hosting provider has probably attempted to upsell you on securing your site. They likely use terms like SSL, SSL Certificate, HTTPS, but why do you need one of these?
As a website owner you should always use a secure connection as one of the most necessary security features for an ecommerce site. Maybe you don’t do any ecommerce on your site, so an SSL isn’t necessary, right? Technically, yes; however, there are now some real disadvantages for not implementing a secure website.
It was announced back in 2014 that Google was going to start giving better SEO ratings to secure websites and now they will take the next step in the Chrome browser to persuade websites to go secure. Starting at the end of January 2017, Chrome will now label non-HTTPS sites as “Not Secure”. As the article states, this may cause visitors confusion and general distrust of your site and it’s only the beginning. Google plans to go even further to isolate “non-secure” sites in the future, and when Google does something, others follow.
So what does it mean to secure a website, how does it work, and how do you do it? Securing a site means protecting the information between the visitors’ web browsers and your website. How do you do this or are you doing this already? If the address of your site to the outside world starts with “https://” and, depending on the browser, you see a green padlock (or no red X) in the address bar, your site already uses secure connections. If access to your site starts with “http://” (missing the “s”) or there is no padlock in the address bar, the connection is not secure and could potentially be snooped by hackers. Establishing HTTPS (secure site) requires purchasing a digital certificate from a trusted provider like a dedicated digital certificate firm or from your hosting provider that partners with one (this is what they are trying to sell you). This is commonly called a SSL (Secure Socket Layer) certificate and once implemented correctly, your site is protected by SSL/HTTPS.
That’s all great, but what are you buying? What does it actually do? What exactly are you getting? SSL/HTTPS or securing a website and its connection comes through cryptography or specifically, encryption. Encryption is a mechanism to scramble information so that only the right people or machines can actually read it. If you look it up, almost every book or article about encryption uses the imaginary actors Alice and Bob to explain how encryption works. Not sure where they originated from, but I will explain it without cryptos two favorite imaginary people in the steps describing the graphic below, and try not to geek out too much:
- The first thing that happens is someone navigates to the website from a browser or clicking a search result link. This could be from a standard PC/Mac or from a tablet or smartphone—doesn’t matter, the process is the same. Many secure sites allow you to navigate (type address in browser address bar) to an unsecure (http) site address, but then automatically redirect to the secure (https) site. This is usually automatic and just makes it easier for visitors. Try it with Google: type in http://www.google.com and see where you actually end up.
- The website responds to the browser with its SSL Certificate. This is what you actually buy from a hosting provider or digital certificate provider. A SSL certificate supports two major pieces of information: first it proves your site is who it says it is since a trusted higher level authority (certificate provider) has vetted and vouches for you. (There is a variation called self-signed certificates where this is not the case, but this is not as common on the internet anymore with current advancements and availability by certificate providers.) The browser will verify a website once it receives the certificate from the site to make sure it trusts it. Secondly, with the certificate, the website gets two keys, a public key and a private key, that are tied to the certificate. Anyone can have the public key, but only the website has the private key, and that is very important. The two different keys make something called asymmetric encryption possible. The core fundamental of asymmetric encryption is that anyone can encrypt (lock) information with a public key, but the information can only be decrypted (unlocked) with the private key, which only the web site or destination possesses.
- After the client has verified and trusts the site’s identity, it generates a new, random symmetric key and encrypts (locks) it with the website’s public key. Symmetric keys are yet another type of encryption key that are much faster and efficient for computers to use, but must be known (shared) by both sides, unlike public and private keys. By encrypting this new key with the website’s public key, it is guaranteed that only the website can decrypt (unlock) it so the website and the browser are the only ones who know what it is.
- The website then uses the new key to encrypt the website data and sends it to the browser who also has the key since it was the one that created it. This key then creates a secure pathway that encrypts any back and forth communication between the browser and the website across the Internet.
With the understanding of what SSL and encryption are and how they work, now the question is how do you implement it? This varies from website to website. As stated in the beginning, some hosting providers offer securing a site as a simple add-on service and can be set up simply with a couple of mouse clicks (and a credit card). Other ways require purchasing a digital certificate from a trusted provider like a dedicated digital certificate firm separately, and then manually installing and configuring the website to use HTTPS/SSL with the new certificate. This is the more complicated scenario.
Regardless of your situation, aJuxt can help you choose and execute the right solution for you and your website, so you can avoid distrust or confusing your visitors.
Written by Seth Hellbusch — Site Security Specialist