A Beginners Guide to SSL Security – HTTP to HTTPS

This week on the blog we’re answering your questions about SSL – or in simpler terms http:// vs https://. You know, when you’re browsing a site on Chrome and a little exclamation mark pops up in your website address bar letting you know the site is not “Secure”?

What SSL stands for is Secure Sockets Layer. It is a cryptographic protocol that provides secure communications over a computer network. It is an industry standard security technology used by millions of websites in the protection of their online customer privacy.

SSL is a must-have for websites taking online payments and good-to-have for websites collecting personal information via forms. Demand for SSL on every website is increasing: many website owners with forms received Google’s reminder to install an SSL certificate before Chrome 62 was released in October 2017.

[source: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html]

How does it work?

SSL establishes an encrypted link between a web server and a browser, and this link ensures that all data passed between the web server and browsers remains private and integral.

HTTP, the protocol of the web, is unencrypted by default. In other words, unless the connection is encrypted (which is what an SSL certificate enables), any computer between you and the server can see your credit card numbers, personal details, usernames and passwords, and other sensitive information.

Early research efforts towards secure network programming started around 1993 at the dawn of the net. Netscape was first to develop the original SSL protocols with v2.0 publicly released in 1995.

A web server requires an SSL certificate to create an SSL connection, which relies on a pair of cryptographic keys: a Private Key and a Public Key. They are basically long random numbers: data that has been encrypted with the Public Key can be decrypted only with the corresponding Private Key, and vice versa. When an SSL certificate is used, the information becomes unreadable to everyone except the server receiving it. At best, an attacker will be able to see which IP address and port are connected and roughly how much data is being sent.
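To make the key-pair property above concrete (what one key encrypts, only the other decrypts, and the same trick in reverse gives signatures), here is a toy RSA walkthrough. It is an added example, not code from the original post; it uses the tiny textbook primes 61 and 53 so every number is visible, and it is not a usable cryptosystem (no padding, no random primes, a 12-bit modulus). The last function shows why real keys are 2048 bits or more: at this size the private key can be rebuilt from the public one by trial division.

```python
"""Toy RSA illustrating the public/private key property described above.
Added example, not from the original post. Textbook-sized numbers only;
NOT a usable cryptosystem (no padding, no random primes, 12-bit modulus)."""
from math import gcd


def make_keypair(p, q, e=17):
    """Derive (public, private) from two primes p and q.
    Real key generation picks random primes of ~1024 bits each and e=65537;
    here the primes are passed in by hand so the arithmetic stays small."""
    n = p * q                      # the modulus, shared by both keys
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m):
    """Anyone holding the public key can do this; only the private key undoes it."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def sign(private, m):
    """Same operation with the keys swapped: only the private key can produce this..."""
    n, d = private
    return pow(m, d, n)


def verify(public, m, sig):
    """...and anyone holding the public key can check it."""
    n, e = public
    return pow(sig, e, n) == m


def recover_private_key(public):
    """Why key size matters: with a 12-bit modulus the private key falls out of
    trial division instantly. A 2048-bit modulus has no known feasible
    factoring, and that gap is the entire security argument."""
    n, e = public
    p = next(x for x in range(2, n) if n % x == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def demo():
    public, private = make_keypair(61, 53)   # textbook values: n=3233, e=17, d=2753
    m = 65                                   # a "message" small enough to fit under n
    c = encrypt(public, m)                   # 2790
    sig = sign(private, m)
    return {
        "ciphertext": c,
        "roundtrip_ok": decrypt(private, c) == m,
        "signature_ok": verify(public, m, sig),
        "tampered_rejected": not verify(public, m + 1, sig),
        "private_recovered": recover_private_key(public) == private,
    }


if __name__ == "__main__":
    print(demo())
```

In a real TLS handshake the browser uses the server's public key (taken from the certificate) to verify the server's signature and to agree a session key, and the bulk of the traffic is then encrypted with a fast symmetric cipher rather than with RSA directly.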

[Diagram]

SSL certificates are issued to companies or legally accountable individuals. HTTPS (Hypertext Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate: users see https:// at the start of the web address instead of http://. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking the lock symbol in the browser bar. The complexities of the SSL protocol remain invisible to users. Depending on the level of validation the certificate gives the business, a secure connection may be indicated by a padlock icon or a green address bar.

Google Chrome marks HTTP pages as “Not secure” if they have password or credit card fields. Since October 2017, Chrome now shows the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito (private viewing) mode.

Do search engines favour HTTPS?

Google has been at the forefront of advocating SSL for all websites, and since 2014 the search engine has been rewarding secured websites with improved web rankings.

[source: https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html]

The trick here is that the Google search boost for using SSL applies to all sites, whether you collect personal information or not. Therefore, even if your site does not have checkout/login pages, you can still benefit by installing an SSL certificate on your site!

How do I get an SSL certificate?

You can purchase an SSL certificate from a trusted Certification Authority, typically your domain or hosting provider.

Not all SSL certificates and certificate providers are made equal; they vary in security stringency and in cost. Key determining factors include how many hostnames the certificate must cover (a single domain, multiple domains/subdomains, or a wildcard) and whether it is for a financial institution, i.e. a prime target for phishing attacks. Another key consideration is the validity period of the certificate; most standard SSL certificates are issued for one to two years by default, but there may be longer-term options.

Most hosting providers will install and configure SSL for you once you purchase the certificate, so visitors are automatically redirected to the HTTPS version of the site. For WordPress site owners, there are a few plugins to help install SSL. Here at Matter we will manage this process for you to make your website secure via HTTPS.

What is TLS?

Transport Layer Security (TLS) is the successor protocol to SSL v3.0; TLS v1.0 was introduced in 1999. The terms SSL and TLS are often used interchangeably, and the differences between the two protocols are minor and technical. TLS v1.0 was believed to be slightly more secure than its predecessor SSL v3.0. There is a general trend towards deprecating the older protocols in favour of the newer ones.

What is PCI regulatory compliance?

SSL is a key component in PCI compliance. PCI is short for Payment Card Industry; the PCI Security Standards Council (SSC) maintains the PCI Data Security Standard (DSS), which is designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. Launched in 2006, it is administered and managed by the major card brands, including American Express, Discover Financial Services, China UnionPay, Japan Credit Bureau, MasterCard Worldwide and Visa International.

PCI SSC has set June 30th, 2018 as the deadline for disabling early SSL/TLS in order to safeguard payment data. Websites that accept credit cards must support TLS v1.1 or higher to meet PCI DSS after this date.
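The three client-side checks a site owner can run against their own site, covering the points made above: the TLS version the server negotiates (compared with the post's PCI floor of TLS v1.1), the certificate details a browser shows behind the lock symbol (subject, issuer, expiry), and whether the plain http:// address really redirects visitors to https://. This is an added example using only Python's standard library, not code from the original post or from any hosting provider; `shop.example`, `SAMPLE_CERT` and `SAMPLE_NOW` are constructed values so the checking functions can be exercised offline, and the network calls are confined to `inspect_tls`, `http_redirects_to_https` and `main`. The client itself refuses anything below TLS 1.2, since TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996); a server stuck on an older version therefore shows up as a failed handshake rather than a version string.

```python
"""Check a site's HTTPS posture: negotiated TLS version vs the PCI floor,
certificate details/expiry, and whether plain HTTP redirects to HTTPS.
Added example, not from the original post. Network calls only in the
functions marked 'Network' and in main(); everything else runs offline."""
import calendar
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

# Protocol names exactly as SSLSocket.version() reports them, oldest first.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
PCI_FLOOR = "TLSv1.1"                          # the post's stated minimum after 30 June 2018
CLIENT_MIN_VERSION = ssl.TLSVersion.TLSv1_2    # what this client is willing to speak


def meets_pci_floor(version, floor=PCI_FLOOR):
    """True if a negotiated protocol name is at or above the floor; unknown names fail."""
    return PROTOCOL_RANK.get(version, -1) >= PROTOCOL_RANK[floor]


def hardened_client_context():
    """The default context already verifies the chain and hostname and disables
    SSLv2/SSLv3; on top of that we refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = CLIENT_MIN_VERSION
    return ctx


def context_is_hardened(ctx):
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= CLIENT_MIN_VERSION)


def name_field(rdns, key):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested tuples."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def days_until_expiry(cert, now_seconds):
    """Whole days left on the certificate; negative means it has already expired."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_seconds) // 86400)


def is_https_redirect(status, location):
    """A plain-HTTP response counts as 'directed to HTTPS' only if it is a
    redirect whose Location header uses the https scheme."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    return urlsplit(location).scheme == "https"


# --- constructed sample data (not a real certificate) ------------------------
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notAfter": "Jan 01 12:00:00 2030 GMT",
}
SAMPLE_NOW = calendar.timegm((2029, 12, 22, 12, 0, 0))   # 10 days before expiry


def inspect_tls(host, port=443):
    """Network: connect with the hardened context, return (version, cert dict)."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def http_redirects_to_https(host):
    """Network: fetch http://host/ and report whether it sends us to https."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return is_https_redirect(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def main(host):
    try:
        version, cert = inspect_tls(host)
    except ssl.SSLError as exc:   # e.g. server only offers TLS 1.0/1.1, or bad certificate
        print(f"{host}: TLS handshake failed ({exc})")
        return 1
    print(f"{host}: negotiated {version}; PCI floor ({PCI_FLOOR}+) met: {meets_pci_floor(version)}")
    print(f"  subject CN={name_field(cert['subject'], 'commonName')}, "
          f"issuer O={name_field(cert['issuer'], 'organizationName')}, "
          f"expires in {days_until_expiry(cert, time.time())} days")
    print(f"  http://{host}/ redirects to https: {http_redirects_to_https(host)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "shop.example"))  # placeholder host
```

Run it as `python check_https.py yourdomain.example`. The same hardened context can be handed to `imaplib.IMAP4_SSL(host, ssl_context=ctx)` or `smtplib.SMTP_SSL(host, context=ctx)` to apply the identical version floor to the email connections discussed below.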

SSL for email?

Major email providers use SSL encryption by default for standard POP or IMAP connections used to download your email.

If your company is setting up their own email service, the IT team may need to check with their provider that they are also secured by SSL. This will eliminate security problems when sending out mail.

SSL for mobile?

Like websites, mobile applications gain security and trust from SSL certificates. The first step in protecting mobile apps and their users is to choose an appropriate SSL certificate security measure. Given that the mobile app industry is still very young, as a user you should always check the level of security implemented in the app and think twice before rushing into entering personal information.

If you’re looking to make the switch to HTTPS and need some assistance, or if you have any questions about SSL certificates contact us and we’ll be happy to assist.