By this point you surely have noticed the little padlock that appears next to a website’s address bar when browsing the web – and perhaps even gotten a security warning when that’s not configured correctly. What does it mean, why should you want it and how can you get it on your own website?
This padlock guarantees two things. First, it ensures that any content you send or receive is not visible to anyone but you and the server. Second, it reassures you that the information you’re receiving is actually coming from the correct server (in this case liquidweb.com) and not from someone else pretending to be them. Both of these are accomplished with the help of an SSL certificate.
But what even is SSL?
When the internet was originally designed, all data that crossed the network was readable to the devices it passed through, in the same way as a paper note travels hands across a classroom. Each of the messengers could read – or even worse, modify – any messages in transit. SSL (Secure Sockets Layer) is a technology designed around 25 years ago to encrypt web traffic to prevent any eavesdroppers from reading or changing it.
You may also see the term TLS, or Transport Layer Security, which is a newly-designed protocol that serves the same purpose; but fixes some critical flaws with the SSL protocol. While TLS is the most up-to-date option, the term SSL is still used today since the TLS protocol uses the same certificates as SSL.
Going a bit deeper into the theory
A valid SSL certificate is composed of three parts:
- Information about the website you’re visiting.
- A public key from the server, which is used to encrypt the traffic
- A signature from a Certificate Authority, which ensures that the certificate is legitimate.
The first part is pretty basic – it simply says the domain name and organization that the SSL certificate is issued in behalf to. Things get more interesting when we get to the public key.
A public key is a string of numbers that can be used to scramble a message, in such a way that it can only be unscrambled by the person who has the corresponding private key. It helps to think of the public key as a padlock, and the private key as the actual key to this padlock – by sending the padlock to all visitors, they can use it to encrypt their data in such a way that only the server, which owns the key to that padlock, can read it.
In modern SSL implementations, the very first thing a visitor does when receiving this public key is encrypting a session key generated by the browser, which works the other way around – once the server has this session key (which was sent securely using the public key from the SSL certificate), they can use it to reply back to the visitor with messages that only the visitor can read.
Image source: https://www.internetum.com/en/what-is-ssl-certificate-and-how-it-works/
With only the website information and the public key, we wouldn’t have a full SSL certificate, but what’s known as a Certificate Signing Request, or CSR. To actually have a valid SSL certificate, and guarantee visitors that they’re talking to the right server, a signature from a Certificate Authority is needed.
You can think of a cryptographic signature as the opposite of encryption, where the padlock used to encrypt data is kept secret, while the key to decrypt it is shared widely. This means that when the public key from the Certificate Authority successfully “decrypts” a message’s signature, we know for sure that this signature cprivate key held by the Certificate Authority.
A Certificate Authority’s job is to check that you actually own the domain before issuing the certificate, usually by asking you to place some piece of information on the site so they can see you have control over it. Once they’re confident you’re the right person, they bundle the certificate information with their digital signature to create the final SSL certificate. This also means that an SSL certificate can only be issued for a domain that’s active.
Of course, if you’re just testing a site on your end, you don’t need to go through the work of contacting a Certificate Authority – a self-signed certificate works just fine for personal use.
“Self-signed” means that instead of having a globally-recognized authority sign the certificate, the server adds its own signature to it. A self-signed certificate will still encrypt the connection (so it’s not readable to any eavesdroppers), but it cannot guarantee that you’re talking to the person who actually owns the domain, so you will receive a security warning on your browser – in a sense, it’s as if the server was saying “just trust me”. If you have verified that you’re talking to the correct server (for example, by checking the IP address), it’s safe to bypass this warning.
The practice
We’ve already mentioned that using SSL/TLS makes your site private and secure, but what we haven’t mentioned yet is that it only takes just a few minutes to get all these benefits.
If you have a managed control panel or hosting solution, you can usually get a free SSL certificate completely set up by contacting your hosting provider. Otherwise, it’s not very difficult to issue one manually.
The exact methods to order an SSL certificate vary depending on what hosting and SSL provider you choose, but there’s three general steps:
- Generating a Certificate Signing Request, or CSR. This CSR includes information about the website and your organization, which will be displayed to visitors of the website when using the final certificate. This is what you’ll see when clicking on the padlock icon, and then viewing the certificate details. On this step you’ll also be generating a public key that’s saved in the CSR, and a private key that will be stored in a separate file – make sure to store this private key securely, since it’s required for the installed certificate to function.
- Signing the certificate. This involves taking the CSR to a Certificate Authority, or CSR, which validates that you own the website. Common methods of validation are adding a DNS record, creating a specific file on the website, or running a script on the server that takes care of it.
Some certificate authorities charge a fee for signing your certificate to provide a stricter level of validation, and additional features – this is desirable if, for example, you’re an organization or e-commerce website that needs the extra security, wildcard subdomains or simply a longer-lasting certificate. In most cases you should be fine with the available free options.
- Installing the certificate. Once you have the signed certificate, you simply need to place it along with its private key wherever your web server expects them to be, and then set it up to serve the site over HTTPS.
Even in servers that don’t have a control panel, there’s options to automate the issuing of free certificates – Certbot, by the EFF is a very popular option for use with Let’s Encrypt certificates, since it carries out all three steps of the process in one go.
If you already have a website and are not yet using SSL yet, you’re missing out – contact us and we’ll help you get up and running with one in no time, or point you in the right direction if you need a particular setup.
If you don’t have a website, start one in minutes with StoreBuilder. Built on a platform trusted by experts, StoreBuilder by Nexcess allows you to reap all the benefits of our Managed WordPress and WooCommerce without the complexity. No coding experience? No problem. There’s no reason to start from scratch or feel overwhelmed by a blank screen. Just answer a few questions, and in minutes, you’ll have your own online store with an intuitive, easy-to-navigate homepage that’s optimized to convert your visitors to customers. Check it out!