What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of the HTTP protocol. Whenever you open a webpage like google.com or facebook.com, you make a request to a server. This request is transmitted over HTTP. Between leaving your browser and reaching the server, the request can be intercepted because it travels in clear text. In the early days, data was not that sensitive and hacking was not very advanced, so HTTP was OK to have. In the present world, HTTP needs an upgrade, and the result is HTTPS. The additional S in HTTPS stands for secure. Long story short, it is used to encrypt communication between the end user and the server.
How does HTTPS work?
All HTTPS websites use one of two protocols to encrypt communication between user and server: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both SSL and TLS use an asymmetric public key infrastructure (PKI) system. Yes, I am aware that some readers don’t know about PKI. Basically, two keys are used: a public key and a private key. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.
In the case of websites, the private key remains securely on the web server and the public key is distributed to all users of the website that need the ability to decrypt the information. I really can geek out a lot on public and private keys, but for now that’s enough.
What is an HTTPS certificate?
This is the hero of this story. When a request is made to an HTTPS website, the server sends its certificate to the browser. This certificate contains the public key needed for the secure connection. Based on this initial exchange, your browser and the server start an SSL handshake. This handshake involves the generation of shared secrets to establish a secure connection between your browser and the server.
When a trusted SSL digital certificate is used during an HTTPS connection, the user sees a lock icon in the browser, and when an Extended Validation certificate is used, you see the complete website name in green. Extended Validation SSL certificates are common on banking websites.
What type of attacks does SSL protect against?
SSL or HTTPS encrypts all data as it is transferred to the web server. This means eavesdropping is avoided. So, if anyone is trying to intercept a request, also known as a man-in-the-middle attack, this is usually prevented by the use of HTTPS.
What does HTTPS/SSL not protect you from?
The last letter in HTTPS stands for secure, but this doesn’t mean that your entire website is now secure. HTTPS does nothing against attacks like SQL injection and cross-site scripting. HTTPS has nothing to do with the design of your web application’s logic or how it processes data. HTTPS means you are avoiding man-in-the-middle attacks, and that’s it. You have to take care of the rest of the attacks via other methods.
Does everyone need SSL?
The answer to this question is tricky, and there is no simple YES or NO. SSL is a great thing to have, but it does cost money and adds to the budget of your website. An SSL certificate needs you to have a DEDICATED IP. Not every hosting plan that you have purchased from GoDaddy or HostGator is capable of installing an SSL certificate. So before you buy an SSL certificate, make sure to reach out to your hosting provider and clear things up.
If your website is more like a brochure website, you can avoid having SSL, but if your website handles transactions, then having SSL is a good idea. There are ways to avoid the need for SSL even with transactions: there are payment gateways that can take care of the whole transaction over a secure connection and pass you a token that you can use for further processing and then destroy. But let’s keep it simple for now: payment means get a secure connection.
Also, Google has recently made it clear that websites with HTTPS are going to rank higher and will be given more priority compared to HTTP websites. Browsers are also displaying a “not secure” message for websites not having SSL. Now, I say that it’s good to promote security, but displaying a message like that is not good either. Displaying a message like “encrypted communication” and “regular connection” would have been a better choice.
How to install SSL?
First, you need to have a DEDICATED IP in order to install an SSL certificate on your site. Also, on some hosting, having a plan to park unlimited domains might work, but first be clear with your hosting provider about the acceptance of SSL certificates. Now, this is getting longer, so I will link a PDF that includes step-by-step instructions with screenshots to install an SSL certificate.
How to verify the successful installation of SSL?
Here is a great website link that you can visit and just enter your website name to check that SSL was installed successfully. It usually takes 12-24 hours to reset all things in DNS, but it might be quicker, as it depends on the hosting.
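The same check can be scripted. The Python below is an added example, not part of the original post: fetch_cert() performs the handshake against a live site, and check_cert() looks at the two things that most often go wrong after installation, the hostname not being covered and the validity dates. The function names, the simplified wildcard rule and the SAMPLE_CERT data for example.test are assumptions made up for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with host; the default context rejects untrusted chains."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Match one DNS name from the certificate; '*' covers only the first label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    return p[0] in ("*", h[0])

def check_cert(cert, host, now=None, warn_days=14):
    """Return a list of problems found in a getpeercert()-style dict."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        problems.append("hostname not covered by certificate")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    elif now > not_after:
        problems.append("certificate expired")
    elif not_after - now < warn_days * 86400:
        problems.append(f"certificate expires within {warn_days} days")
    return problems

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    # 1706745600 is 1 Feb 2024 00:00:00 UTC, inside the sample validity window.
    print(check_cert(SAMPLE_CERT, "www.example.test", now=1706745600))
```

Against a real site, call check_cert(fetch_cert("your-domain"), "your-domain"); if the certificate chain is not trusted, fetch_cert() raises ssl.SSLCertVerificationError before any dict is returned.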
I know this was a long post, but this is now a one-stop resource for a reader to know about SSL. Recently, everything has moved to SSL aka HTTPS at learncodeonline.in; check out https://courses.learncodeonline.in/learn