It pays to be secure - the rise of SSL and HTTPS
By Nick Harding - Web Developer.
In this modern world of the Internet, it can feel like everyone is out to get your details, be it hackers, phishing emails or rogue websites. This is why ensuring your personal data is safe online has never been so important.
One large aspect of keeping the Internet safe is ensuring that web pages are secure when transferring data between your device and the host server, because that data passes across multiple networks and machines that neither you nor the site controls before it reaches its destination.
As developers, the way we achieve this is with Secure Sockets Layer, better known as SSL (strictly speaking, modern browsers and servers use its successor, Transport Layer Security or TLS, but the name SSL has stuck). Using SSL/TLS ensures that data sent between the browser and the server is encrypted and integrity-protected, so anyone who intercepts it on the way can neither read it nor alter it without being detected.
The Enigma of encryption
Think back to World War II and one of its most famous pieces of equipment, the fabled Enigma machine. Enigma was actually invented before the war by the German engineer Arthur Scherbius, who patented it in 1918 and from 1923 marketed it for commercial communications. It scrambled a message using a set of notched wheels (rotors), three in most models and four in the later naval version, each wired to substitute one letter for another and stepping on after every keypress. The operator set the wheels to an agreed starting position (the key) and typed the message normally; the letters that lit up were gobbledygook. This encrypted message was sent to its destination, where it was typed into another Enigma machine set to the same key, which reversed the scrambling and recovered the original text. Without the key, an intercepted message was meant to be useless. In the end the Allies read Enigma traffic at Bletchley Park anyway, largely by exploiting weaknesses in how keys were chosen and reused rather than by trying every key, and that lesson, that key management matters as much as the cipher, still applies.
In cryptography this is usually explained with the characters Alice and Bob. If Alice and Bob want to talk privately over a public channel, they agree a secret key in advance and use it to encrypt their messages before sending them, safe in the knowledge that only someone holding the key can decrypt them. This is symmetric encryption: the same key locks and unlocks. The catch is agreeing that key in the first place when the only channel available is the public one, which is exactly the situation a browser and a web server are in.
SSL/TLS builds on that idea with far stronger algorithms and, of course, at machine speed, and it solves the key-agreement problem too. In simple terms, the server holds a certificate, issued by a certificate authority (CA) that browsers trust, which ties the server's public key to its domain name and so vouches that the site is genuine. When you open a secure website, the browser receives that certificate during the initial handshake, checks the CA's signature on it, checks that it has not expired and that the domain name matches the one in the address bar, and then uses the certificate's public key (or a key exchange authenticated by it) to agree a fresh, random session key with the server. Only then does the page content flow, encrypted and integrity-protected with that session key in both directions. The certificate's key never decrypts the pages itself; it authenticates the server and protects the exchange that produces the session key, which is what makes it safe to set up a shared secret over a public network.
All this happens in the blink of an eye, and the only difference you see is a small padlock in the browser address bar and an address that starts https:// rather than http://. The padlock means the connection is encrypted and the server's identity was checked against its certificate; it does not mean the site itself is trustworthy, and a phishing site can present a perfectly valid certificate for its own name.
Setting up SSL
Setting up SSL is fairly straightforward and there are various providers you can use, such as:
It is important to obtain a certificate with a 2048-bit RSA key, as this is now the industry minimum: 1024-bit keys are no longer considered strong enough, and public CAs stopped issuing certificates for them at the end of 2013. The key is generated on your side when you create the CSR, not by the provider, so make sure you generate a 2048-bit key at that step. Any new certificate should be 2048-bit, but if you have a certificate purchased before January 2014 it may still be 1024-bit and you may need to migrate to a new key and certificate.
When setting up a certificate the process is as follows:
- Generate a private key and, from it, a Certificate Signing Request (CSR)
- Purchase a certificate with your chosen provider
- Install the certificate, together with the provider's intermediate certificate chain, on your server alongside the private key
It is important to consider the domain(s) and subdomain(s) you need your certificate to be valid for: browsers check the host name in the address bar against the names listed in the certificate (its Subject Alternative Name list). Often a single-domain certificate will be sufficient, but you should be aware of some potential pitfalls. For example, if your website can be accessed at both yourdomain.com and www.yourdomain.com then your certificate will need to list both names, or visitors to the other one get a dreaded certificate validation error, a sure way to scare them away!
The guys in our digital marketing department wouldn't recommend allowing your website to be accessible via two URLs as above, as this leads to duplicate content issues, but even if you put a 301 redirect on yourdomain.com to www.yourdomain.com your certificate will still need to be valid for both, because the certificate is validated when the encrypted connection is set up, before the server gets any chance to send the 301. Some certificates, such as GeoTrust's QuickSSL Premium, cover both www and non-www (be sure to request the www name, as it only works this way round), but otherwise you may need to purchase two certificates, a multi-domain (SAN) certificate listing both names, or a wildcard certificate (*.yourdomain.com) that covers any subdomain. Note that a wildcard on its own does not match the bare yourdomain.com, so check that the provider adds the bare name to a wildcard certificate as well (most do).
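The three steps above and the www/non-www pitfall, run end to end as an added example (this is not code from the original article or from any provider named in it). It uses the openssl command line: a 2048-bit key and a CSR whose Subject Alternative Name lists both names, a throwaway local CA standing in for the commercial provider so that it works offline, and then the same checks a browser makes (chain and host name) against the good certificate and against a CN-only certificate that misses www. The host names yourdomain.com and www.yourdomain.com are the article's placeholders; the file and section names are my own.

```shell
#!/bin/sh
# Added example, not code from the original article. It runs the three steps
# above locally with the openssl CLI, using a throwaway self-signed CA as a
# stand-in for the commercial provider so that everything works offline, and
# then performs the checks a browser performs. yourdomain.com and
# www.yourdomain.com are the article's placeholder names.
set -eu

# Skip rather than fail on a machine without the openssl CLI.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to demonstrate" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# One config file serves three purposes: the CSR's subject, the SAN extension
# that lists BOTH host names, and the CA:TRUE extension for the local test CA.
write_config() {
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = yourdomain.com
[v3_req]
subjectAltName = DNS:yourdomain.com, DNS:www.yourdomain.com
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Step 1: a fresh 2048-bit RSA private key and the CSR that goes to the
# provider. The key never leaves this machine; only the CSR is sent.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/san.cnf" \
    -reqexts v3_req -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
}

# Step 2 (stand-in): a local test CA signs the CSR. A real provider does the
# same after checking that you control the domains named in the request.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Local Test CA" -config "$WORK/san.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# $1 = CSR, $2 = output certificate, $3 = extensions section to apply ("" for none).
# openssl x509 -req does not copy the CSR's extensions by default, hence -extfile.
sign_csr() {
  if [ -n "$3" ]; then
    openssl x509 -req -sha256 -days 30 -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -extfile "$WORK/san.cnf" -extensions "$3" -out "$2" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 30 -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -out "$2" 2>/dev/null
  fi
}

# Step 3 check, before installing: does the chain verify against the CA and is
# the certificate valid for this host name? Exit status 0 means yes. This is
# the test a browser applies before any HTTP request or 301 redirect is sent.
cert_covers() {   # $1 = certificate, $2 = host name
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Key size recorded in the certificate, e.g. 2048.
key_bits() {      # $1 = certificate
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

build_all() {
  write_config
  make_key_and_csr
  make_test_ca
  sign_csr "$WORK/site.csr" "$WORK/site.pem" v3_req
  # The pitfall from the text: a certificate with only CN=yourdomain.com and no
  # SAN list, issued for the same key. Modern browsers ignore the CN entirely;
  # openssl verify still falls back to it when no SAN is present, but the www
  # name is not covered either way.
  openssl req -new -key "$WORK/site.key" -config "$WORK/san.cnf" \
    -out "$WORK/cn-only.csr" 2>/dev/null
  sign_csr "$WORK/cn-only.csr" "$WORK/cn-only.pem" ""
}

build_all
echo "site.pem key size: $(key_bits "$WORK/site.pem") bits"
for cert in site cn-only; do
  for host in yourdomain.com www.yourdomain.com; do
    if cert_covers "$WORK/$cert.pem" "$host"; then r=valid; else r=INVALID; fi
    echo "$cert.pem for $host: $r"
  done
done
```

Run it as `sh setup-ssl-example.sh`; the last line it prints is the pitfall in one sentence, `cn-only.pem for www.yourdomain.com: INVALID`. For a real purchase you would send `site.csr` to the provider, keep `site.key` private, and install the returned certificate plus the provider's intermediate chain in place of `ca.pem`; the `cert_covers` check is still worth running against that bundle for every name you serve before going live.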
Data is Valuable
Websites and businesses have a responsibility towards their users or customers to protect their data, ensuring that any personal information passed across the Internet is as secure as possible. Having an SSL certificate and securing your website is a way to reassure your clients and to show you care about their data and their online security.
If you needed another reason to make your website secure beyond your customers' online safety, how about improving your SEO (Search Engine Optimisation)? Google announced in August 2014 that serving a site over HTTPS now counts towards its ranking in search results, with secure sites favoured over non-secure ones. This doesn't replace any of the other things you can do for SEO; it's just one more way of gaining Google's favour. Google's main goal is to show relevant, quality results, so it makes sense to favour secure websites over non-secure ones, and although we may not like everything Google do, if they contribute to making the web safer then we're all for it!