With the web in an uproar over privacy and encryption, the newbie webmaster might get overwhelmed with all the acronyms, technical details and server configurations. Deciphering the content on popular wikis such as Wikipedia just makes it more frustrating when descriptions get too technical. Here is a breakdown of SSL, what it can do for you, why it’s important and some simple steps to get your own website encrypted.
What is SSL?
SSL stands for “Secure Sockets Layer.” Whenever you prefix a domain address with “HTTPS,” you’re sending encrypted communication across the Internet to a web server. SSL encrypts the communication between the website and your browser, which means that any information you pass over the Internet is jumbled in a way that only the recipient can decipher.
Importance of SSL
Understanding the mechanics of SSL is difficult, but it helps to understand why SSL is important and how your Internet communications transfer to a recipient. Once you understand these basic concepts, you’ll understand why SSL is an important part of Internet communication.
When you type a website name into your browser, your browser first does a lookup for the domain’s IP address. Once the IP address is found, the browser makes a request to the server for a connection. The server accepts, and then it sends you the website’s HTML for your browser to display. Let’s say you find a contact form on a website and want to send the owner a message. You type your information into the contact form and the information is packaged according to communication protocols and sent to the server. This is when SSL is important.
Your computer packages all that contact information and directs the package to the web server. However, the information must be routed from your computer to the web server that is likely hundreds or thousands of miles away. Look at the Internet as a bunch of pathways just like a normal traffic system. The packaged information takes a pathway to the web server and stops at each traffic light as it makes a “turn.” The traffic light in this example is a router. Your communication package must stop at several routers before it reaches its destination. What happens if the owner of that router decides to read your information? Since the information you sent to the web server is unencrypted, the router owner could read the data without any limitations. This type of hack is called a man-in-the-middle attack. The router owner reads the information and then passes your data to the web server you’re communicating with. In this type of attack, you don’t know that someone is eavesdropping on your communication.
As the data is sent and the eavesdropper is “listening” to the communication, the information passed back from the web server is also hijacked. Neither the web server nor you have any idea that the data is stolen. If your communication package includes sensitive information such as credit card numbers or social security numbers, the hacker now has your information.
This type of attack can be used against standard Internet activity, email, file transfers, or any type of communication that passes over the Internet without any security.
Encrypting Your Communication
What happens when you encrypt the data? The data still travels in the same way as unencrypted data. However, when you apply SSL, you encrypt the data, which makes it useless to an attacker who reads it. The hacker could try to crack the encryption, but that’s a different topic altogether.
Let’s use the same example, except instead of standard HTTP communication, we’ll assume that the web server requires HTTPS when communicating across the Internet. The information is packaged in the same way, but now the information is encrypted with the web server’s public key.
What is the server’s public key? Public and private keys add another layer of complexity when working with encryption. The server has a public and private key. The public key, as the name suggests, is open to the public. Anyone can encrypt a message with someone’s public key. However, only the web server can decrypt the message with its own private key.
For instance, say you want to send a message to your friend “Paul.” Paul has a public key. You use Paul’s public key to encrypt the message and send it to him. Only Paul can decrypt this message, and he uses his private key to decrypt what was encrypted with his public key. Only Paul knows his private key password, so only he can decrypt it.
The same methodology is used when you communicate with a web server that uses HTTPS. You encrypt the data with the server’s public key, and the web server uses its private key to decrypt it. The hacker from the previous section is still eavesdropping on your communication, but it’s encrypted and unreadable to him.
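The Paul example above, as an added shell example that is not part of the original article: it encrypts a message with Paul's public key and shows that only his private key recovers it. The openssl CLI, RSA with OAEP padding, and the file names are assumptions; the article names no algorithm or tool.

```shell
# Added example (not from the original article): the "Paul" scenario with RSA.
# File names and the message are constructed; RSA-OAEP is an assumed choice.

# Create Paul's key pair plus an unrelated key standing in for the eavesdropper.
make_keys() {            # $1 = working directory
  ( umask 077            # private keys readable by the owner only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/paul.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/eve.key" 2>/dev/null )
  # The public half is what Paul hands out to anyone who wants to write to him.
  openssl pkey -in "$1/paul.key" -pubout -out "$1/paul.pub"
}

# Anyone holding paul.pub can do this; no secret is needed to encrypt.
encrypt_to_paul() {      # $1 = working directory, $2 = message
  printf '%s' "$2" > "$1/msg.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$1/paul.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$1/msg.txt" -out "$1/msg.enc"
}

# Succeeds only with the private key that matches paul.pub.
decrypt_with() {         # $1 = working directory, $2 = private key file
  openssl pkeyutl -decrypt -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep -in "$1/msg.enc" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_keys "$demo_dir"
encrypt_to_paul "$demo_dir" "Meet at noon (constructed message)"
echo "Paul reads: $(decrypt_with "$demo_dir" "$demo_dir/paul.key")"
decrypt_with "$demo_dir" "$demo_dir/eve.key" >/dev/null || echo "Other key: decryption fails"
rm -rf "$demo_dir"
```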
How Do You Get SSL for Your Website?
Interserver offers SSL certificates for $19.95, available for sale inside https://my.interserver.net.
Interserver will also set up your SSL certificate free of charge on your Web hosting, VPS or Dedicated server.
How to Set Up a Certificate
The way you apply and set up a certificate depends on the operating system of your server, your access control on the server itself, and the type of certificate you buy. There are general steps for installing a certificate on your server, so this article will discuss some of the basics.
The first step is to create a CSR (certificate signing request). During this step, the operating system will ask you for several pieces of information, including your organization’s name, your address, the official domain name, and your passkey (remember the public and private key discussed earlier). Ensure that you use the official information you entered when you registered your domain. The certificate authority will verify that this information matches the official WHOIS record, which is the record of information for the owner of the domain.
Some certificate authorities also check the validity of your business. The certificate authority will verify that the business is registered to the person requesting the SSL certificate, because an SSL certificate is supposed to give users peace of mind that they are at the official website for the business.
Once you finish this step, you now have a CSR text file with encrypted information that you just entered. The certificate authority uses this file to generate your SSL certificate. It takes a few days to get your SSL certificate, so give yourself some time if you need to upload a new website with SSL installed.
Once you receive the certificate, you need to install it on your server. This can be done a number of ways depending on your operating system. The certificate authority usually has instructions for the type of operating system you’re using, and the installation is only a few steps similar to generating the CSR. Instructions usually come with the new certificate sent by the certificate authority.
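The CSR step described above, as an added example (not the article's or Interserver's own commands) using the openssl CLI: it creates a key and CSR, prints the subject the certificate authority will see, and compares public keys so you can confirm an issued certificate belongs to your private key before installing it. The domain, organization fields and file names are constructed placeholders.

```shell
# Added example (not from the original article). example.com, the organization
# fields and all file names are constructed placeholders.

# Generate a private key and a CSR for one domain.
make_csr() {             # $1 = output directory, $2 = domain
  ( umask 077            # keep the private key readable by the owner only
    # -nodes skips the key passphrase so this runs unattended; omit it to be prompted.
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1/$2.key" -out "$1/$2.csr" \
      -subj "/C=US/ST=Example State/L=Example City/O=Example Widgets LLC/CN=$2" 2>/dev/null )
}

# Check the CSR's self-signature, then print the subject the CA will see.
csr_subject() {          # $1 = CSR file
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  openssl req -in "$1" -noout -subject
}

# SHA-256 of the public key held in a key, CSR or certificate file.
pubkey_hash() {          # $1 = key|csr|cert, $2 = file
  pem=$(case "$1" in
    (key)  openssl pkey -in "$2" -pubout ;;
    (csr)  openssl req  -in "$2" -noout -pubkey ;;
    (cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null)
  [ -n "$pem" ] || return 1    # unreadable file or unknown kind never "matches"
  printf '%s\n' "$pem" | openssl dgst -sha256
}

# True only when both files carry the same public key.
same_key() {             # $1 = kind, $2 = file, $3 = kind, $4 = file
  a=$(pubkey_hash "$1" "$2") && b=$(pubkey_hash "$3" "$4") && [ "$a" = "$b" ]
}

demo=$(mktemp -d)
make_csr "$demo" example.com
csr_subject "$demo/example.com.csr"
same_key csr "$demo/example.com.csr" key "$demo/example.com.key" && echo "CSR matches key"
rm -rf "$demo"
```

When the certificate authority returns the certificate, running `same_key cert <issued certificate> key <your key file>` should succeed before you install it.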
In summary, it’s important to have encryption installed on your web server, especially if you take any type of credit card information from customers, as is the case with ecommerce stores. While encryption doesn’t guarantee that you’ll never be hacked, it does guarantee that your customers’ data is protected and private.