About Secure Certificates (SSL) - Montana Webmaster
What is a secure certificate: the simple version?

“They” say that you should have a secure certificate for your website, but what is a secure certificate? A Google search for SSL or secure certificates can lead a person to various bits of technical information, but it’s difficult to get a clear picture from the bits of information. A recent question to StackOverflow provided a clear purpose for SSL, “The real function of SSL is to protect the data in transit.”

To a website owner, a secure certificate is another service provided by the company that hosts a website. Some companies provide access to a free SSL certificate through Let’s Encrypt. Others limit your options to certificates that carry an additional charge. There are levels of certificates to explore for larger sites with heavy traffic.

How Do I Know Whether My Site Has a Secure Certificate?

Your browser address bar will tell you.

If you use the Firefox browser, this is what the address bar will look like if there is no secure certificate.

If you use the Chrome browser, this is what the address bar will look like when there is no secure certificate on the domain.

Sometimes you will get different results if you re-type the address with https://.
If you don’t have a secure certificate, but type the address with https:// into the address bar, this is what you will see in Firefox.
If you don’t have a secure certificate, but type the address with https:// into the address bar, this is what you will see in Chrome.

What is SSL: the More Complicated Version

The goals of SSL and how it works are two different things. For SSL to work, the dangers to data in transit have to be identified. One problem to solve is sending the information to the wrong people. Like the phone caller who claims to be from the IRS, but is really a scammer, a website may look like a trusted site, but may actually be a fake site with programming to steal your login and other private information. GlobalSign identifies this problem with this description of an SSL function.

“SSL Certificates bind together:

  • A domain name, server name or hostname.
  • An organizational identity (i.e. company name) and location.”

~ https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate/

That same article jumps to telling about encryption, without tying encryption to the description of the first task. So the explanations can be a little confusing. Is SSL a way to be sure that you are on a trusted site or a way to encrypt data moving between your computer and a web server or both? Symantec ties the two functions together somewhat.

“As well as encryption, Certificate Authorities (CAs) can also authenticate the identity of the owner of a website, adding another layer of security. The SSL certificate is then used as proof of the company’s identity.”

~ https://www.websecurity.symantec.com/security-topics/what-is-ssl-tls-https

The history of SSL provides a better overall understanding. And, we find out that SSL has been around for a long time, and with a lot of changes!

“Netscape develops SSL v2, an encryption protocol designed to support the Web as a hot new commerce platform. This first secure protocol version shipped in Netscape Navigator 1.1 in March 1995.”
~ https://en.wikipedia.org/wiki/HTTPS

Setting Up a Secure Certificate

There is a yearly charge for a secure certificate. And your web page addresses will change from http to https. Secure certificates may be issued through your web hosting company, but the SSL system and code itself are actually provided by a third party. That means that your web host has several options as to who they provide your SSL through.

After your certificate is issued, you have to change those addresses on your site. That affects all addresses, even images, scripts, etc. You don’t want to have any http addresses left anywhere. Otherwise, the certificate will show a problem when people load your site.

If your site is a database driven site, such as WordPress, Drupal or Joomla, you can run a script or add software to your site that will change all the addresses. If your site is static, you can run a global search and replace on the files.

I usually use a script called Database Search and Replace Script. It only takes a few minutes to upload the script to the website, run it and then remove it from the website. If you are running software to fix the addresses, be careful not to switch all addresses, but only the ones with http://yourdomain.com. If your site has links to other sites, those addresses might not work with https://.
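For the static-site case, the following is an added example (not the script named above) of a search and replace that switches only the site's own addresses and leaves links to other sites alone. The function names, the file extensions and the sample page are assumptions made for illustration.

```python
import re
from pathlib import Path

def upgrade_own_links(text, domain):
    """Switch http:// to https:// only for `domain` and its www. form."""
    pattern = re.compile(
        r"http://((?:www\.)?" + re.escape(domain) + r")"
        # Stop unless the hostname really ends here: rejects look-alike hosts
        # such as yourdomain.com.other.example and leaves explicit ports alone.
        r"(?![\w:-]|\.\w)",
        re.IGNORECASE,
    )
    return pattern.subn(r"https://\1", text)  # (new_text, replacements)

def upgrade_tree(root, domain, suffixes=(".html", ".htm", ".css", ".js")):
    """Rewrite static files under `root` in place; return {path: count}."""
    changed = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            old = path.read_text(encoding="utf-8")
            new, count = upgrade_own_links(old, domain)
            if count:
                path.write_text(new, encoding="utf-8")
                changed[str(path)] = count
    return changed

# Constructed sample page for a site hosted at yourdomain.com.
SAMPLE = """<img src="http://yourdomain.com/logo.png">
<a href="http://www.yourdomain.com/about">About</a>
<a href="http://partner-site.example/">Partner</a>
<a href="http://yourdomain.com.other.example/">Look-alike host</a>
"""

if __name__ == "__main__":
    fixed, count = upgrade_own_links(SAMPLE, "yourdomain.com")
    print(count, "addresses switched")
    print(fixed)
```

Run `upgrade_tree` on a copy of the site files first, since it rewrites files in place.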


How does a secure certificate work?

Each website with an SSL certificate has a public key and a private key. The public key goes out with the website when someone clicks a link or types an address. The browser uses that key to check the site’s source. The server holds the private key, which it uses to check whether the public key is valid.

I Added a Secure Certificate to My Site but the Certificate Is Broken

Different browsers react differently to the public keys they receive because they all have their own software and security rules. The screenshots are from Firefox.

The Firefox help site describes this specific situation as, “This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.”

Situation 1: “A common situation is when the certificate is actually for a different address for the same site. For example, you may have visited https://example.com, but the certificate is for https://www.example.com. In this case, if you access https://www.example.com directly, you should not receive the warning.”

Situation 2: Links to your images, PDF files or other resources are still coded with addresses that start with http://, instead of https://. That means that when the browser asks for each of those resources, there are no security checks. I generally run into this problem when the steps described in setting up the secure certificate haven’t been followed.

Situation 3: Sometimes a certificate has expired.

Situation 4: If a redirect in the .htaccess file is sending the address to http, especially if it’s for a resource that is not a page address, the code will still show the https:// address, but the actual address for that item will be http://. Because the resource is part of a page, or linked from a page in the case of a PDF file, you may only find the problem through a scan of the .htaccess file.
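Situations 2 and 4 can be checked with a short script. This is an added example, not code from the original page: it lists http:// addresses left in a page and redirect rules in an .htaccess file that point at http://. The function names, the tag list and the sample inputs are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs whose URL the browser normally loads with the page.
EMBEDDED = {("img", "src"), ("script", "src"), ("link", "href"),
            ("iframe", "src"), ("source", "src"), ("embed", "src"),
            ("video", "src"), ("audio", "src"), ("object", "data")}

class _Finder(HTMLParser):
    def __init__(self, domain):
        super().__init__()
        self.own = {domain.lower(), "www." + domain.lower()}
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue
            host = (urlsplit(value).hostname or "").lower()
            if (tag, name) in EMBEDDED:          # Situation 2: page resources
                self.found.append(("embedded", tag, value))
            elif (tag, name) == ("a", "href") and host in self.own:
                self.found.append(("own-link", tag, value))  # e.g. a PDF link

def find_http_references(html, domain):
    """List (kind, tag, url) for http:// addresses left in a page."""
    finder = _Finder(domain)
    finder.feed(html)
    return finder.found

# Situation 4: Apache redirect directives whose target is an http:// address.
_REDIRECT = re.compile(r"^\s*(Redirect\w*|RewriteRule)\b.*\shttp://\S+", re.I)

def find_http_redirects(htaccess_text):
    """Return (line_number, line) for redirect rules that point at http://."""
    return [(n, line.strip())
            for n, line in enumerate(htaccess_text.splitlines(), 1)
            if _REDIRECT.match(line)]

# Constructed samples for a site hosted at yourdomain.com.
PAGE = """<img src="http://yourdomain.com/photo.jpg">
<script src="https://yourdomain.com/app.js"></script>
<a href="http://yourdomain.com/files/menu.pdf">Menu</a>
<a href="http://other-site.example/">Elsewhere</a>"""
HTACCESS = """RewriteEngine On
RewriteRule ^files/(.*)$ http://yourdomain.com/downloads/$1 [R=301,L]
Redirect 301 /old https://yourdomain.com/new"""
```

Links to other sites are not reported, because those addresses might not work with https://.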



