About Secure Certificates (SSL) - Montana Webmaster

About Secure Certificates (SSL)

What is a secure certificate? – the simple version?

“They” say that you should have a secure certificate for your website, but what is a secure certificate? A Google search for information about SSL or secure certificates leads a person to along list of pages with complicated technical information, but finding a simple answer is not so easy.

“The real function of SSL is to protect the data in transit.” This gem of an answer to a  recent question to StackOverflow provided a clear purpose for SSL,

To a website owner, a secure certificate is another service provided by the company that hosts a website. Some hosting companies provide access to a free SSL called Let’s Encrypt. Others have limited your options to certificates that carry an additional charge. And, there are levels of certificates to explore for larger sites with heavy traffic.

Note: Out of respect to the privacy of my readers, I generally won’t post links to sites without a secure certificate.

How Do I Know Whether my Site has a Secure Certificate?

1. Your browser address bar will tell you.

Screenshot of Firefox browser - no SSL
If you use the Firefox browser, this is what the address bar will look like if there is no secure certificate.
If you use the Chrome browser, this is what the address bar will look like when there is no secure certificate on the domain.

2. Sometimes, you will get different results, if you re-type the address with https://

If you don’t have a secure certificate, but type the address with an https into the address bar, this is what you will see in Firefox.
If you don’t have a secure certificate, but type the address with an https into the address bar, this is what you will see in Chrome.

 

Setting Up a Secure Certificate

Step 1: Buy or order the certificate

While secure certificates may be issued through your web hosting company, the (SSL) system and code itself is actually provided by a third party. That means that your web host probably has several different options available. Your choice will depend on the size, traffic and services offered on your website. Once you purchase the certificate, your site is sometimes moved to a different server with the extra security. But, that process is transparent, and you and your viewers won’t notice any difference.

Step 2: Make sure the URLs on your site use https://

Everything that is linked on your website contains an address (URL) in the code. You may have to change the addresses to your images and links on your site. You don’t want to have any http addresses left anywhere. Otherwise, the certificate will show a problem when people load your site.

The main place where I have seen this problem is with addresses to images. When you see an image on a website, it is not actually embedded into the site, like adding an image to Microsoft Word is. Instead, the code includes an address to the location of the image, and the server ships it to the viewer along with the website. Then the browser puts it in place. If the image address doesn’t have https://, your browser will consider the whole page as insecure. This is why one page on your site could show up as having a problem, but others not.

Screenshot of WordPress Dashboard URL Setting
How to change your site address in the WordPress dashboard

If your site is a database driven site, such as WordPress, Drupal or Joomla, there is often a setting that determines the main address of your site. For example, in the WordPress dashboard, you can go to Settings -> General. Even if you have a secure certificate, you will have to change the main address or all the links will still show http://, instead of https://.

If your site is static, you can run a global search and replace on the files. The main thing is that all the URLs in the code need to start with https://, not http://.

I Added a Secure Certificate to my Site but the certificate is broken

Different browsers react differently to the public keys they receive because they all have their own software and security rules. The screenshots are from Firefox.

The Firefox help site describes this specific situation as, “This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.”

Situation 1: A common situation is when the certificate is actually for a different address for the same site. For example, you may have visited https://example.com, but the certificate is for https://www.example.com. In this case, if you access https://www.example.com directly, you should not receive the warning. ”

Situation 2: Links to your images, PDF files or other resources are still coded with addresses that start with http://, instead of https://. That means that when the browser asks for each of those resources, there are no security checks. I generally run into this problem when the steps described in setting up the secure certificate haven’t been followed.

Situation 3: Sometimes a certificate has expired. If your site uses paid SSL, there is a yearly charge. It will be important to make sure that the certificate bill is paid. One way to do that is to put it on an automatic renewal.

Situation 4: If a redirect in the .htaccess file is sending the address to http, especially if it’s for a resource that is not a page address, the code will still show the https:// address, but the actual address for that item will be http://. Because a resource that is part of a page, or linked from a page in the case of a PDF file, you may only find the problem through a scan of the .htaccess file.

What is SSL: the More Complicated Version

The goals of SSL and how it happens are two different things. For SSL to work, the dangers to data in transit have to be identified. One problem to solve is sending the information to the wrong people. Like the phone caller who claims to be from the IRS, but is really a scammer, a website may look like a trusted site, but may actually be a fake site with programming to steal your login and other private information. GlobalSign identifies this problem with this description of an SSL function.

“SSL Certificates bind together:

  • A domain name, server name or hostname.
  • An organizational identity (i.e. company name) and location.”

~ https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate/

That same article jumps to telling about encryption, without tying encryption to the description of the first task. So the explanations can be a little confusing. Is SSL a way to be sure that you are on a trusted site or a way to encrypt data moving between your computer and a web server or both? Symantec ties the two functions together somewhat.

“As well as encryption, Certificate Authorities (CAs) can also authenticate the identity of the owner of a website, adding another layer of security. The SSL certificate is then used as proof of the company’s identity.”

~ https://www.websecurity.symantec.com/security-topics/what-is-ssl-tls-https

The history of SSL provides a better overall understanding. And, we find out that SSL has been around for a long time, and with a lot of changes!

“Netscape develops SSL v2, an encryption protocol designed to support the Web as a hot new commerce platform. This first secure protocol version shipped in Netscape Navigator 1.1 in March 1995.”
~ https://en.wikipedia.org/wiki/HTTPS

How does a secure certificate work?

Each website with an SSL certificate has a public key and a private key. The public key goes out with the website when someone clicks a link or types an address. The browser uses that key to check the site’s source. The server holds the private key which it uses to check whether the public key is valid.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.