The complete guide to SSL

SSL, or Secure Sockets Layer, is at its most basic a mechanism that allows websites or web applications to be served on https:// rather than http://.

Background

Originally, web traffic was sent between computers using the Hypertext Transfer Protocol (HTTP). This protocol does not provide a secure medium: the data is visible to the owners of the networks it passes over, including your home or office network, your ISP, the ISP of the site you are accessing, their host and many other networks in between.

To overcome this issue, HTTPS (HTTP Secure), an extension to HTTP, was developed, in which the data sent has a form of encryption applied: originally Secure Sockets Layer (SSL) and now Transport Layer Security (TLS).

How it Works

An encryption key, which is a long random piece of text, is agreed upon by the browser and the server and kept secret between them. The key is used to encrypt the transmitted data so it cannot be accessed while it is transmitted over the internet. Once the data is received at the server, the key is used again to decrypt it, allowing data to be shared back and forth between the browser and the server without anyone else being able to access it.

SSL Everywhere

Previously, SSL certificates would be applied to a website or web application but only enforced on specific pages where users may exchange data with the website server. Typically these were pages such as the login page and payment checkout pages, where users would be entering sensitive information such as passwords or card details. Most websites did not include SSL. The two main reasons they were implemented this way were:
1. there was no need to protect non-personal data being relayed between the user and the server
2. it added an unnecessary performance overhead on the server for the decryption

A few years ago, Google took up the cause of getting website administrators to update their entire website to use SSL, with the goal of protecting users from websites that didn’t treat personal data with the level of security it deserves. To enforce this, Google started ranking websites with SSL higher, with non-SSL sites being pushed down in search results.

Most recently, in July 2018, Google Chrome started to mark websites as “not secure” if there is no SSL certificate for the website. Other browsers have followed suit and implemented their own rules to highlight unsecured websites.

The ultimate aim of these activities is to make sure that SSL websites are the norm.

Certificate Types

SSL Certificates are issued by authorized providers and are issued to organizations only after their identities have been validated. The differences in the types of certificates issued are down to the level of validation carried out by the certifying authority.

Domain Validation Certificates

The certificate authority verifies that the organization has control over the concerned domain.

Organization Validation Certificates

The certificate authority investigates the organization making the application to ensure that the certificate is being issued to the correct organizational authorities.

Extended Validation Certificates

The certificate authority validates the ownership, organization information, physical location and legal existence of the company before approving an SSL certificate.

SSL certificates issued by the certificate authority can be limited to a single domain name, a wildcard domain name or multiple domain names. For instance, a single domain name certificate issued for www.xyz.com will only be applied when accessing www.xyz.com, not when accessing mail.xyz.com. A wildcard domain name certificate will apply to all combinations of xyz.com, and a multi-domain certificate will apply to all domain extensions of xyz, such as xyz.com, xyz.net, xyz.org, etc.
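
The following added example (not part of the original article) shows how a client decides whether a certificate covers a hostname for the three kinds above. It is a simplified version of the RFC 6125 matching rules: a wildcard stands for exactly one left-most label, and a multi-domain certificate covers only the names listed on it. The function names and certificate name lists are constructed for illustration.

```python
"""Hostname matching for single, wildcard and multi-domain certificates.

Simplified from the RFC 6125 rules browsers apply; the certificate name
lists below are constructed samples, not taken from real certificates.
"""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot marks the root.
    return name.lower().rstrip(".").split(".")


def name_matches(hostname: str, cert_name: str) -> bool:
    """True if one certificate name covers the hostname."""
    host, pattern = _labels(hostname), _labels(cert_name)
    if len(host) != len(pattern) or "" in host:
        return False  # a wildcard never spans more (or fewer) labels
    if pattern[0] == "*":
        # Wildcard is honoured only as the whole left-most label and
        # must leave at least two fixed labels (rejects "*.com").
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern  # "*" anywhere else is treated literally


def cert_covers(hostname: str, cert_names: list[str]) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(hostname, n) for n in cert_names)


# Constructed name lists for the three kinds described above.
SINGLE = ["www.xyz.com"]
WILDCARD = ["*.xyz.com"]
MULTI = ["xyz.com", "xyz.net", "xyz.org"]

if __name__ == "__main__":
    hosts = ["www.xyz.com", "mail.xyz.com", "xyz.com", "a.b.xyz.com", "xyz.net"]
    for kind, names in [("single", SINGLE), ("wildcard", WILDCARD), ("multi", MULTI)]:
        for host in hosts:
            verdict = "covered" if cert_covers(host, names) else "NOT covered"
            print(f"{kind:8} {host:14} {verdict}")
```

Running it shows the cases that commonly cause browser name-mismatch warnings: the wildcard list does not cover the bare xyz.com or a two-level name such as a.b.xyz.com, so those names have to be listed on the certificate separately.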

At BizBooster, we take security seriously, so all of the websites and web applications we develop include SSL security at no additional cost. Contact us to build your security-enabled website or web application.
