HTTPS for the faint of heart
Welcome back, my HTTPS-encrypted Reader,
Today we’ll talk about HTTPS, or HTTP Secure, or SSL applied to HTTP; it’s an overlooked Subject, at least for the carefree average End User, but SSL on top of HTTP matters a lot, especially where money or sensitive information is involved.
We can’t assume what you know about HTTPS before reading this Article, so we’ve decided to cover its Basics; this will make room for further Articles down the road and hopefully still offer some nuggets of knowledge to the savvy. We’ve all heard about the latest Hacks involving SSL Certificates, so it’s time to make up our minds and at least know what these latest Hackers are all about, don’t you think so?
HTTPS and SSL Certificates
The subject of Security is gaining unprecedented importance, for all too many good reasons. Hacking of Websites has become almost rampant, with unacceptable consequences. Google, one of the largest Search Engines, has made Encryption of Websites one of the factors in SEO Ranking, and has specifically described HTTPS as “Industry-leading Security.”
It is worth noting that most of the drop-offs in transactions on E-Commerce Sites occur at the payment stage. This is primarily due to the lack of faith End Users have in Web Services, which they perceive as a threat to their private credit card information. An SSL Certificate can mitigate, if not completely allay, the fears of the online User Community.
If you’re going to open a Website for commercial purposes or an E-Commerce Store, you should be aware of HTTPS and SSL.
Difference between HTTP and HTTPS
HTTPS, or Hypertext Transfer Protocol Secure, ensures that transmitted data is encrypted rather than sent in plain text. Since the data is encrypted, it becomes less vulnerable to attack. Fortunately, HTTPS uses the same internet channel and resources as normal HTTP.
There are two main differences between HTTPS and HTTP. Firstly, HTTPS uses Port 443, while HTTP works on Port 80. Secondly, HTTPS encrypts data with SSL, while HTTP sends and receives plain text.
Setting up HTTP via SSL
In practice, setting up HTTP over SSL is a simple process. To host Secure pages you must ensure that your Webserver supports SSL Encryption, and your Website must have a unique IP Address. Once you meet both conditions, you must obtain an SSL Certificate from an authorized provider, referred to as a Certificate Authority.
Once you have set up SSL, all Web Pages will be served by the Secure Server. Remember that not all Pages on your Website are directly accessed by Visitors; Webpages which use forms to collect information, however, are exactly the ones that must be secured.
You can secure all your Webpages, but this may add to the cost. You must use relative paths instead of absolute paths for images embedded in your Webforms, otherwise End Users will get an error message from the Browser while accessing your Webpages.
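As an added example (not code from the article), here is a small Python scanner that flags the absolute http:// references the paragraph above warns about; these make a Browser complain when a page is served over HTTPS, the condition usually called mixed content. The sample page and its hostnames are constructed for the demonstration.

```python
"""Added example (not from the article): find the absolute http:// references
the paragraph above warns about, which make a Browser complain when a page is
served over HTTPS (so-called mixed content). The sample page is constructed."""
from html.parser import HTMLParser


def is_subresource(tag, attr):
    """True for attributes the Browser fetches or posts to on the page's behalf.
    Plain links (<a href>) only navigate away, so they are not flagged."""
    return attr in ("src", "action", "data") or (tag == "link" and attr == "href")


class InsecureRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for every absolute http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and is_subresource(tag, name):
                if value.strip().lower().startswith("http://"):
                    self.findings.append((tag, name, value))


def find_insecure_refs(html):
    """Return [(tag, attr, url), ...] for plain-http references in the page."""
    parser = InsecureRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed checkout page: two references are wrong (absolute http://);
# the relative, https:// and scheme-relative ones are fine.
SAMPLE_PAGE = """
<html><body>
<form action="/checkout" method="post">
  <img src="http://www.example.com/images/logo.png">
  <img src="/images/card-icons.png">
  <script src="https://cdn.example.com/app.js"></script>
  <script src="http://cdn.example.com/legacy.js"></script>
  <link rel="stylesheet" href="//cdn.example.com/style.css">
  <a href="http://www.example.com/terms">Terms</a>
</form>
</body></html>
"""
```

Running `find_insecure_refs(SAMPLE_PAGE)` reports only the logo image and the legacy script; the relative path, the https:// script, the scheme-relative stylesheet and the plain link pass.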
What are SSL Certificates?
Let’s look a bit deeper into how an SSL Certificate works. An SSL (Secure Sockets Layer) Certificate is at the heart of the process by which a Website is authenticated and data is encrypted, to be decrypted later with the matching Decryption Key. It is a Digital Certificate which handles User information, like data entered in a form, authenticates or verifies the credentials involved, and then establishes a Secure connection to the Server. To enable this process, an SSL Certificate carries the following:
1. The SSL Certificate Holder’s Name
2. The Serial Number and Expiration Date of the Certificate
3. A copy of the Certificate Holder’s Public Key
4. The Digital Signature of the Authority issuing the Certificate
The following is a typical transaction involving an SSL Certificate:
1) The Browser makes an https:// request for a Secure Page.
2) In response, the Webserver sends back its Certificate, which carries its Public Key.
3) The Browser validates three things at this stage:
– that a Certificate Authority has issued the Certificate;
– that the Certificate is still valid (not expired);
– that the Certificate is related to the Site contacted.
4) Once the Certificate is validated, the Browser generates a Symmetric Encryption Key, encrypts it with the Server’s Public Key, and sends it to the Server along with the URL and other data encrypted under the Symmetric Key.
5) The Webserver decrypts the Symmetric Encryption Key using its Private Key and uses the Symmetric Key to decrypt the URL and HTTP data.
6) The Webserver then sends back the requested HTML document and HTTP data, encrypted with the Symmetric Key.
7) The Browser decrypts the response with the Symmetric Key, and the End User can now see the data.
So what is Encryption anyways?
The Encryption process relies on a Private and Public Key pair. If data is encrypted with the Public Key, it can only be decrypted with the Private Key, and the reverse is also true. A Root Certificate holds all the information pertaining to the Owner of the Website along with the Public Key, but never the Private Key.
Certificate Authority (CA)
The Certificate Authority is a Provider who issues SSL or Digital Certificates. When choosing your Certificate Authority you must evaluate the Data Encryption level they offer. Their Certificates must be compatible with all Browsers. Price is also an important consideration, and depends on the number of transactions.
What’s a Common Name?
All SSL Certificates are associated with one or more Hostnames, called Common Names. When choosing a Certificate you must specify the Hostnames it will cover. The number and kind of Hostnames you can cover largely depends on the Type of Certificate you are going to purchase.
Types of certificates
The Single Name Certificate can only be used with the Single Hostname specified in the Certificate, and is therefore rarely used. It’s the simplest form of Certificate available on the Market.
With Wildcard Certificates you can secure multiple Subdomains of a single FQDN (Fully Qualified Domain Name). For this reason the cost of maintenance goes down while Certificate management becomes simpler. With a Wildcard Certificate obtained for a Single Domain Name, you also secure all of its future Subdomains (Third Level onwards).
While a Wildcard Certificate is used by a Single Domain Name with multiple Subdomains, a SAN or Subject Alternative Name Certificate is used when you need to manage multiple FQDNs (Fully Qualified Domain Names) with a single Certificate. SAN Certificates can be used only for the Fully Qualified Domain Names which are listed in the Certificate.
There are limitations in the use of SAN Certificates. You cannot use them à la Wildcard Certificate unless each of your Subdomains is also registered as a Unique Domain Name when the SAN Certificate is issued. Luckily, SAN Certificates generally allow for 40 or even up to 100 Hostnames.
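As an added example (not code from the article), the following Python sketch performs the three checks of step 3 of the SSL transaction described above and applies the hostname rules behind Single Name, Wildcard and SAN Certificates. Certificates are modelled as constructed dicts, TRUSTED_CAS is a constructed trust store, and the CA’s digital signature is not verified here; the wildcard rule follows the standard Browser behaviour, in which `*.example.com` stands in for exactly one label.

```python
"""Added example (not from the article): the three checks a Browser makes in
step 3 of the SSL transaction, plus the hostname rules behind Single Name,
Wildcard and SAN Certificates. Certificates are constructed dicts standing in
for X.509 data; TRUSTED_CAS is a constructed trust store. Signature checking
is left out, so this is a sketch of the logic rather than a real validator."""
from datetime import date

TRUSTED_CAS = {"Example Root CA"}  # constructed: issuers this browser accepts


def name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.

    A wildcard is accepted only as the whole leftmost label and stands in
    for exactly one label: '*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_names(cert):
    """Hostnames the certificate covers: the SAN list, else the Common Name."""
    return cert.get("san") or [cert["common_name"]]


def validate(cert, hostname, today):
    """Return the list of problems found; an empty list means the cert passes."""
    problems = []
    if cert["issuer"] not in TRUSTED_CAS:  # 1: issued by a known CA
        problems.append("issuer is not a trusted Certificate Authority")
    if not cert["not_before"] <= today <= cert["not_after"]:  # 2: validity
        problems.append("certificate expired or not yet valid")
    if not any(name_matches(n, hostname) for n in covered_names(cert)):  # 3
        problems.append("certificate does not cover " + hostname)
    return problems


# Constructed certificates: one Wildcard, one SAN covering two FQDNs.
WILDCARD_CERT = {"issuer": "Example Root CA", "common_name": "*.example.com",
                 "not_before": date(2024, 1, 1), "not_after": date(2025, 1, 1)}
SAN_CERT = {"issuer": "Example Root CA", "common_name": "shop.example.com",
            "san": ["shop.example.com", "pay.example.org"],
            "not_before": date(2024, 1, 1), "not_after": date(2025, 1, 1)}
```

`validate(WILDCARD_CERT, "www.example.com", date(2024, 6, 1))` returns an empty list, while the same certificate is rejected for `example.com`, for `a.b.example.com`, and for any date outside its validity window.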
Extended Validation Certificate (EV)
These Certificates are similar to other Certificates and offer the same cryptography. However, Extended Validation Certificates work together with EV-aware Software, are costlier, and follow a lengthier process to be obtained.
Shared SSL and Private SSL
Shared SSL Certificates are a common practice among Hosting Service Providers (amongst others; CDNs also generally offer them as the cheapest way to get SSL). They are used for secure Login to the Administrative area of the Hosting Service Provider, or as the easiest way to let Secure Traffic flow when adopting a CDN. They cannot be used by individual Websites or Domain Names, as their very nature is shared: if you inspect one, you will notice it generally is a SAN Certificate that aggregates the most diverse Businesses “under the same roof”.
Private SSL Certificates, on the other hand, are issued for a Specific Domain Name and are therefore preferred by Commercial Websites that deal with their own Users’ trust on a daily basis.
We intended to take the Audience on a high-level journey through the world of SSL Certificates; there are more technical meanders we deliberately didn’t explore, to keep it easy.
We will build on these foundations in later Articles on our Blog, describing the different available Certificates in more detail, further Security concerns related to their cryptography level, and what exactly is going on in the Hacking Community with SSL.
Did you enjoy the Article?