You may have noticed while browsing the web that every site you visit is preceded by HTTP, or in some cases HTTPS.
Most people know that HTTP, or Hypertext Transfer Protocol, specifies the underlying information exchange method by which nearly all websites are accessed over the web. HTTPS is an extension of HTTP, with the S standing for Secure.
Modern HTTPS uses Transport Layer Security, or TLS, to encrypt all information exchanged between a client and a web server, thereby ensuring a secure connection.
In order for a website to utilize HTTPS, the web master must acquire an SSL certificate from a trusted certificate authority.
To understand the process of obtaining an SSL certificate, how TLS works and what implications enabling HTTPS could have for your website, keep reading!
Why Is An SSL Certificate Necessary?
An SSL certificate enables your website to communicate through HTTPS, which is fundamental in protecting sensitive information sent between your web server and clients from being exposed to malicious parties.
The full URL being requested, all data (be it plain text or binary), cookies and other headers are all encrypted when using HTTPS.
The most typical scenario HTTPS prevents would be a “man in the middle” attack where the information is intercepted in transit, and eavesdropped upon or in some cases altered. If your website deals in any sensitive client information, HTTPS is a must.
This could range from accepting payment information for an ecommerce transaction to simply collecting contact information from a standard inquiry form.
There are important implications of a website being HTTPS capable beyond securing sensitive information. Modern browsers now actively warn users against using any unsecured website, labeling it as untrusted.
There are also serious consequences of forgoing HTTPS for your website’s SEO and search rankings.
In 2014 Google announced their ranking algorithms would be updated to favor websites supporting HTTPS, with the intention of strengthening the impact of HTTPS in their ranking algorithms as time went on.
In 2015 Google stated HTTPS would be a tie breaker if the quality metrics for 2 sites were the same in every other regard.
According to the latest metrics from Moz, although just over 1% of all websites are secured through HTTPS, ~40% of Google’s first page organic search results are HTTPS.
How To Acquire An SSL Certificate
A certificate authority is an entity responsible for issuing verified and trusted SSL certificates.
Some of the most popular certificate authority organizations are IdenTrust, Comodo, DigiCert and GoDaddy.
They are responsible for verifying the identification information in an organization’s Certificate Signing Request and applying their digital signature to any SSL certificate they issue. This digital signature enables site visitors to validate the server’s SSL certificate.
The first step of acquiring an SSL certificate from a trusted certificate authority is to generate a public/private key pair that will be used in the encryption process that we will discuss in detail later on.
The public key is sent to the certificate authority as part of a Certificate Signing Request or CSR along with the associated company’s name, address, sub-organization within the company making the request if applicable and the domain name the certificate is intended to secure.
The private key is never disclosed; secrecy of the private key is paramount to ensuring the integrity of any secure connection.
The certificate authority will then validate the identification information provided in the CSR typically using a combination of government bureaus, databases and services from third parties and in some cases custom heuristics.
Once the identification information has been verified, the certificate authority provides the requesting organization with an SSL certificate bearing the certificate authority’s digital signature.
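The key pair and CSR steps above, as an added example written with Go's standard library (this is not code from the article; the organization details, the domain www.example.test and the file name server.key are constructed placeholders). The CA side's first check, that the request's self-signature matches the public key inside it, is included as well, since that is what proves the applicant holds the private key without ever sending it.

```go
// Added example (Go standard library, not the article's own code).
// Every organization detail used here is a constructed placeholder.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// Applicant holds the identification fields a certificate authority vets.
type Applicant struct {
	Country, Locality, Organization, OrgUnit, Domain string
}

// GenerateKeyAndCSR creates a fresh 2048-bit RSA key pair and a PEM-encoded
// Certificate Signing Request carrying the applicant's details and the public
// key. Only the CSR is sent to the CA; the private key is returned separately
// so the caller can keep it on the server and never disclose it.
func GenerateKeyAndCSR(a Applicant) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			Country:            []string{a.Country},
			Locality:           []string{a.Locality},
			Organization:       []string{a.Organization},
			OrganizationalUnit: []string{a.OrgUnit},
			CommonName:         a.Domain,
		},
		DNSNames:           []string{a.Domain}, // the domain the certificate is meant to secure
		SignatureAlgorithm: x509.SHA256WithRSA, // shown as "sha256RSA" in certificate viewers
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return key, csrPEM, nil
}

// PrivateKeyPEM serializes the key for storage; write it with mode 0600 so
// only the server process can read it.
func PrivateKeyPEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// InspectCSR is the CA's first step: parse the request, check its
// self-signature (proof that the applicant holds the matching private key)
// and return the domain and organization it asks to have certified.
func InspectCSR(csrPEM []byte) (domain, org string, err error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", "", errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", "", fmt.Errorf("CSR signature does not match its public key: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return "", "", errors.New("CSR does not name a domain")
	}
	if len(csr.Subject.Organization) > 0 {
		org = csr.Subject.Organization[0]
	}
	return csr.DNSNames[0], org, nil
}

func main() {
	key, csr, err := GenerateKeyAndCSR(Applicant{"US", "Springfield", "Example Corp", "Web Team", "www.example.test"})
	if err != nil {
		panic(err)
	}
	// The private key stays here, readable only by the owner; the CSR is what gets uploaded.
	if err := os.WriteFile("server.key", PrivateKeyPEM(key), 0o600); err != nil {
		panic(err)
	}
	domain, org, err := InspectCSR(csr)
	fmt.Printf("CSR for %s (%s), signature valid: %v\n%s", domain, org, err == nil, csr)
}
```

Running it writes server.key with owner-only permissions and prints the PEM CSR that would be pasted into the CA's order form. Any change to the CSR body after signing (even one byte of the subject) makes InspectCSR reject it, which is why the CA can trust that the details and public key it receives are the ones the applicant signed.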
There are three main types of SSL certificate:
- Extended Validation (EV SSL) certificates verify the right of the applicant to use a specific domain name in addition to a thorough investigation of the organization. This gives visitors to a website a high degree of trust that the identity of the organization listed on the certificate is genuine.
- Organization Validated (OV SSL) certificates are essentially the same as EV SSL certificates but with less vetting of identification information.
- Domain Validated (DV SSL) certificates only validate domain ownership and no organizational details are verified or displayed.
In most cases a business will want to obtain an OV SSL or EV SSL in order to be able to provide visitors with some identifying details to establish a higher level of trust. The cost of these certificates goes up with the amount of information verification, making EV SSLs the most expensive and DV SSLs the least expensive.
Certificate Authorities And Server Identification
A server’s ability to identify itself to you through its SSL certificate begins with verifying the validity of its SSL certificate against the issuing certificate authority’s own certificate.
This process is facilitated through the digital signature of the certificate authority on the server’s SSL certificate. When your browser attempts to make a secure connection to the server, it must verify that the SSL certificate was procured from a trusted source.
Luckily all mainstream browsers come prepackaged with a list of trusted certificate authorities and their corresponding certificates which contain a public cryptographic key. Your browser uses this key to verify the digital signatures originating from that certificate authority.
The SSL certificate lists the encryption algorithm and hash function used in the digital signature’s generation, typically sha256RSA and sha256 respectively.
Along with the digital signature of the issuing certificate authority, other important identifying information on the SSL certificate includes the company’s name and address.
There will always be a date range listed on the SSL certificate going from the date it was issued to the date when it expires.
TLS Protocol And The TLS Handshake
In addition to the identification information and the digital signature of the certificate authority, an SSL certificate also provides all the information needed for a client to engage in secure communication with the server over a network.
Most important of this information is the server’s public cryptographic key. The actual encryption protocol used in HTTPS communication is called TLS, or Transport Layer Security.
The predecessor of TLS was SSL, and the nomenclature stayed the same when used in related terms such as SSL certificate. If you’re familiar with the network stack, TLS operates above TCP/IP and under HTTP.
The process of using TLS for secure communication between a client and server over HTTPS begins with the TLS handshake.
The handshake uses asymmetric (public-key) cryptography to negotiate cipher settings and establish a session-specific shared key. That shared key is then used to encrypt all subsequent communication with a symmetric cipher.
During the handshake the parameters pertaining to the cryptographic algorithms and methods used between the client and server are agreed upon.
The TLS Handshake
- The client connects to a TLS enabled server and requests a secure connection. This request provides the supported TLS version as well as cipher suites (cipher algorithms and hash functions) the client is capable of using.
- Upon receiving the request, the server will choose a cipher and hash function from the client’s list that the server also supports. This decision is sent back to the client.
- The server will now provide the client with its SSL certificate.
- Upon receiving the SSL certificate, the client verifies its validity; in the case of a web request through a browser, this uses the stored list of trusted certificate authorities and their digital signature information.
- If the server’s SSL certificate is verified, the client will generate secure session keys using one of the following methods:
  - The client encrypts a random number with the server’s public key and sends the encrypted value to the server, which decrypts it using its private key. The client and server then derive a unique session key from this random number for all further secure communication.
  - Diffie-Hellman key exchange is used to generate a random session key. This method has the added advantage of forward secrecy: should the server’s private key later be revealed to a third party, that party cannot use it to decrypt the session.
Once the handshake has been completed, the connection is secured and communication between the client and server will commence in secrecy over HTTPS until the session ends.
If any step of the TLS handshake fails, the secure connection is not created.
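The checks described under Certificate Authorities And Server Identification (CA signature, name, validity dates) and the handshake steps above, as one added example written with Go's standard library (not code from the article). It creates a toy root CA standing in for one entry of the browser's trusted list, has it sign a server certificate, runs the browser's checks on that certificate, and then performs the handshake between a client and a server over a loopback TCP connection. All names and dates are constructed; ECDSA keys are used only to keep the example fast, and RSA keys as on the page would work the same way.

```go
// Added example (Go standard library, not the article's own code); all names and dates are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign issues a certificate from tmpl for pub, signed with signer's key; a nil parent makes it self-signed (a root CA).
func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewCA returns a self-signed root, the equivalent of one entry in a browser's list of trusted certificate authorities.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return sign(tmpl, nil, &key.PublicKey, key), key
}

// IssueServerCert is the CA signing a site's public key for one domain, with the issue and expiry dates every certificate carries.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, domain string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"Example Corp"}, CommonName: domain},
		DNSNames:     []string{domain}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey), key
}

// BrowserCheck is what the browser does with the certificate it receives: the CA signature must chain
// to a trusted root, the name must match the site visited, and now must lie inside the validity window.
func BrowserCheck(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// Handshake runs the TLS handshake between a client trusting roots and a server presenting cert,
// over a loopback TCP connection, and returns the negotiated protocol version and cipher suite.
func Handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, host string) (uint16, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // ephemeral loopback port stands in for the web server
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: host} // the trust store and the site name
	srvErr := make(chan error, 1)
	go func() { // server side: ServerHello, Certificate, key exchange, Finished
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(conn, serverCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return 0, "", err
	}
	defer raw.Close()
	client := tls.Client(raw, clientCfg)
	err = client.Handshake() // ClientHello, certificate verification, key exchange, Finished
	<-srvErr                 // wait for the server side to finish or fail as well
	if err != nil {
		return 0, "", err
	}
	st := client.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	ca, caKey := NewCA("Example Root CA")
	cert, key := IssueServerCert(ca, caKey, "www.example.test", time.Now(), time.Now().Add(90*24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("signed with:", cert.SignatureAlgorithm, "valid until:", cert.NotAfter.Format("2006-01-02"))
	fmt.Println("browser check:", BrowserCheck(cert, roots, "www.example.test", time.Now()))
	fmt.Println("wrong host:", BrowserCheck(cert, roots, "other.example.test", time.Now()))
	ver, suite, err := Handshake(cert, key, roots, "www.example.test")
	fmt.Printf("handshake: version 0x%04x, suite %s, err %v\n", ver, suite, err)
}
```

With both sides at their defaults the handshake negotiates TLS 1.3, whose cipher suites all use ephemeral Diffie-Hellman for the session key, so the forward-secrecy case from the second bullet is what actually runs here. Pointing the client at a pool containing a different root is the "untrusted source" case: the client rejects the certificate, sends an alert, and no secure connection is created, matching the last step above.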
It is important to note that having a valid SSL certificate does not mean a website is entirely secure. It simply ensures that any communication between the server and a client over HTTPS is secure.
Additional steps will need to be taken beyond just having an SSL certificate to fully secure a website.
If your website deals with any sensitive client data whether it be payment information for ecommerce or simply collecting contact information from interested customers, you have a responsibility to secure their information by having your website HTTPS enabled.
Beyond building trust with your visitors, HTTPS is an important factor on how your site performs in SEO and search rankings.
If you’re thinking about building a website for your business or already have a website that would benefit from upgrading to HTTPS, we can help. Contact us to discuss your options.