Securing Your Website
When you load a website, the browser tells you whether or not you should trust it. Why? And how does the browser decide? Today, I am going to talk about something called an SSL Certificate, what it means, why you need one, and the massive movement to hand them out freely, making it easier for you to secure your website. So let’s get started…
What is an SSL Certificate?
When you are in your browser and looking at a website, behind the scenes, the browser is connecting your computer to the website’s server.
Originally, this connection was wide open, with the messages between the server and your computer in plain text and completely insecure. This made it far too easy for malicious software to sit on the connection and grab those messages as they went by.
Then came along encryption and SSL Certificates.
Luckily, the only thing we really have to understand about encryption is what it does, not how it accomplishes it through its complex math.
Let’s take a moment to talk about the lingo involved here. When you secure your website through your hosting provider, they are going to use one of the following terms:
- SSL Certificate
- TLS Certificate
- Security Certificate
All three mean the exact same thing.
Once a website has been secured, it guarantees to the website visitor:
- Confidentiality - meaning it is not possible for messages to be grabbed and read by malicious software while in transit
- Authenticity - the website in which you are interacting is the expected website
- Integrity - since the connection is secured, the data passing between your browser and the website is exactly as each side intended it
Why your website needs a certificate
The Internet is going through a big change. For example, on September 8th, 2016, Google published an article, “Moving towards a more secure web”.
In it, Google announced its overall plan to change the way it tells visitors about the security of the website they are visiting.
For pages that had no sensitive data, there was only an information icon, which you could click to drop down a panel that stated it was an insecure page. But recently, Chrome moved to the next stage where it has the words “Not Secure” up at all times.
The big news was that in the near future, Chrome will show “Not Secure” in red along with a red triangle to get your attention. This will be done for all insecure pages, no matter the sensitivity of the data involved.
At the same time, it is going to retire the lock that we are all familiar with. Originally, when a page was secure, there was a green lock and the word “Secure”. Currently, the lock is still there, but gray, and the Secure word has disappeared. Then in the near future, that lock will disappear. The idea here is that it is expected that all web pages will be secure, so the browser will only show indicators when that is not the case.
To show how all of this works, let’s look at a website I built for demonstration purposes, 1securewebsite.com. This is a simple static website, with a home page, and a fake login page.
Even though it looks like a secure website, Chrome is informing me that it is, in fact, not secure. But it is also not too fussed about it because we are looking at static page that doesn’t do anything and Chrome is letting it slide.
But notice if I move to the login page. Chrome still says it is insecure, but still not to fussed. But if I start to type in the username field, Chrome starts to warn me. This is that middle stage of the overall plan. In the future, this red warning and icon will happen on all the pages of a website without an SSL certificate installed.
If we move to 1happyplace.com which is secure, you can see how different it looks in the address bar. It has a gray lock and shows https at the beginning of the web address
So, how do you secure your website?
For websites that are still not secured, there is some good news. In May of 2013, the Internet Security Research Group or ISRG was founded, with its stated mission to help websites secure their information. It was sponsored by many companies, including Google and Mozilla, and launched a massive undertaking - Let’s Encrypt.
Thanks to Let’s Encrypt, website owners can now acquire a security certificate easily, efficiently, and for free. You start the process by working with your hosting provider. Most hosting providers will do this automatically or require change of a setting The important thing to remember to look for those three names, SSL, TLS or Security Certificate.
I wish you the best as you dive into securing your website knowing that it will reassure your website visitors and add to the overall goal of securing the Internet.