SSL Certificate and Website Security
If your website performs any e-commerce or asks website visitors to submit any kind of sensitive information, then you will want your website to be secure. Let’s explain how security and SSL work and then what your options are.
What is SSL?
SSL stands for Secure Sockets Layer. Yeah, that clears things up, right?
It’s encryption. There’s a private key on the server and a public key that’s given out. With some mathematical magic, all communication between the web server and someone’s web browser can be made private and secure. Technically, you only need SSL on the page that a form on a website submits (posts) to, but the industry standard is to have the form (the page where people enter information) secure as well. People feel better seeing it on that page. If a secure page posts to a non-secure page or script, then SSL is not being used correctly.
Using SSL prevents anyone between the web server and the web browser from sniffing network traffic and grabbing data. The Internet is a shared network and most information is sent in the clear. The chance that information is being sniffed is low, but there’s always a chance.
Where to Use SSL
As we mentioned, any page that asks for sensitive information such as credit card information, social security numbers or any other personal data should be secure. Also, if a website is holding this kind of information behind a login, then the login pages, which provide access to that information, need to be secure as well.
Once SSL is set up on a website, any page on that website can be made secure by changing the URL from “http://” to “https://” (notice the “s” that was added). You set it up once and then it can be used on any page. You just have to be careful about how you link to that page, or have the internal programming of the website check that a page that is supposed to be secure does have “https” in the URL before the sensitive data is sent. If it does not, the website can reload the page in “https” mode automatically.
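The check described above can live in one place instead of on every page. This is an added example, not Webstix code: a Python WSGI middleware in which the protected paths, the stand-in site and the probe helper are all hypothetical, and which assumes the web server sets wsgi.url_scheme correctly and serves https on the default port.

```python
from urllib.parse import urlsplit, urlunsplit
from wsgiref.util import request_uri, setup_testing_defaults

# Paths that must only be served over SSL (hypothetical for this example).
SECURE_PREFIXES = ("/login", "/checkout", "/account")


class RequireHTTPS:
    """WSGI middleware that reloads protected pages in https mode."""

    def __init__(self, app, prefixes=SECURE_PREFIXES):
        self.app, self.prefixes = app, prefixes

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        protected = any(path.startswith(p) for p in self.prefixes)
        if not protected or environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD") not in ("GET", "HEAD"):
            # A form body sent over http has already crossed the network
            # unencrypted, so refuse it instead of processing it.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Submit this page over https.\n"]
        # Same host, path and query string, https on the default port 443.
        url = urlsplit(request_uri(environ))
        target = urlunsplit(("https", url.hostname, url.path, url.query, ""))
        start_response("301 Moved Permanently", [("Location", target)])
        return [b""]


def site(environ, start_response):
    """Stand-in for the real website."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"page content\n"]


def probe(app, method, scheme, path, query=""):
    """Send one constructed request through app; return (status, Location)."""
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "example.com"}
    setup_testing_defaults(environ)
    seen = {}

    def start_response(status, headers):
        seen.update(status=status, location=dict(headers).get("Location"))

    list(app(environ, start_response))
    return seen["status"], seen["location"]
```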
Getting SSL Certificates
With Webstix website hosting, we get a 2048-bit encrypted certificate that’s very secure. They are fairly easy to get and work well. We take care of providing the CSR (certificate request) to the Certificate Authority. You may have to verify that you want the SSL certificate generated. This is usually done by sending a confirmation email to the Administrative Contact on the domain record. It’s best to make sure that the Administrative Contact for your domain name is up to date before the certificate is purchased.
If you would like to provide your own SSL certificate, such as one from Verisign, then you are welcome to get that on your own. We will need to give you the CSR to give to them. That’s no problem. You will then take care of purchasing the SSL certificate yourself and doing any other verification that they require. Sometimes, with the higher level of security that you are ordering, you need to provide very extensive proof of domain ownership, articles of incorporation for your business, etc., and this can delay your SSL certificate until all that investigation is done.
Here is a synopsis of how to get an SSL certificate:
When a cert is made, the first thing you need to do is create the private key on the server. This is never shared. Creating it also generates a CSR, which is the certificate request. You then take this CSR to the third-party company (GoDaddy, Verisign, etc.) that is the Certificate Authority (CA) (this means they’re trusted), and they get you the public key. Sometimes the public key also contains a supplementary key called the CA certificate. When the public key is combined with the private key (which never left the server), the SSL certificate is complete.
When an SSL certificate is needed, the website host often needs to become involved. They have to allocate the dedicated IP (since a separate port 443 is needed) and often they generate the CSR, request the certificate and then install the certificate.
Some hosts, like GoDaddy or Hostgator, give you a control panel where you can do this yourself for the most part. We’ve seen on GoDaddy that if you want SSL hosting, then your website has to be moved to another server. This process usually takes 24-48 hours and often results in your website being down while that transfer happens.
Most of our clients are not experts on this process, so we help them by offering SSL certificates on websites that we host.
Installing SSL Certificates
One thing that is required when you want to use an SSL certificate on your website is a dedicated IP address. Basically, how this works is that all secure traffic moves to port 443 on a server (normal web traffic that’s not secure is on port 80). You can only have one port 443 per IP address. If your website is not secure, then it can share a common IP address with other websites. The web server takes care of seeing which website is being requested and then serves up that website. With port 443, it cannot be shared like that.
All this means is that you need a dedicated IP address. With our hosting, there is an extra charge for a dedicated IP address. There may also be some SEO benefits from having your own, dedicated IP address.
Renewing SSL Certificates
When a certificate is purchased, it’s usually good for 1 year or a few years. For the certificates that we purchase, we also include managing and renewing them. If you bring your own SSL certificate, then you are responsible for managing it yourself. Make sure that you set a reminder to renew it, or else people who come to your website to purchase something might see an ugly error message come up in their web browser saying that the SSL certificate is expired and that their information might not be secure. If this happens, you could see a dramatic decline in orders and lose revenue.
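A scheduled check is more reliable than a calendar reminder. This is an added example, not Webstix code: it reads the expiry date from the certificate a site is actually serving, and the 30-day renewal window is an assumed value.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # assumed reminder lead time; pick your own


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter time (negative if past).

    not_after uses the format ssl.getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2030 GMT'.
    """
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def renewal_status(not_after, now=None, window=RENEW_WINDOW_DAYS):
    """Classify a certificate as 'expired', 'renew now' or 'ok'."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "renew now" if remaining <= window else "ok"


def check_site(host, port=443, timeout=10):
    """Fetch the live certificate from host and report its status."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        # Browsers show their error page in this case (expired, wrong
        # name, untrusted issuer); verify_message says which.
        return f"{host}: certificate rejected ({err.verify_message})"
    return f"{host}: {renewal_status(not_after)}, {days_left(not_after)} days left"
```

Run check_site("your-domain") from a daily scheduled job and alert on anything other than "ok".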
Getting an SSL certificate is not too difficult if you know what to do. There are some steps to follow. We’re experts at getting SSL certificates purchased and set up. If you have any questions, please let us know.