SSD Grow

Understanding HTTPS | Functionality and Importance

Google has pioneered changes and advancements in developing, hosting, and populating websites with content. One of their latest areas of interest is HTTPS. As a website owner, regardless of the type of website you host from your VPS, it’s crucial to understand how HTTPS functions and why it’s essential.

 

Chrome will flag all websites that operate on HTTP as insecure. Even before this, Chrome was already marking sites that used HTTP and had forms where users could input data as insecure, causing concern among users and frustration for business owners.

 

Now, Google is taking a stricter approach. If your website does not have HTTPS enabled, you may lose SEO ranking since it will be marked as insecure in the URL bar. All your efforts in content marketing and keyword targeting could vanish overnight if Google begins to de-prioritize your content, thus making it visible to fewer people. Your users might even start looking for alternatives.

Website owners need to start taking HTTPS seriously, especially now.

HTTPS is a secure version of HTTP, where the security is provided by Transport Layer Security (TLS). Although SSL (Secure Sockets Layer) and TLS are often used interchangeably, SSL is the older security protocol, while TLS is the newer and more secure version. Most websites use TLS version 1.2 while transitioning to version 1.3. However, some websites still support older versions of TLS. Now that we better understand the acronyms and versioning, let’s move on to the critical question at hand.

HTTPS Introduction

Data travels over the internet through various interconnected servers, some of which are maintained by governments or businesses, while others may be set up by individuals with malicious intent. Even if your web server is secure, there is no guarantee that the data it sends to a client over this network of untrusted entities will not be intercepted by a third party along the way. This is called a “man-in-the-middle” attack (MITM).

 

To solve this problem, HTTPS establishes an encrypted channel between the client (web browser) and the server. Encryption ensures data security by upholding the fundamental principles of data integrity, privacy, and authenticity. Data integrity means ensuring that the data received was not tampered with by an uninvited guest who intercepted it on its way. Privacy means that even if someone listens in on or copies the traffic as it flows through, they cannot make sense of the data because it is encrypted, and only trusted parties have the key to decrypt it. Authenticity means that websites are what they claim to be, and HTTPS certificates help the web browser verify the website’s authenticity.

 

The first two principles are upheld by cryptographic techniques implemented in most browsers and web servers through the OpenSSL/LibreSSL libraries. However, there is still much to be said about authenticity.

Authenticity via HTTPS

The initial step of establishing a secure communication channel is the most vulnerable aspect of the process. For example, when Alice visits a website (let’s say URL_1) for the first time, encrypted content and the keys needed to decrypt that content must be sent over an insecure channel. Otherwise, the communication cannot begin. Since Alice’s browser does not have the keys for URL_1, they must be sent over an unencrypted connection.

However, if a Man-in-the-Middle (MitM) attack occurs during this critical first exchange, any communication from that point onwards cannot be trusted. An attacker could intercept Alice’s connection to URL_1 and serve malicious content instead. This content could be encrypted and secured with a key, but it would still be malicious.

For Alice, the malicious server would appear to be a legitimate website. This would be a severe problem if the attacker impersonated Alice’s online banking dashboard or a trusted retailer requesting her credit card information.

 

To solve this trust issue, we use certificates and a Certificate Authority. Digital certificates are used to prove identity, similar to real-life certificates. However, the internal mechanism of how a certificate helps establish identity is beyond the scope of this post.

1. Certificate authorities and HTTPS

The Certificate Authority (CA) is a trusted party on the internet that everyone relies on. Your web browser and operating system come with a pre-installed list of CAs that can never be visited for the first time, even on a new device. This is because every major OS vendor and browser, such as Chrome, Firefox, Edge, or Safari, knows exactly what certificates the CA would use and cannot be fooled by a third party.

 

With the trusted CAs in place, we can prove the trustworthiness of our own website. When requesting a certificate for your DOMAIN.TLD, the CA asks you to perform certain challenges. This may include setting up a DNS record, which you can only do if you own that domain name, or making a unique string available at the web root http://DOMAIN.TLD/special_resource to prove to the CA that the domain name is pointing to the correct web server. Once this is done successfully, the CA issues a TLS certificate to the web server.

 

Now, when a browser tries to visit your website and sees that it is offering an HTTPS certificate, it can check against all the CAs and verify that one of them has indeed issued that specific certificate to your domain name. If the browser cannot verify the certificate, it will warn the user that the website may not be what it appears to be and display a “Deceptive Site Ahead” warning.

LetsEncrypt and CloudFlare

TLS certificates were once a paid commodity, and additional costs were incurred by paying a Certificate Authority for the TLS certificate, on top of your VPS subscription and domain name subscription. These certificates are expected to expire after a specific time due to security concerns, so continued subscription was necessary.

However, Let’s Encrypt and CloudFlare have changed the game by offering free TLS encryption. You can use these services to secure your website and user data, and browsers display a green padlock icon in the URL bar to indicate that it’s an encrypted connection backed by a CA.

But which one should you choose? Let’s Encrypt may be technically challenging, as you need to know how to renew certificates, configure web servers like Nginx to use the certificates, and redirect HTTP requests to HTTPS. However, tools like Certbot make obtaining certificates relatively easy.

On the other hand, CloudFlare offers a nice GUI to enable SSL (TLS) within minutes, and you can choose between a Full Strict policy, which offers a certificate-key pair to add to your server, or a Flexible policy, which enables encrypted communication between just the CloudFlare DNS service and the clients visiting your site. The latter is a good option for starters, as it gets you the green padlock in browsers and is reasonably secure.

Although CloudFlare offers four different SSL setups, that’s a story for another day.

Certbot for LetsEncrypt

Certbot is a well-known software that automates the process of installing and renewing TLS certificates. This software is best used in conjunction with Let’s Encrypt as the Certificate Authority, but it is also compatible with any CA that supports the ACME protocol. ACME protocol is a system that verifies that you have control over a domain name and can rightfully request certificates for it.

 

The Certbot website assists with installing certificates and configuring them to work with popular web servers such as Apache and Nginx without requiring knowledge of the ACME protocol or other technical details. If you are specifically interested in Let’s Encrypt, you might want to check out the Caddy web server, which integrates with it automatically.

 

This means that you no longer have to worry about manually modifying the configuration files of Nginx or Apache2. This is a great relief for many users.

 

As Google is going to make some changes and the demand for privacy and security increases, it is highly recommended that users switch to HTTPS—no need to worry if you are not comfortable with Linux administration. You can use the free plan from CloudFlare to maintain your DNS records, which also provides free SSL certificates. 

 

SSL is not only essential for e-commerce websites but also for static web pages. It helps to protect your business and the visitors to your website. Now is the perfect time to adopt the encrypted future of the web and take advantage of the benefits of encryption.

Conclusion

In conclusion, HTTPS is not merely a technical protocol but a critical safeguard for online security and trust. By encrypting data transmission between users and websites, it protects sensitive information from unauthorized access and tampering. Understanding its functionality and importance empowers individuals and organizations to prioritize online safety and build credibility with their audience. Embracing HTTPS is not just a best practice but an essential step in today’s digital landscape, ensuring secure and reliable communication across the web.

Related Articles