Guide to Moving On Up with SSL



There are numerous reasons for websites to start using HTTPS over HTTP.

Not only does HTTPS improve security for consumers during the course of their digital experience, but Google also considers the presence of a secure connection a ranking signal (although there doesn't seem to be much evidence of this yet). Let's take a look at HTTPS and how it differs from HTTP.

HTTP vs HTTPS

HTTP (Hypertext Transfer Protocol) is the foundation for communicating over the Web - a distributed, collaborative, hypermedia information system. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when you enter a URL in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page.

HTTP is called a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it. This is the main reason that it is difficult to implement websites that react intelligently to user input. This shortcoming of HTTP is being addressed in a number of new technologies, including ActiveX, Java, JavaScript and cookies.

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure.' It means all communications between your browser and the website are encrypted.

Now that you know the difference between the two, and see the benefit of moving a website to HTTPS, how do you get started? 




Moving On Up With SSL

The first step is to acquire an SSL certificate, a small data file that digitally binds a cryptographic key to an organization's details. When the certificate is installed and activated on a Web server, the HTTPS protocol allows for secure connections between that server and a browser.

There are numerous providers of SSL certificates and a quick search on Google or Bing will bring up current offers and pricing from the likes of well-known brands including GoDaddy, Network Solutions, DigiCert, RapidSSL and others.

It is very important, however, to select the right SSL certificate, because they are most definitely not all created equal. There are, in general, three different types of SSL certificate an enterprise can consider:

Extended Validation (EV) SSL Certificates: where the Certificate Authority (CA) checks the right of the applicant to use a specific domain name PLUS it conducts a thorough and detailed vetting of the organization. The issuance process of EV SSL Certificates is strictly defined in the EV Guidelines, as formally ratified by the CA/Browser Forum in 2007, which specify all the steps required of a CA before issuing a certificate.

Organization Validation (OV) SSL Certificates: where the CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. Additional vetted company information is displayed to customers when clicking on the Secure Site Seal, giving enhanced visibility of who is behind the site and associated with it - to enhance trust.

Domain Validation (DV) SSL Certificates: where the CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.

Prices will vary depending on the type of SSL certificate requested, as well as how it will be used. For example, is the SSL intended for a single domain, multiple sub-domains or several domains concurrently? Understanding how an SSL will be used in the future will ensure you choose the right option for your enterprise.

Once the right type of SSL certificate is chosen, and you're ready to move forward securing a website, the CA (certificate authority) will need what is called a Certificate Signing Request (CSR).

A CSR is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

If you're unsure where to get your CSR, check with your current hosting provider or with your IT staff. Those using cPanel can actually generate their own CSR by going to the SSL/TLS Manager and generating a new request.

Once the CA (certificate authority) uses the CSR to create the SSL certificate, the next step is to activate the SSL. Providers will give what is known as a .CRT file and a string key. This information must then be sent to the Web host or installed manually. In the case of cPanel, head back to the SSL/TLS Manager and click on the "Generate, view, upload or delete SSL certificates" option. You will be able to upload the .CRT file or paste the actual certificate key in the available text box. Once that is done, everything is ready for the most crucial part - redirecting HTTP to HTTPS.
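For servers where you have a shell rather than a control panel, the CSR steps above can be done with OpenSSL. This is an added example, not part of the original article; the example.test domain, the subject values and the self-signed stand-in for the CA's .CRT file are assumptions. It also checks that a returned certificate belongs to your private key before you install it.

```shell
#!/bin/sh
# Added example: subject values and the example.test domain are placeholders.
set -eu

make_csr() (    # $1 = output dir, $2 = domain (common name)
    umask 077   # the private key stays on the server, owner-readable only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/L=Springfield/O=Example Corp/CN=$2" 2>/dev/null
)

csr_subject() { # the details the CA will read from the request
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

pubkey_of() {   # $1 = csr | crt | key, $2 = file; prints the public key (PEM)
    case "$1" in
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        key) openssl pkey -in "$2" -pubout ;;
    esac
}

same_key() (    # true only if both files carry the same public key
    a=$(pubkey_of "$1" "$2" 2>/dev/null) || exit 1
    b=$(pubkey_of "$3" "$4" 2>/dev/null) || exit 1
    [ -n "$a" ] && [ "$a" = "$b" ]
)

stand_in_issue() {  # self-signs the CSR: a stand-in for the CA's .crt file
    openssl x509 -req -in "$1" -signkey "$2" -days 1 -out "$3" >/dev/null 2>&1
}

work=$(mktemp -d)
make_csr "$work" example.test            # only the .csr is sent to the CA
csr_subject "$work/example.test.csr"
stand_in_issue "$work/example.test.csr" "$work/example.test.key" \
    "$work/example.test.crt"
if same_key crt "$work/example.test.crt" key "$work/example.test.key"; then
    echo "certificate matches the private key: safe to install"
fi
rm -rf "$work"
```

A mismatch from `same_key` usually means the certificate was issued for a CSR generated on another server or from an older key.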

One reason more websites aren't using the HTTPS protocol is likely fear of what such a major change will do to their search rankings, since search engines have warned repeatedly about the dangers of content duplication between protocols. Fortunately, making the actual switch is not nearly as challenging as it once was. Those running on Apache can simply modify their .htaccess file, while those on IIS/Windows servers can use the <httpRedirect> element in their configuration.
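To avoid the duplication problem, each HTTP URL should answer with a permanent redirect to the same path on HTTPS. The check below is an added example, not from the original article; the response headers are constructed samples and the .htaccess rule in the comment is a common mod_rewrite form given as an assumption.

```shell
#!/bin/sh
# Added example. A common Apache .htaccess rule (mod_rewrite enabled) that
# produces the redirect this check expects:
#   RewriteEngine On
#   RewriteCond %{HTTPS} off
#   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
set -eu

check_redirect() {  # $1 = http:// URL requested; stdin = response headers
    awk -v want="https://${1#http://}" '
        { sub(/\r$/, "") }                       # headers end in CRLF
        NR == 1                    { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            if (status !~ /^30[18]$/) {
                print "FAIL: status " status " is not a permanent redirect"
                exit 1
            }
            if (loc != want) {
                print "FAIL: Location " loc " is not " want
                exit 1
            }
            print "OK: " status " -> " loc
        }'
}

# Constructed responses, in the shape `curl -sI http://...` prints them
good='HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/products?id=7\r\n\r\n'
temp='HTTP/1.1 302 Found\r\nLocation: https://example.test/products?id=7\r\n\r\n'
home='HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n'

for sample in "$good" "$temp" "$home"; do
    printf '%b' "$sample" | check_redirect 'http://example.test/products?id=7' || true
done
```

The second sample fails because a 302 is temporary, and the third because the redirect drops the path and sends every page to the home page.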

Monitor Transition Carefully

Count on a few things breaking during the switch from HTTP to HTTPS. One of the most common mistakes is using the wrong protocol with URLs, linking to the HTTP version instead of the HTTPS option. That results, as you might imagine, in some pretty terrifying error messages and browser warnings about loading unsecured resources. 
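The warnings come from resources the page loads over HTTP (scripts, images, stylesheets, frames), not from ordinary links to HTTP pages. The scan below is an added example, not from the original article; the HTML is constructed sample input and the function name is hypothetical.

```shell
#!/bin/sh
# Added example; the page written by write_sample is constructed input.
set -eu

write_sample() {    # $1 = path to write the sample HTML to
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<a href="http://example.test/about">About</a>
<img alt="logo" src='http://example.test/logo.png'>
<img src="/images/banner.png">
</body></html>
EOF
}

find_http_resources() {  # $1 = HTML file; prints line:url per insecure load
    q="[\"']"            # attribute values may use either quote style
    tags='script|img|iframe|link|source|embed|audio|video'
    # Match only tags that fetch something; <a href> is a link, not a load.
    grep -n -i -o -E \
        "<($tags)[^>]*[[:space:]](src|href)=${q}http://[^\"' >]+" "$1" \
        | sed -E "s/^([0-9]+):.*=${q}/\1:/"
}

page=$(mktemp)
write_sample "$page"
find_http_resources "$page"
rm -f "$page"
```

It reads one line at a time, so tags split across lines, `url()` references in CSS and URLs built in JavaScript still need a check in the browser console.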

Using SSL isn't terribly expensive for most digital enterprises. While the benefits are well documented (search rankings and a more secure user experience) there is a risk if an SSL certificate is set up hastily. Check with your IT and development teams as well as hosting providers to ensure a smooth transition.


5 comments

KevinB 02-18-2016 3:59 PM

Peter,

Although a secure web protocol has its place, it is not a good choice for everyone. Sites that benefit from SSL encryption are public e-commerce sites or private content served to a limited audience (such as government, law enforcement etc.) Most web sites are public informational sites with none of the requirements I just mentioned. Encryption security comes at a very high price because content must be transmitted encoded in a bi-directional manner for EVERY page or request. That adds up. Visitors on a site like this will wait sometimes much longer for their content to load. Why is this necessary for every web site? - It's not. It is overhead that has very limited benefit to the user experience. Most web sites if they are attacked can survive nicely with a routine backup plan and re-installation of lost files. Regular password changes also ensure the web site will not be unusable or off line if hijacked or otherwise attacked by some nefarious 3rd party. In summary, not everyone needs the overhead and expense of SSL on their web site!

MichaelG 02-18-2016 8:20 PM

Google wants the ENTIRE WEB to use SSL

googlewebmastercentral.blogspot.com.au/.../https-as-ranking-signal.html

What Google wants, Google gets. End of story :)

John MacDonald 02-19-2016 3:10 AM

Long overdue post and right on the money - mostly. To be honest, with over 50 websites, paying for 50 SSL certificates gets costly, so I am testing a free method that took me no more than 15 minutes to set up, and for WordPress users there are a couple of plugins that can be used. My main reason for doing this was the added SEO benefit, as I am not running any e-commerce websites and so don't need the extra security - when Google speaks (or whispers) it's always good to listen if you benefit from good organic listings.

Nrekha 02-23-2016 5:46 AM

this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page.

al3ab4kids 02-23-2016 1:53 PM

I have an e-commerce website and I want to add an SSL certification to secure the information, but I can't activate it in my server.
