Guide to Moving On Up with SSL

There are numerous reasons for websites to start using HTTPS over HTTP.

 

Not only does using HTTPS improve and increase security for consumers during the course of their digital experience, but the presence of a secure connection is also considered by Google as a ranking signal (although there doesn't seem to be much evidence of this yet). Let's take a look at HTTPS and how it differs from HTTP.

 

HTTP vs HTTPS

HTTP (Hypertext Transfer Protocol) is the foundation for communicating over the Web - a distributed, collaborative, hypermedia information system. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when you enter a URL in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page.

 

HTTP is called a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it. This is the main reason that it is difficult to implement websites that react intelligently to user input. This shortcoming of HTTP is being addressed in a number of new technologies, including ActiveX, Java, JavaScript and cookies.

 

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure.' It means all communications between your browser and the website are encrypted.

 

Now that you know the difference between the two, and see the benefit of moving a website to HTTPS, how do you get started? 

 

Moving On Up With SSL

The first step is to acquire an SSL certificate, a small data file that digitally binds a cryptographic key to an organization's details. Once the certificate is installed and activated on a Web server, the HTTPS protocol allows for secure connections between that Web server and a browser.

 

There are numerous providers of SSL certificates and a quick search on Google or Bing will bring up current offers and pricing from the likes of well-known brands including GoDaddy, Network Solutions, DigiCert, RapidSSL and others.

 

It is very important, however, to select the right SSL certificate, because they are most definitely not all created equal. In general, there are three different types of SSL certificate an enterprise can consider:

 

Extended Validation (EV) SSL Certificates: where the Certificate Authority (CA) checks the right of the applicant to use a specific domain name PLUS it conducts a thorough and detailed vetting of the organization. The issuance process of EV SSL Certificates is strictly defined in the EV Guidelines, formally ratified by the CA/Browser Forum in 2007, which specify all the steps a CA must complete before issuing a certificate.

 

Organization Validation (OV) SSL Certificates: where the CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. Additional vetted company information is displayed to customers when clicking on the Secure Site Seal, giving enhanced visibility of who is behind the site and associated with it - to enhance trust.

 

Domain Validation (DV) SSL Certificates: where the CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.

 

Prices will vary depending on the type of SSL certificate requested, as well as how it will be used. For example, is the certificate intended for a single domain, multiple sub-domains or several domains concurrently? Understanding how the certificate will be used in the future will ensure you choose the right option for your enterprise.

 

Once the right type of SSL certificate is chosen, and you're ready to move forward securing a website, the CA (certificate authority) will need what is called a Certificate Signing Request (CSR).

 

A CSR is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

 

If you're unsure where to get your CSR, check with your current hosting provider or with your IT staff. Those using cPanel can actually generate their own CSR by going to the SSL/TLS Manager and generating a new request.

 

Once the CA (certificate authority) uses the CSR to create the SSL certificate, the next step is to activate the SSL. Providers will give what is known as a .CRT file and a string key. This information must then be sent to the Web host or installed manually. In the case of cPanel, head back to the SSL Manager and click on the "Generate, view, upload or delete SSL certificates" option. You will be able to upload the .CRT file or paste the actual certificate key in the available text box. Once that is done, everything is ready for the most crucial part - redirecting HTTP to HTTPS.

 

One of the reasons more websites aren't using the HTTPS protocol is likely the fear of what such a major change will do to their search rankings, since search engines have warned repeatedly about the dangers associated with content duplication between protocols. Fortunately, making the actual switch is not nearly as challenging as it once was. Those running on Apache can simply modify their .htaccess file, while those on IIS/Windows servers can use the <httpRedirect> element in their configuration.

 

Monitor Transition Carefully

Count on a few things breaking during the switch from HTTP to HTTPS. One of the most common mistakes is using the wrong protocol in URLs, linking to the HTTP version of a resource instead of the HTTPS version. That results, as you might imagine, in some pretty terrifying error messages and browser warnings about loading unsecured resources.
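
One way to find these leftover HTTP references before visitors see the warnings, as an added example that is not part of the original article: a small scanner that reports every subresource a page would still load over plain HTTP. The function and class names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource.
FETCH_ATTRS = {
    "script": ["src"], "iframe": ["src"], "embed": ["src"], "object": ["data"],
    "link": ["href"], "img": ["src", "srcset"], "source": ["src", "srcset"],
    "audio": ["src"], "video": ["src", "poster"],
}
# Active content can rewrite the page; passive content (images, media) cannot.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

# Constructed sample page, as if served from https://www.example.com/
SAMPLE_PAGE = """\
<html><head><link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="http://www.example.com/site.css">
<script src="//cdn.example.com/app.js"></script></head><body>
<img src="https://www.example.com/logo.png"
     srcset="http://www.example.com/logo-2x.png 2x">
<script src="http://stats.example.com/t.js"></script></body></html>
"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Of <link> tags, only stylesheets are checked; rel="canonical" is not a fetch.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in FETCH_ATTRS.get(tag, []):
            value = attrs.get(name) or ""
            # srcset is "url descriptor, url descriptor"; other attributes hold one URL.
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                if url.lower().startswith("http://"):
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url} over HTTP ({kind} mixed content)")
```

Protocol-relative URLs such as `//cdn.example.com/app.js` inherit the page's scheme and are not reported, and neither is the canonical link, which is not a fetched resource.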

 

Using SSL isn't terribly expensive for most digital enterprises. While the benefits are well documented (search rankings and a more secure user experience) there is a risk if an SSL certificate is set up hastily. Check with your IT and development teams as well as hosting providers to ensure a smooth transition.