What Is HTTPS
From a purely technical point of view, HTTPS is a protocol for secure communication across a computer network: it is HTTP carried inside a TLS-encrypted connection (or an SSL-encrypted one, although SSL is considered vulnerable and is being phased out). From the user’s point of view, HTTPS is what ensures the integrity and confidentiality of the data exchanged between their computer and the site. Communication is encrypted using a certificate that the server sends to the client; the client examines this certificate to determine that the server is who it claims to be. There are three types of certificates:
Domain Validated (DV)
This is the simplest type of certificate, and we will see later that it is possible to obtain one for free. From a cryptographic point of view, it is equivalent to the other two. The difference is that a DV certificate does not contain any information about the owner of the website, but only its name, the so-called Common Name (CN), or names, in the case of a certificate with Subject Alternative Names (SAN).
Organization Validated (OV)
An OV certificate lets the client obtain additional information about the owner of the website, in particular the country, the state/province, the city, and the name of the company. To issue an OV certificate, the Certification Authority (CA) must, in addition to verifying that the applicant owns the domain, also check that the applicant’s legal entity actually exists.
Extended Validation (EV)
This is the certificate containing the most information, and it is also the most expensive and complex to obtain: the CA must carry out a series of in-depth checks on the applicant. The Guidelines for Extended Validation define the criteria for issuing EV certificates and are currently (as of January 1, 2017) at version 1.4.2.
The guidelines are produced by the CA/Browser Forum, an organization of the major CAs, the companies that develop browsers, and representatives of the legal and auditing professions. EV certificates are also known as “green bar” certificates, since browsers have adopted the convention of showing the name of the entity associated with the certificate next to the address bar in green.
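To make the difference between a DV and an OV subject concrete, here is an added example (not code from the article or from any CA) that creates two throwaway self-signed certificates with openssl, one carrying only a Common Name plus a Subject Alternative Name extension, the other carrying country, state, city and organisation as well, and then reads back the fields a client would look at. The domain names, the subject values and the scratch directory are constructed for the example; self-signed certificates are used only so that it runs offline, since real DV/OV certificates are signed by a CA, not by themselves.

```shell
#!/bin/sh
# Added example, not from the article: two self-signed test certificates,
# one with a DV-style subject and one with an OV-style subject, and helpers
# that read the subject and the SAN extension back out of them.
set -eu

WORK="${TMPDIR:-/tmp}/cert-types-demo"   # scratch directory (constructed)
mkdir -p "$WORK"

# make_cert NAME SUBJECT: issue a 1-day self-signed certificate for
# example.com and www.example.com with the given subject string.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# subject_fields CERT: the subject in RFC 2253 form, e.g. "CN=example.com"
# or "CN=example.com,O=Example S.p.A.,L=Milano,ST=Lombardia,C=IT".
subject_fields() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# san_names CERT: one DNS name per line from the Subject Alternative Name
# extension; these, rather than the CN, are what modern clients match the
# requested hostname against.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# validation_type CERT: "DV" when the subject carries nothing but the CN,
# "OV" when it also names an organisation (O=). This is a heuristic for the
# purpose of the example: a CA additionally encodes the validation level in
# certificate policy OIDs, which is what browsers actually check.
validation_type() {
    case "$(subject_fields "$1")" in
        O=*|*,O=*) echo OV ;;
        *)         echo DV ;;
    esac
}

make_cert dv "/CN=example.com"
make_cert ov "/C=IT/ST=Lombardia/L=Milano/O=Example S.p.A./CN=example.com"

for name in dv ov; do
    printf '%s: %s  subject=%s  SAN=%s\n' "$name" \
        "$(validation_type "$WORK/$name.pem")" \
        "$(subject_fields "$WORK/$name.pem")" \
        "$(san_names "$WORK/$name.pem" | tr '\n' ' ')"
done
```

Note that the encryption strength is identical for both files: the only thing the OV subject adds is identity information about the owner, which is exactly the point the article makes about the three certificate types.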
Foot On The Accelerator
About two years ago, the vendors of the main browsers started down a path that should gradually lead the billions of sites on the web to adopt HTTPS on every page, beginning with pages containing forms into which users enter their data (for example, login and credit card payment forms).
In recent weeks this path reached its first important milestone with the release of the latest versions of Google Chrome and Firefox, which have begun to flag pages containing forms that are not served over HTTPS as not secure. At the same time, search engines have long stated that they give HTTPS-protected pages preferential treatment.
How To Keep Up
It therefore seems clear that, in order not to risk being penalized (by search engines, but above all by your users), this is the right time to equip your site with an HTTPS certificate. The first question to ask is what type of certificate you need. There is a debate about how much added value the more expensive OV and EV certificates provide compared to the simpler DV ones. Some usability studies conducted in recent years show that users without specific training in browsing safely do not notice the validation indicator next to the address bar, which effectively nullifies the advantage in terms of user trust.
Admittedly, these studies were based on user tests conducted with IE7, the most popular browser at the time, and browser UIs have (thankfully!) evolved considerably since then. If you still opt for an EV certificate, you can buy one from one of the many CAs on the market, such as Symantec and Comodo (to name the best known); it is advisable to have all the documentation about your organization ready. If, on the other hand, you realize that a DV certificate is sufficient to protect traffic to your site, then, as anticipated at the beginning, there are now solutions within everyone’s reach for obtaining a valid SSL certificate recognized by the vast majority of browsers.
Let’s Encrypt
Let’s Encrypt is a CA that provides free Domain Validated TLS certificates together with a fully automated mechanism for issuing and renewing them. The project is run by a non-profit organization, the Internet Security Research Group (ISRG), sponsored by numerous companies including Mozilla, Google, and Facebook, and it is also a Linux Foundation project. The declared goal of the project is to provide free certificates in the most user-friendly way possible, in order to spread the use of HTTPS and thus contribute to a safer and more privacy-friendly Web. Certificates are issued and renewed through the ACME protocol, in particular using the official open-source client, certbot.
Furthermore, Let’s Encrypt has been integrated into numerous hosting management platforms such as Plesk, cPanel, and WordPress.com, making the request and installation of a certificate accessible to anyone. The certificates issued by Let’s Encrypt have a short lifetime (3 months), but the possibility of completely automating the renewal process makes this limitation manageable.
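Because a 3-month certificate only works if renewal is actually automated, the thing worth monitoring is how many days a served certificate has left. The following added example (not code from the article, Let’s Encrypt or certbot) shows a small expiry check built on openssl’s -checkend option; the 30-day threshold mirrors certbot’s default renewal window, the cron line in the comment is the usual way to schedule certbot, and the test certificates are generated locally with constructed lifetimes so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the article: an expiry monitor for short-lived
# certificates. Renewal itself is normally left to certbot, e.g. once a day
# from cron (certbot only renews certificates that are close to expiry):
#   0 3 * * * certbot renew --quiet
# The check below catches the case where that automation has silently
# stopped working before the certificate actually lapses.
set -eu

WORK="${TMPDIR:-/tmp}/cert-expiry-demo"   # scratch directory (constructed)
mkdir -p "$WORK"

# make_cert NAME DAYS: self-signed test certificate valid for DAYS days.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.com" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# needs_renewal CERT DAYS: succeeds (exit 0) when the certificate expires
# within DAYS days. `openssl x509 -checkend N` exits 0 only while the
# certificate is still valid N seconds from now, so the result is inverted.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# renewal_status CERT: "expired", "renew-soon" (30 days or less left, the
# window in which certbot would already be renewing) or "ok".
renewal_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired
    elif needs_renewal "$1" 30; then
        echo renew-soon
    else
        echo ok
    fi
}

# Constructed inputs: a freshly issued 90-day-style certificate with 60
# days left and one with only 10 days left.
make_cert fresh 60
make_cert aging 10

for name in fresh aging; do
    printf '%s: %s (%s)\n' "$name" "$(renewal_status "$WORK/$name.pem")" \
        "$(openssl x509 -in "$WORK/$name.pem" -noout -enddate)"
done
```

In production the certificate path would be the one served by the web server (for certbot that is the fullchain.pem under /etc/letsencrypt/live/), and a "renew-soon" or "expired" result is the signal that the automatic renewal needs attention.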
AWS Certificate Manager
If you use AWS, and in particular the Elastic Load Balancer service, you can use the Certificate Manager (ACM) service to request 20 free DV-type certificates issued by Amazon Trust Services, Amazon’s own CA. At the time of writing, it is not possible to attach a certificate obtained through ACM directly to an EC2 instance, only to an ELB; this can be done from the ELB configuration or via Elastic Beanstalk. The certificates issued by ACM are also SAN-type, and they support wildcards (*.example.com). The certificates are valid for one year.
There seem to be no more excuses: it is time to move to HTTPS en masse. Users are starting to expect it, and browsers will do nothing but feed this expectation. For a site that starts its activity today, it is certainly worth considering going completely HTTPS from day zero. For sites that are already active and indexed, the migration requires some attention to the SEO aspect: make sure that the URLs already indexed under HTTP are correctly redirected to HTTPS.
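As an added illustration of that last point (an example configuration written for this page, not taken from the article), here is an nginx setup in which every plain-HTTP request receives a permanent redirect to the same URL under HTTPS, so that links already indexed as http:// keep resolving and pass on to the https:// version. The hostname and document root are placeholders; the certificate paths follow the layout certbot uses for Let’s Encrypt certificates.

```nginx
# Added example, not from the article: HTTP-to-HTTPS migration in nginx.
# example.com and /var/www/example.com are placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # 301 (permanent) is the status search engines treat as "moved for good";
    # $host and $request_uri preserve the hostname, path and query string,
    # so each indexed HTTP URL maps to exactly one HTTPS URL.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Certificate and key as laid out by certbot for a Let's Encrypt
    # certificate (fullchain.pem includes the intermediate CA certificate).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/example.com;
}
```

Serving the HTTPS version directly, with the HTTP server doing nothing but redirecting, avoids the mixed situation in which the same page is reachable and indexed under both schemes.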