Internet privacy is serious business, so it’s important to pay attention to the security of our websites. SSL can help with that.
Generally, when we browse on the internet, reading our favorite blogs *ahem, the Jexan Blog*, watching videos, etc., we don’t take note of the transfer protocol that these sites are using because we just want them to load correctly and quickly.
If you are curious, even if you are not an IT nerd, you may have noticed that big websites like Google (and all its sites/services), eBay, Facebook, Amazon, PayPal, among others, have URLs that contain something a little special:
A green lock, and a URL whose protocol reads HTTPS: HTTP with an “s” added on the end. But what does it mean? How does it work? How can I get it? Why do big sites use it? Why doesn’t my site have that beautiful green part of the URL? Let’s see.
What does HTTPS mean?
HTTPS stands for Hypertext Transfer Protocol Secure; in other words, it is the secure version of HTTP. This protocol encrypts the hypertext data transferred between the client and the server (in both directions).
But to enable the HTTPS protocol successfully for our site, we need an SSL certificate. So before we explain what the HTTPS protocol does for us, let’s talk about SSL.
What is SSL?
SSL stands for Secure Sockets Layer, a cryptographic protocol that provides communications security over a computer network. There are a lot of technical details involved, but for now, let’s keep it simple.
The digital SSL certificate is used to certify that the named subject of the certificate (usually the domain name, when we intend to use it on a website) owns a particular public key. This way, you are reassuring your visitors that the site’s connections are encrypted (and therefore private), based on assertions made with the private key that corresponds to the certified public key. In other words, your connection to the server is encrypted with those keys, and the SSL certificate vouches for it.
Now that we know what SSL is and why it’s necessary to enable HTTPS, let’s get back to HTTPS.
How does it work?
I always like to explain using examples, so let’s see some scenarios:
Scenario #1: Without HTTPS
Let’s imagine two people talking; one of them (let’s name him Chrysostomus) will play the role of the user/visitor/client/customer and the other one (Cortana) will play the role of the server. They are located a considerable distance apart, so they need to shout whatever they want to say so that the other can hear:
Chrysostomus: Hey! I want to do a transaction.
Cortana: Sure! Please, give your information to start the transaction.
Chrysostomus: Ok! My name is Joannes Chrysostomus Wolfgangus Theophilus Mozart, my address is 116 Hilltop Dr. Beckley, WV 25801 and my credit card number is 0001 2565 5555 8787
Cortana: Received. Your transaction code is NOTASECRET, don’t share it with anyone.
Now imagine that a third person passes by and listens to everything. This is the one we call the man-in-the-middle, MitM or JANUS. He will be able to understand everything and use all the information he overheard if he chooses to. Because everyone speaks the same language, he can decipher the message in no time.
Scenario #2: With HTTPS
The same guys talking, the same transaction, but different protocol:
Cortana: 0dfb8ba756aa887127dc4e37a0548ff3466f1ced0dfb8baKCIezD8DlwAv4dlx8lcBjfCtMdxOIw
Chrysostomus: 812272ee7r39VQXQyANcc0c5172bdfe1bc812272ee691e8341c70e37846cc0c5172bdfe1bc812
Cortana: 1fe668b028d6e4532da7e9566da1e383lk69Rp6B/wBArFdy8lfY0scjaCGhISzWvLydQkIDBk
This is just an illustration; real ciphers work quite differently.
Here, the man-in-the-middle won’t understand anything. Depending on how the message is encrypted, it can take up to centuries to decrypt.
However, Chrysostomus and Cortana understand everything perfectly, because they’re speaking in a language that only they can understand. So, if an eavesdropper appears, what they hear will be useless to them, because it is encrypted and protected. By the time it is deciphered, it will be too late and the decoded information will be worthless.
Who uses it?
Generally: banks, online stores / e-commerce, and any site that holds users’ personal information. That’s why big companies use it: if a nefarious person got access to users’ information, it would be chaos.
The use of this protocol is not limited only to large companies. In my opinion, we all should use private connections no matter what kind of services we provide.
Who does not use it?
There’s no rule that says mere mortals and small players cannot use a certificate. However, there are those who don’t use it, for various reasons, and we can point out the most common ones:
- Unaware of the existence of SSL.
- Lack of interest in investing money in security (bad excuse).
- They don’t know how to install and configure SSL certificates, either due to lack of knowledge or because they’re using a hosting service that isn’t set up for it.
Why should I use it?
If everything I already explained doesn’t make you want to use it, let’s discuss some advantages:
- Search engines give sites using SSL a little more priority over those that don’t.
- Your visitors will trust your site, dude! Private connections! Come on! How can you not love that?
- Everything (slowly but surely) is moving towards SSL, even WordPress.
- Isn’t that green lock on your URL beautiful?
- Do you need more reasons?
Hopefully, after reading this post, you understand HTTPS a little better, and you’re convinced switching to SSL is a good move for your website. As a developer, I’m working toward making the Internet a safer, more private, and secure place.