Should sites deploy SSL? SSL in detail · Reading time: 7 min
Short answer: yes. Without SSL, the chances of people visiting your site are slim. So, what does SSL give you? What is it? How does it work? How will visitors to my site know that I have it? Do I really need it? What are the options? I hope that after reading this post you will have answers to all these questions and more. Let's start from scratch...
The content of the article:
- What is SSL?
- How does it work?
- How to apply for one on your site?
- How will visitors know it's on my site?
- Do I need SSL?
- How to choose the right SSL?
What is SSL?
In recent years, SSL has become a requirement for websites and online businesses. SSL stands for Secure Sockets Layer and is used to secure the information that users enter on your website. In particular, SSL protects your customers from malicious hackers looking to steal sensitive data and use it to their advantage. Plus, it verifies website ownership so customers can be sure that your website is legitimate. When visitors sign up on your site or enter their credit card details to make a purchase, having an SSL certificate ensures that their details are safe and your website is protected.
How does it work?
Simply put, SSL encrypts information as it travels between the browser and the web server. In the so-called SSL handshake, encryption keys (a public and a private key) are used to encrypt and decrypt data as it is transmitted over the network.
For example, take your credit card number: with SSL, instead of "1111 1111 1111 1111", only a random-looking combination of letters, symbols and digits travels over the network, such as "t3dW$s5R+n1AxV4j".
The public key is used to produce this encrypted value, and it can only be decrypted with the private key stored on the site's server. Once it reaches the server, the number is decrypted so that the order can be processed.
Basic functions of the certificate
Once the SSL certificate is deployed, the server ensures that sensitive information the user enters in the browser, and sensitive information the browser requests from the server, travels over the channel between the user's computer and the server under strong encryption, so it is very unlikely to be tampered with or stolen. At the same time, the real identity of the server is confirmed to website visitors, and that identity has been verified by a third-party authority. In other words, there are two main functions: data encryption and identity authentication.
Website authentication: for online shopping and other transactions, users need to log into the genuine website, but because the Internet is so broad and open there are many fake and phishing sites. How can users judge whether a site is authentic and decide whether to trust it? A site with a trusted certificate lets them authenticate it: all they need to do is click the padlock symbol in the browser's address bar.
Confidentiality of data transmitted over an encrypted channel
Guaranteeing confidential transmission: when users enter a website to shop online or carry out other transactions, information has to be sent to the server repeatedly, and much of it is private, confidential user data with direct financial consequences. How is this information kept secure? A trusted website establishes a secure, encrypted channel for transmitting it.
40-bit and 128-bit encryption
When an SSL session is set up, the server sends its certificate, and the client browser automatically parses the server certificate and generates a 40-bit or 128-bit session key, depending on the browser version, which is used to encrypt the transaction data. The whole process runs automatically and transparently to the user. Server certificates are therefore divided into two types, 40-bit and 128-bit (meaning the length of the encryption key generated for the SSL session; the longer the key, the harder it is to crack).
A minimum 40-bit server certificate can generate a 40-bit or 128-bit SSL session key when the session is established, depending on the browser version, to set up a secure channel between the user's browser and the server. A minimum 128-bit server certificate is not limited by the browser version and can generate a session key longer than 128 bits for a high level of encryption strength. Whether the browser is IE or Netscape, even a brute-force attack on the encryption would take 10 years.
How the certificate is used in a connection
- The user connects to your website, which is secured with a server certificate. (You can tell because the URL starts with "https:", or the browser shows the corresponding indicator.)
- Your server responds and automatically sends your website's digital certificate to the user to authenticate your website.
- The user's web browser generates a unique "session key" to encrypt all communication with the website.
- The user's browser encrypts the session key with the website's public key so that only your website can read the session key.
A secure communication channel is now established. The process takes only a few seconds and requires no action from the user. Depending on the browser, the user may see the key icon become whole or the lock icon become locked, indicating that this phase of the session is secure.
How to apply for one on your site?
To apply for an SSL certificate, you go through the following three steps:
- Create a CSR file:
A CSR is a Certificate Signing Request file, created by the applicant. At the same time, the system generates two keys: the public key, which is embedded in the CSR file, and the private key, which is stored on the server. To generate the CSR, the applicant can refer to the web server's documentation: Apache and similar servers use the OpenSSL command line to generate the KEY and CSR files; Tomcat, JBoss, Resin and other Java servers use keytool to generate a JKS keystore and the CSR file; IIS creates the CSR through the wizard's pending certificate request.
- CA certification:
Submit the CSR to the CA. The CA usually offers two authentication methods:
1. Domain name authentication, usually via the administrator's mailbox; this method is fast, but the issued certificate does not contain the company name;
2. Organization authentication, which requires the company's business license to certify the enterprise documents; it usually takes 3-5 business days. Some certificates require both methods at the same time; these are called EV certificates. This certificate turns the address bar green in IE7 and later browsers, so its authentication is also the strongest.
- Certificate installation:
After receiving the certificate from the CA, you can deploy it to the server. Generally, for Apache you copy the KEY and CER files to the server directly and then edit httpd.conf; for Tomcat and similar servers you import the CA-issued CER certificate into the JKS file, copy it to the server and then edit server.xml; for IIS you complete the pending request and import the .cer file.
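The CSR step above, as an added example that is not code from the original post: it generates the private key and CSR with the OpenSSL command line, then runs the checks worth doing before the CSR goes to the CA. The hostname shop.example.test and the subject fields are constructed placeholders; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original post): key + CSR generation with openssl,
# followed by the pre-submission checks. Hostname and subject are placeholders.
set -eu

# make_csr DIR HOST: writes DIR/HOST.key (stays on the server) and DIR/HOST.csr
make_csr() {
    dir="$1"; host="$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$host.key" 2>/dev/null
    chmod 600 "$dir/$host.key"            # the private key must never leave the server
    # The CSR carries only the public key plus the subject; the CA signs it into a certificate.
    # The SAN extension is what current browsers match against the hostname, not just the CN.
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=XX/O=Example Shop Ltd/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:www.$host"
}

# check_csr DIR HOST: returns 0 only if the CSR is intact, matches the key and names HOST
check_csr() {
    dir="$1"; host="$2"
    # 1. The CSR is self-signed with the private key; a bad signature means it was corrupted.
    openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1 || return 1
    # 2. The public key inside the CSR must match the private key kept on the server,
    #    otherwise the certificate the CA issues can never be used with that key.
    csr_pub=$(openssl req -in "$dir/$host.csr" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout | openssl md5)
    [ "$csr_pub" = "$key_pub" ] || return 1
    # 3. The CN must be the hostname visitors will use; the CA issues exactly what is requested.
    openssl req -in "$dir/$host.csr" -noout -subject | grep -q "CN *= *$host" || return 1
}

workdir=$(mktemp -d)
make_csr "$workdir" shop.example.test
check_csr "$workdir" shop.example.test && echo "CSR ready to submit: $workdir/shop.example.test.csr"
```

The mismatch check matters most after a server migration, where the CSR was generated on one machine and the certificate is installed on another with a different key.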
How will visitors know it's on my site?
There are several visual indicators that let customers know they are visiting a secure website. For example, take a look at the URL of this blog.
See that little padlock icon? It is the sign of a secure connection. Also, see how the website address starts with "https://"? The letter "s" after "http" means that the site is secured with an SSL certificate. If you click the padlock icon, you can find more detailed information about the certificate being used.
Do I need SSL?
Since 2014, Google has taken SSL so seriously that it ranks sites that use HTTPS higher than those that don't. More recently, in 2018, the Google Chrome browser began marking HTTP sites as "Not secure". Thus, SSL has basically become a requirement for online businesses, especially if you accept online payments. In fact, it is one of the Payment Card Industry (PCI) compliance requirements, which require merchants to use current technology to establish a secure connection.
How to choose the right SSL?
Three common types of SSL certificate are currently available: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). The main difference between them is the amount of work required to validate your business. For example, with a Domain Validated certificate, you only need to prove to the CA that you own the domain name. (A certification authority, or CA, is simply a trusted entity that issues digital certificates.)
Having SSL encryption is an important part of gaining the trust of your website visitors.