Ultimate Guide to SSL for the Newbie
- Introduction to Hacking
- History of Cryptography
- Why Privacy Matters
- Supercookies in the Wild
- Ultimate Guide to SSL for the Newbie
- How Internet Security and SSL Works
- Man in the Middle Hacking and Transport Layer Protection
- Cookie Security and Session Hijacking
- What is Cross Site Scripting? (XSS)
- What is Internal Implementation Disclosure?
- Parameter Tampering and How to Protect Against It
- What are SQL Injection Attacks?
- Protection Against Cross Site Attacks
Privacy issues have forced many bloggers, businesses, and even search engines to encrypt all communication over the Internet. Newbie site owners might be overwhelmed with the amount of technical information needed to understand what SSL is, so I put together this SSL for Newbies guide.
UPDATED: 10/10/2014 - SSL is now slowly becoming a requirement for websites, and Google have announced that SSL is now, unfortunately, an SEO ranking factor
What is SSL / Secure Certificate?
Secure Socket Layers (SSL) provide security for your website by encrypting communications between the server and the person visiting the website. This helps prevent eavesdroppers listening in on your communication. In order to use SSL, you need to have an SSL certificate (also known as a Secure Certificate) installed on your server and dedicated IP address.
There are various levels of encryption, the higher the number the more secure it is. The levels are called key lengths and are analogous with passwords. A 128-bit key is analogous with a 128 letter password. There are also 256-bit, 512-bit, 1024-bit and 2048-bit certificates on offer. The number of possible key combinations for a 256-bit key is 2255 (lots) and would take the current world's fastest supercomputer (Tianhe-2 at the time of writing) 5.452 years to crack. That's a lot longer that the age of the universe (1.3812 years).
You can usually tell if a site is secure and running with an SSL certificate or not because there will be a padlock icon, or a green highlight on, or near the address bar in your browser. Clicking on this padlock will usually give you information about who issued the certificate and who it was issued to.
What is it used for?
The primary purpose of SSL is to encrypt the information transmitted between the website visitor and the server. It should be understood that SSL does not verify or guarantee the identity of the remote server, only that the data transmitted between the two is encrypted and relatively secure from eavesdropping. The higher the key length the more secure it is.
Do I need one?
✔If you are accepting credit card payments online via a merchant account, the credit card associations and networks require that you use SSL whenever you transmit credit card information, such as the card number, cardholder's name, expiration date, CVV code, etc. Without SSL these companies will not allow you to process transactions. If you are using a payment processor such as PayPal, Google Checkout or Amazon Payments, you do not need an SSL certificate, since you are not transmitting or storing credit card information.
✔SSL should also be used when transmitting personal information, such as names, addresses, account details, passwords. So login forms, account settings, user management forms should also use SSL.
✔Non-transnational websites, listings sites, sites with no user information and personal blogs do not currently require SSL. HOWEVER there is a movement to phase out non-secure communications entirely, forcing the entire web to become encrypted. This movement is supported by the likes of Google and Mozilla so there is a high chance of this happening.
Should this transpire, it is conceivable that every website will be required to use SSL in order for a web browser to show the site without warnings. SSL may also become an important SEO ranking factors (Update: It has now become an important factor).
You have already noticed that when clicking through to a login page, that page takes a little longer to load than the rest of the site. Adding secure certificate and SSL to your website is adding an extra layer of security, but it is also an extra layer which needs to be processed at all levels. Initially, the client and the server will need to establish a "handshake" to identify each other. The browser then needs to be able to decrypt and display the encrypted content, the server needs to encrypt and decrypt as well. These all have performance ramifications.
What are the types of SSL
There are several different flavours of SSL certificates, each varying in cost, support and features.
- Self Signed Certificates - The least secure, and should not be used in production environments. You can generate your own SSL certificate to use for developing and testing. Most Internet Browsers will give warnings about self-signed certificates.
- Shared Certificates - Often installed on shared servers, you share a certificate with other users on the same server. Less secure.
- Domain Validated Certificates - Secure for websites, this certificate is tied to your domain name and can only be used on that one domain.
- Company Validated Certificates - Similar to domain validation, except that the issuing authority verifies the company requesting the SSL.
- Extended Validation Certificates - EV certificates provide secure connections, verify the business' identity, and help to prevent fraud through a thorough set of checks and validations. EV is the most secure, and also the most expensive.
- Wildcard Certificates - A Wildcard SSL Certificate enables SSL encryption on unlimited subdomains using a single certificate.
- Multi-Domain Certificates - Multi-domain certificates make it possible to secure up to 210 domains with a single certificate.
How Do I Obtain an SSL Certificate?
SSL certificates can usually be supplied through your hosting provider, or you can purchase directly from an issuing authority such as Comodo or Verisign. There may be additional installation costs if you need your host to install the certificate for you.
Now that you've read this SSL for Newbies guide, I hope you know understand the importance and benefits of a secure connection. Whether you are the owner or a website, a marketer, or a developer, I wouldn't go rushing out to buy certificates if it is not essential for your site. I'll be waiting to see how the phasing out of HTTP and non-secure sites goes if anything happens at all, and is the cost of an SSL certificate on a personal blog worth the expense? Will companies start offering low-cost certificates?
What are your views on the speculation that SSL will be a requirement for all websites, and what will companies and individuals who cannot afford SSL certificates do?