How does SSL/TLS work and why you need it for your domain name?
7 minutes reading
Hearing the term SSL definitely rings a bell, especially to people who have some experience online with either website hosting or any other service that transmits data over the internet. What is it? How does it work? More importantly, why would someone need it? Well, the answer is – Security. An often underestimated aspect that can cause severe headaches if not implemented accurately or skipped altogether.
SSL stands for Secure Socket Layer and is a security protocol that encrypts and, in that process, secures information between two machines using the internet. This encryption becomes possible because of TLS(Transport Layer Security) handshake, which we will discuss later in this article. Millions of websites use SSL, even more so after the 2018 announcement by Google, which stated that websites using the HTTPS protocol would rank higher than their insecure counterparts. Having an SSL does not necessarily mean that your website will utilize HTTPS, and even if you think that you are safe – you may not be. Another critical matter in this article is the potential dangers that await your website should it lack SSL. Without further ado, let’s dive right into it.
Why do you need an SSL, and how does it help your website?
The benefits of having an SSL certificate are quite a few – the primary being security. The mere fact that you have it will show up in the browsers with a padlock right next to your domain name, giving visitors peace of mind when browsing your pages, registering accounts, and submitting credit card information. If you want to run a successful online business, SSL is one of the first things you need to consider implementing. Another benefit of having an SSL is search engine ranking. Websites working over the insecure HTTP protocol will be deemed harmful to users, and search engines(Google, Bing, Yahoo) will penalize them for that, bringing them down in search results. Last but not least is that an SSL certificate makes your website and business, in general, look a lot more professional. This look assures visitors that you, as an online entrepreneur, take security very seriously and are more likely to register on your website, make purchases, and bring prospects to your service.
Why did the internet need encryption?
When we first conceived the internet, it wasn’t the most secure place in the world. This fact was not a problem since very few people were using it, and the demand for security was not there yet. As time went on, people started doing all sorts of activities on the internet like online banking, online shopping, and pretty much everything that involved money. Suddenly, transmitting credit card information and sensitive details was not the most fantastic idea, especially in the state it was at the time. So the internet engineers sat down and thought – How can we prevent this?
Thus, the idea of an encrypted connection was born, which aims to transform all internet data into an unreadable cipher, which will look like complete gibberish to anyone that is not supposed to see it. This idea did not only make people a lot more confident when browsing, but it got expanded into pretty much everything broadcasted online. They called this concept TLS, and in its initial iteration, it was doing the job right, however, it had various bugs, and smart hackers could exploit it to achieve their goals and intercept your sensitive data.
As it improved with time, it became a staple in online security and a golden standard applied to any form of online communication you can imagine.
A brief overview of how TLS works
Before we get into web encryption and how to achieve it, let’s first get a bit into how TLS works. Now, you are possibly familiar with the term HTTP. You can consider any data transferred over the browser (web data) as an HTTP request. These HTTP requests are TCP packets containing specific information that the browser and server work with to exchange information and practically show you the website in the browser. TLS is a cryptographic protocol that introduces an additional layer to the TCP stack, encrypting the link between TCP and HTTP headers, turning HTTP into HTTPS. That way, all the critical data held within the HTTP header will not be readable for people that are not authorized to look at it.
To use HTTPS, the so-called “TLS Handshake” must occur. These are rules that the client(web browser) and server hosting the accessed website must establish before exchanging the data. As TLS will encrypt the information, a few things have to be verified beforehand:
- Which ciphers(encryption algorithm) will the client and server use? This information is critical, otherwise, the two sides will not understand each other. Typically, many browsers and servers support multiple ciphers, and they need to coincide with at least one so that the connection can work.
- A secret key that both entities (server and client) will exchange and decrypt to ensure that they have the correct public-private key combination.
- Which version of TLS will the client and server use. TLS version is essential as if either the server or client is incompatible in terms of the versions they support, they cannot communicate.
- Authentication using public-key cryptography. When the client connects to the server, he encrypts the data that ONLY the server can decipher using the other piece of the puzzle – the private key.
- It needs to be fast and secured against various exploits that are aimed to bypass the security.
Now that the server and client confirm that above, here is how the actual communication happens:
- The client sends the “hello” message, which contains information such as the TLS version, list of cipher suites supported, and the “client random” – an arbitrary string of characters.
- The server sends back a “hello” response, presenting its SSL certificate, the cipher suite he will use to transport data, and the “server random“, which is analogical to the one mentioned above.
- Once the above entities exchange the “hello” messages, the authentication can start taking place. The client will first verify the SSL certificate that the server sent and ensure that a CA(Certificate Authority) issued it. If the server has a CA-signed certificate, then the client can start interacting with the server.
- The client generates a random byte-sized string encrypted using the public key – the “premaster secret“.
- The “premaster secret” is then forwarded and decrypted by the server. If that is not the case, communication is interrupted.
- Both sides create session keys that derive from the traded “premaster secrets“.
Both sides then exchange “finished” messages that they encrypt with the respective session keys, establishing secure symmetric encryption, thus concluding the TSL handshake.
Now that you understand the concept of TLS, you know how important it is to use this technology. Unfortunately, should you be unfamiliar with how to set this up, you could end up having your website accessed through HTTP and allow hackers to intercept your connection. This will enable them to get a hold of your sensitive details or your visitors’ credit card information. You should read the following lines to familiarize yourself with the process of getting an SSL certificate and configuring HTTPS for your domain.
What are the risks of not using SSL/TLS?
Many exploits were created throughout the years to bypass the highly insecure HTTP connection. These exploits target user’s credit card details and login credentials and ultimately disrupt online businesses. Imagine falling victim to such an attack these days and people learning about it. Recovery is almost impossible, and you would have to rebrand, start over and waste a lot of time, money, and nerves.
A notorious attack used a lot in the past was the infamous MITM (Man In The Middle) attack. The attacker entails an impersonation of one of two communicating parties (server or client) and controlling the entire flow of information. The attacker then injects whatever they want to achieve their goals, while both sides believe that they communicate with one another. Under this circumstance, the attacker can obtain all the information exchanged in the communication without anyone noticing. An excellent example of such an attack is an unencrypted WI-FI network in which a hacker can embed himself as the Main In the Middle.
This attack was one of many used to steal and counterfeit sensitive data. Therefore the Internet needed a robust way of battling this ever-growing thread, and thus, cryptography came to save the day.
How can you get an SSL certificate?
SSL certificates come from SSL Vendors or CA(Certificate Authorities). These merchants put their digital seal on the certificate itself, guaranteeing that it will provide the right encryption level, ensuring a secure connection between the client’s browser and the server hosting the site.
The process of getting an SSL involves contacting this CA and requesting it using a CSR(Certificate Signing Request). They will then research your business and domain name, making sure it is legitimate. Finally, the CA will provide you with the SSL certificate, which you can install on your domain.
To save all the hassle explained above, we at HostArmada take care of this for our customers. They need to purchase the desired hosting service, add the domain on the server, and our systems will take care of everything. In addition to handling SSL installation and HTTPS redirection, we offer Fully Managed Hosting Services. Suppose you want to focus entirely on running your website without worrying about all the tech-related stuff happening in the backend. We highly recommend signing up for a web hosting solution with us and leave it to the professionals!
How can you be sure that you are using an SSL certificate?
Installing an SSL certificate for a domain name could be insufficient. Although you have it installed for your domain name, it may still be accessible via the HTTP protocol and provide an unencrypted connection to visitors.
To make sure your domain name uses an SSL certificate, you can visit your browser and check the bar. If the browser does not use HTTPS, you will see the “Not secure” sign. This sign does not necessarily mean that you do not have an SSL – it just means you are not using the secure protocol. All you need to do is force HTTPS redirection, and you are all set.
Sometimes your website will use HTTPS, however, you will receive a warning when you visit it, notifying you that you are not using SSL. In that case, you have set up HTTPS redirection, however, the website lacks an SSL certificate. To resolve this, please issue and install an SSL certificate for your domain name, and voila – you are all good!
If the domain has an SSL and HTTPS redirection exists, then you will notice a pretty little padlock on the browser bar, left of your domain name. This padlock is what you should always strive to see for your domain when visiting it through a browser.
Not using encryption in today’s modern online world is absolutely unimaginable. You should never compromise security no matter what kind of internet endeavor you take on, and setting up SSL/TLS for domains is just one part of the equation. It is a robust method of ensuring that your visitor’s sensitive data and credit card information are protected, and they can feel confident visiting the site regularly. If you wonder why your website is insecure and why it has no padlock, please contact our sales team over the live chat. They can recommend the best hosting plan that will ensure full encryption and security for your special project!