SSL
SSL (Secure Sockets Layer) is the standard security technology to encrypt a connection between a web server and a browser.
All data passed between the web server and browsers remains private.
SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.
HTTPS and the little padlock
Sites which are secured by SSL will usually begin with the HTTPS protocol. Visitors to sites secured with SSL should also see a small padlock displayed in the browser to indicate the site is secure.
Certificate required
To create an SSL connection a web server requires an SSL Certificate. Webmasters are asked questions about their website, their business, and their identity, and this information is used to create two cryptographic keys – a Private Key and a Public Key.
The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) – this is a file, and it also contains the details provided.
The CSR is then submitted to a Certification Authority.
During the SSL Certificate application process, the Certification Authority validates details and issues an SSL Certificate containing these.
Web servers match the issued SSL Certificate to the Private Key, and can then create an encrypted connection between the website and visitors’ web browsers.
SSL Certificates are issued to either companies (legal persons) or legally accountable individuals.
Information in SSL Certificates
Usually, an SSL Certificate contains domain name, company name, address, city, state and country.
It also contains the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate.
What happens when browsers connect
When a browser connects to a secure site it retrieves the SSL Certificate and checks that it has not expired, that it has been issued by a trusted Certification Authority, and that it is being used by the website for which it has been issued.
If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.
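The three checks described above, as an added Python example (not code from the original page), run against a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns. The sample certificate, the CA name and the trust list are constructed, and comparing the issuer name is an assumption that stands in for the signature-chain verification a real browser performs.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
TRUSTED_ISSUERS = {"Example Trusted CA"}  # hypothetical trust store


def _name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def failed_checks(cert, hostname, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return the names of the checks this certificate fails (empty = all pass)."""
    failures = []
    # 1. Validity period; 'now' is seconds since the epoch (UTC).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        failures.append("not within validity period")
    # 2. Issuer. A real client verifies signatures up to a root in its trust
    #    store; the name comparison here is a simplified stand-in.
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    if issuer.get("organizationName") not in trusted_issuers:
        failures.append("untrusted issuer")
    # 3. Hostname, compared against the DNS entries of subjectAltName.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        failures.append("hostname mismatch")
    return failures
```

Any non-empty result corresponds to the browser warning described above; an empty list means all three checks passed.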
Let’s Encrypt
There are different Certification Authorities available, and different levels of security certificate, up to and including “Green Bar” Extended Validation (EV) certificates (which are more complex and involve more vetting). For most purposes, Let’s Encrypt provide free certificates, which are trusted by major browsers, and Silicon Dales recommends them.