When navigating the internet with a web browser like Google Chrome or Mozilla Firefox, you may notice a padlock icon which appears in the top address bar next to the URL of the page you are viewing. This symbol is an indication that the current website is secured with Secure Sockets Layer protection, better known as SSL. Seeing the padlock icon provides assurance that all communication between your device and the website will be fully encrypted, which is especially vital when transmitting passwords, credit card numbers, or other private information.
As a web designer or systems administrator, you should strive to secure all of your public-facing websites with Secure Sockets Layer protection. Read on to learn about the history of web security certificates, how they work, and the steps needed for installing one on your own.
What is Secure Sockets Layer?
Secure Sockets Layer is a digital protocol that has spread broadly over the internet since its creation in 1994. The concept was first developed by the Netscape group in an effort to secure data transmissions between web browsers and web servers. The protocol was offered publicly in version 1.1 of the Netscape Navigator application. Issues discovered with the initial release of SSL forced Netscape to update the protocol and push a more secure update in late 1995.
The Internet Engineering Task Force (IETF), an independent group that works on web standards, made improvements to Netscape’s protocol and announced a new standard in January 1999. They referred to the new protocol as Transport Layer Security, or TLS, which remains the primary standard today.
How Does Secure Encryption Work?
The foundation of Secure Sockets Layer technology is the concept of a security certificate. Each individual website owner, from large company pages to small personal blogs, is responsible for generating a certificate based on the domain name in their URL. This certificate is a very small file which contains the owner’s name and physical location. It also stores a set of two encrypted keys, one known as the public key and the other being a private key.
Security certificates are typically issued by organizations known as certificate authorities. Certain hosting providers have preexisting arrangements with authorities, so you may want to consult a hosting review site in order to find a good match. Once the authority has validated your identity and domain name, the certificate will be issued and can then be installed on your web server.
From a user’s perspective, the encryption process begins when they navigate to a secure URL from their browser. All sites with Secure Sockets Layer protection will begin with “HTTPS” in their address. Then the browser requests a copy of the site’s security certificate and checks that it is valid. If this is confirmed, the browser uses the certificate’s public key to start encrypting the user’s session. From that point on, all data sent between the browser and the web server is secured. The private key is used by the server for decrypting each transmission and loading the full web request.
Why is Secure Encryption Important?
Accessing a website which is not encrypted with Secure Sockets Layer protection can be a major risk to your private information. As a web designer or systems administrator, you should strive to encrypt all of your servers prior to going live with any site or application. This will assure your visitors and customers that their sessions are secured and that your organization is trustworthy.
When a website lacks a security certificate and uses an “HTTP” address instead of an “HTTPS” one, no padlock icon will be displayed in the browser and all data will be transmitted over a plain-text connection. Clever hackers can intercept these messages without your knowledge and read the contents being sent back and forth. For a simple blog with generic content, this may not be a major concern. But if you are using a website to purchase goods, store financial information, or create a personalized account, you must ensure that a secure session is always used.
How to Install a Security Certificate for Free Using Let’s Encrypt
Most Certificate Authorities charge a substantial fee for generating an initial certificate and renewing it on a regular basis. However, an organization called Let’s Encrypt offers a security solution which helps individuals and small companies use Secure Sockets Layer technology for free. As long as you have full ownership of a registered domain name, you can use Let’s Encrypt to install a valid security certificate on your website.
The Let’s Encrypt authority uses what is known as the ACME protocol (Automated Certificate Management Environment) to validate an applicant’s identity and domain name. Your website must pass one of the ACME challenges by either updating your DNS record with a key provided by Let’s Encrypt or by uploading a .txt file to the root of your web directory.
To actually install the Let’s Encrypt certificate on your web server, a tool called Certbot is the recommended solution. Certbot works with the most popular hosting providers and platforms, including Apache and Nginx. Consult a hosting review site to find out what web platforms they offer and whether they support the Certbot tool.
The Certbot tool should always be run by a systems administrator with root-level access to the server hosting your website. Using Apache as an example, the following commands will download the necessary installation and setup packages for using Let’s Encrypt:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
After the downloads have completed, a single command will launch the certificate generation process with Let’s Encrypt:
sudo certbot --apache
Your web server will now make a direct connection to the Let’s Encrypt authority. Once the ACME challenge is passed, a certificate will be issued and SSL will become enabled on your site.
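Once Certbot has finished, the result can be checked the same way a browser does it: request the certificate, validate it, and read its expiry date so that renewal is not missed. The Python script below is an added example, not part of the original article or of Certbot; the host example.com, the sample certificate and the 30-day warning threshold are assumptions made up for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
# example.com, "Example CA" and the dates are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a site's certificate over a verified TLS connection.

    The default context checks the chain against the system trust store
    and the hostname against the certificate, so an untrusted, expired or
    mismatched certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize(cert, now=None, warn_days=30):
    """Report issuer, covered names and days left before expiry."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if days_left < 0:
        status = "EXPIRED"
    elif days_left < warn_days:
        status = "RENEW SOON"
    else:
        status = "OK"
    return {"issuer": issuer.get("organizationName", "unknown"),
            "names": names, "days_left": days_left, "status": status}


if __name__ == "__main__":
    # With a hostname argument, check the live site; otherwise use the sample.
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(summarize(cert))
```

Run it with your own domain as the only argument after the certificate is installed; a verification error at that point means visitors' browsers would reject the site as well.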