Security isn’t an option on today’s websites. It’s a necessity. Google confers on sites that use HTTPS a higher search ranking. And who doesn’t want a higher PageRank?
But, wait there’s even more reason to lock down your site. Google will soon start marking websites that don’t use HTTPS first as insecure, then as broken. You so don’t want to go there.
To be exact, Google stated: “To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labeled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”
Then, as 2017 progresses Google will increase the severity of its HTTP warnings, beginning with labeling HTTP pages as “not secure” in Incognito mode. Eventually, Google will label all HTTP pages as non-secure and change the HTTP security indicator to the red triangle that it uses for broken HTTPS.
Besides, even if you bristle at the idea of Google being the boss of you, securing your website just makes good common sense. We’ve known since 2010 when Firesheep showed your login could be stolen over Wi-Fi that the only way to have reliable security is for every website to have an encrypted connection.
To do that you need to add Secure Sockets Layer (SSL), and its far safer successor, TLS (Transport Layer Security), to your site. Both encrypt communications with public key encryption between your server and your end-users’ devices.
To make this happen, you need an X.509 Digital Certificate — generically called an SSL certificate — on your server. A digital signature from a trusted third party, a Certificate Authority (CA), guarantees the Digital Certificate’s authenticity so that your site’s visitors know the server is really the site it purports to be.
There are many CAs. Some of the best commercial ones are Network Solutions; Symantec, now owners of Verisign; and Thawte. Prices for certificates from a major provider range from $50 to $200. You can also get a free certificate, that’s every bit as good if you’re not doing e-commerce, from the non-profit Internet Security Research Group’s Let’s Encrypt.
The big difference between the commercial CAs and Let’s Encrypt is that the commercial businesses back up their security with a warranty of between five-hundred thousand and a million dollars. With Let’s Encrypt, you’re on your own.
You can also self-sign your own certificate. This is fine if it’s just you connecting to your site, but your visitors won’t be certain your site is really the one they intended to visit. As a stopgap security method, self-signed certificates are fine, but no one thinks self-signed certificates are really that secure.
Before deploying any certificate, you must know there are three different kinds of SSL certificates. These are, in order of least to most secure: Domain Validation (DV) SSL Certificates; Organization Validation (OV) SSL Certificates; and Extended Validation (EV) SSL Certificates.
A DV states that the domain is registered by someone with admin rights to the website. If the certificate is valid and signed by a trusted CA, a web browser connecting to the site will inform you that it has successfully secured an HTTPS connection. A DV would be all you’d need to secure a blog or simple website. Typically, self-signed certificates are DVs.
An OV validates the domain ownership and includes related information like the site owner’s name, city, state, and country. It’s the middle tier of certificates, but it’s not often used.
Anyone staging an e-commerce website needs to use an EV SSL certificate. It validates not only the domain ownership and organization information, but the site’s legal existence as well. Sites with an SV SSL certificate can be identified by their green address bar.
So, now that you know why you should do it and some of the technology behind what you’re doing, how do you add SSL/TLS to your site? Cloud host Linode has the answers in a series of useful articles:
- Obtain a Commercially Signed SSL Certificate on CentOS and Fedora
- Obtain a Commercially Signed SSL Certificate on Debian & Ubuntu
- Install Let’s Encrypt to Create SSL Certificates
- Create a Self-Signed Certificate on CentOS and Fedora
- Create a Self-Signed Certificate on Debian and Ubuntu
- Provide Encrypted Resource Access Using SSL Certificates on Nginx
- Multiple SSL Sites Using SubjectAltName
Nowadays, the internet can be a dire place. Fortunately, you can make your website a safe and trusted port in the storm for your users while improving your Google PageRank. So, without further ado, secure your website with TLS and start enjoying the benefits today.
Please feel free to share below any comments or insights about your experience using TLS and/or acquiring an SSL certificate. And if you found this blog useful, consider sharing it through social media.
About the blogger: Steven J. Vaughan-Nichols is a veteran IT journalist whose estimable work can be found on a host of channels, including ZDNet.com, PC Magazine, InfoWorld, ComputerWorld, Linux Today and eWEEK. Steven’s IT expertise comes without parallel — he has even been a Jeopardy! clue. And while his views and cloud situations are solely his and don’t necessarily reflect those of Linode, we are grateful for his contributions. He can be followed on Twitter (@sjvn).