HTTPS — The Truth About Safe Browsing

By Mlytics SOC Engineers. Published in Mlytics, Apr 30, 2024 (7 min read).

As we already know, web security is a paramount concern in today's digital world. As users traverse the internet, exchanging data, making transactions, and sharing sensitive information, the invisible web of security ensures our digital journey is safe. At the heart of this security are two protocols: HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP Secure). These protocols are the foundation upon which data is sent between our browser and the website that we are connected to. However, the advent of HTTPS, with its added layer of security through SSL (Secure Sockets Layer) certificates, marks a significant evolution in ensuring a safer web experience. This article continues our previous article, “SSL Certificate to Secure Users Data.”

The HTTPS Protocol in Real Life

Imagine walking into a room to have a private conversation. HTTP is like speaking in a room with thin walls, where anyone outside can listen in. HTTPS, on the other hand, is akin to having the same conversation in a soundproof room, where the discussion remains confidential between the parties involved.

HTTPS works by establishing an encrypted connection between your browser and the website, ensuring that the data transferred remains secure and tamper-proof. This secure connection is made possible by SSL certificates, which serve as a digital passport for websites, confirming their identity and enabling encrypted connections. It’s a fundamental technology that underpins the secure internet as we know it, safeguarding information from potential eavesdroppers and ensuring that when you see the padlock icon in your browser, you are in a safe space to share, browse, and transact.

TIP!
Beware of unsafe websites, especially those that look like official sites (like your bank’s website) but are set up for phishing. These sites usually don’t have SSL certificates, meaning they can’t create a secure connection. Always avoid entering personal info, like your email or password, on these sites.

Good News! Modern browsers will often tell you if the website you are visiting is safe or not. But why is this HTTPS stuff so important? Well, think about when you use public Wi-Fi, like at an airport or school. Have you ever worried that someone might be spying on your online activity? What if they could see or even steal the information that you send out, like passwords or credit card details? This is known as a “Man-In-The-Middle Attack”, and it’s a lot easier for hackers to do if you are not using secure sites with HTTPS. Basically, when you use HTTPS, the data you send online is packed up securely, making it tough for anyone to sneak a peek. The image below shows how your information travels through the internet differently with HTTP versus HTTPS.

HTTP request inspection using Wireshark
HTTPS request inspection using Wireshark

In summary, here are the key advantages of HTTPS over HTTP:

  • Encryption: HTTPS encrypts data in transit, protecting it from eavesdroppers trying to gather information or tamper with data.
  • Data Integrity: It prevents data from being corrupted or modified during transfer, unintentionally or maliciously.
  • Authentication: It provides assurance that users are communicating with the intended website, building user trust and confidence.

Note: Chrome 84 introduces important updates including the removal of third-party cookies and the deprecation of AppCache in non-secure contexts. For details, visit the Chrome Developers blog.

Understanding SSL Certificates

We talked a lot about HTTPS in the section above. Now, you might wonder how this HTTPS stuff relates to SSL Certificates. You might wanna have a look at our article SSL Certificate to Secure User’s Data for more details about SSL Certificates.

If you are not familiar with the HTTPS flow, see the picture below:

The steps for establishing secure communication. [1]
  1. Initiation: The client (web browser) requests a secure connection to the server by sending a “hello” message indicating the intention to establish an SSL session.
  2. Certificate Presentation: The server responds with a “hello” of its own, presenting its SSL certificate to the client. This certificate contains the server’s public key.
  3. Validation: The client verifies the server’s certificate using the chain of trust. It checks the certificate’s validity by ensuring it is signed by a trusted Certificate Authority (CA). If the certificate is valid, a verification mark (like a checkmark) indicates this.
  4. Encryption with Public Key: The client then creates a session key, which is used to encrypt the data sent during the session. This session key is encrypted with the server’s public key and sent back to the server.
  5. Secure Session: Upon receiving the encrypted session key, the server uses its private key to decrypt it. Now, both the client and server have the same session key and can communicate securely. The session key encrypts all data transmitted during the session and the private key decrypts it on the server side. This ensures that the data remains private and unaltered during transmission, as only the server’s private key can decrypt the session key and, hence, the data encrypted with it.

SSL certificates play a crucial role in the HTTPS ecosystem. They are digital certificates that authenticate a website’s identity and establish an encrypted connection. In other words, we use SSL Certificates to establish a secure connection with the HTTPS protocol. There are several types of SSL certificates catering to different levels of security needs. In the previous article, we mentioned the SSL certificate type based on how many domains could be linked to a certificate. Below is the certificate type based on how the certificate is being validated:

  • Domain Validated (DV) Certificates: Verify the ownership of the domain. They are the quickest to obtain and are suitable for blogs and personal websites.
  • Organization Validated (OV) Certificates: In addition to domain ownership, these verify the organization’s information, adding an extra layer of trust.
  • Extended Validation (EV) Certificates: Offer the highest level of validation, including a thorough examination of the organization’s legal, physical, and operational existence.

Checking and Generating SSL Certificates

Checking SSL Certificates
Verifying the SSL certificate of a website is straightforward and can be done directly from your browser.

Another way is to use third-party tools such as https://www.sslshopper.com/ssl-checker.html [2]

Generating SSL Certificates
Generating an SSL certificate typically involves the following steps:

  1. Generate a Private Key: The first step is to create a private key on your server. This key will remain secret and is used to decrypt information sent to your server.
  2. Create a CSR (Certificate Signing Request): With the private key, you then generate a CSR. A CSR is a file that contains details about your domain and your organization.
  3. Submit the CSR: You will need to choose a Certificate Authority (CA), submit your CSR to them, and possibly provide additional documentation to verify your domain and business.
  4. Validation: The CA will then validate your details. For domain-validated certificates, this can be as simple as responding to an email. For more rigorous validations, the CA may check business records.
  5. Receive the SSL Certificate: After validation, the CA will issue the SSL certificate. You will receive a file, usually in .crt format, containing your public key and identity information.
  6. Install the SSL Certificate: You’ll need to install the certificate on your web server. The process will vary depending on your server software.
  7. Configure Your Server: After installing the certificate, you may need to adjust your server configuration to ensure that HTTPS is used for connections.
  8. Test Your Configuration: Finally, test your website to ensure everything is configured correctly and securely.

Did you know you can get a free SSL certificate that lasts for 90 days? There are many certificate providers that offer such a certificate. But keep in mind, once the 90 days are up, your website won’t be seen as secure, and visitors might get a “Not Trusted” warning in their browser. You can always get a new free certificate and install it again.
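The generation steps and the 90-day lifetime described above, as an added example that is not from the original article or from Mlytics: OpenSSL commands for steps 1 and 2, a throwaway local CA standing in for a public CA in steps 3 to 5, then checks for the chain of trust, the key match and the remaining lifetime. The domain example.test, the organisation name and the CA names demo-ca and other-ca are assumptions.

```sh
#!/bin/sh
# Added example. example.test, "Example Org" and both CAs are constructed placeholders.
set -eu
DOMAIN="example.test"
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_key_and_csr() {
    # Step 1: private key, created readable by its owner only.
    ( umask 077; openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null )
    # Step 2: CSR with the organisation details and the domain as a subjectAltName.
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/O=Example Org/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN"
    # The CSR's self-signature should verify before it is submitted.
    openssl req -in "$WORK/server.csr" -noout -verify 2>&1 | grep -q OK
}

# Throwaway local CA (self-signed root), standing in for a public CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Stand-in for steps 3-5: the named demo CA signs the CSR for 90 days.
issue_cert() {
    openssl x509 -req -in "$WORK/server.csr" -days 90 -CAcreateserial \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -out "$WORK/server.crt" 2>/dev/null
}

# Chain of trust: succeeds only if the certificate chains to the given CA.
chains_to() { openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1; }

# The certificate must carry the public half of our private key.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
    c=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Exit status 0 if the certificate is still valid $1 days from now.
valid_for_days() {
    openssl x509 -in "$WORK/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_key_and_csr; make_ca demo-ca; make_ca other-ca; issue_cert demo-ca
chains_to demo-ca   && echo "trusted: chains to demo-ca"
chains_to other-ca  || echo "untrusted: does not chain to other-ca"
key_matches_cert    && echo "private key matches certificate"
valid_for_days 30   && echo "more than 30 days left"
valid_for_days 120  || echo "expires within 120 days: renew before then"
```

Run on a schedule against the installed certificate file, the `-checkend` test gives an early signal before a 90-day certificate lapses.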

If you’d rather not worry about renewing certificates, consider using a CDN service like Mlytics. We offer free certificates and take care of the renewal for you so your website stays secure with HTTPS without the extra hassle. You can check our help center for more details about what ZEROSSL is and how easy it is to get (https://help.mlytics.com/en/knowledge/what-is-zero-ssl-and-custom-ssl).

As digital spaces become increasingly integral to our daily lives, the importance of web security cannot be overstated. HTTPS and SSL certificates form the backbone of secure online communication, protecting data integrity, ensuring privacy, and fostering trust on the internet. By understanding and implementing these technologies, website owners and users alike can contribute to a safer digital environment for everyone.

References

[1] SSL overview. (n.d.). HCL Technologies. Retrieved March 28, 2024, from https://help.hcltechsw.com/bigfix/10.0/platform/Platform/c_SSL_overview.html

[2] SSL Checker. (n.d.). SSL Shopper. Retrieved March 28, 2024, from https://www.sslshopper.com/ssl-checker.html
