This is something very important that I never really understood: how to use SSL certificates. They are extremely important if you are maintaining a Web Application, but I never really bothered to read about it - it was the secure elephant in my room. But now I finally got the motivation (pure pressure and necessity) to research it, and this is what I learned:
SSL certificates are supposed to make your website more secure (duh), and they do this by ensuring:
- Encryption - your data will be encrypted, which is good!
- Data integrity - your data will not be broken, which is good!
It also has some nice side-effects:
- Green address bar - your address bar turns green, which is good! I mean, your visitors will know that your website is secure. If you do financial transactions or collect important information, your website will be a lot more attractive with that pretty, green bar for your users.
- Prevents attacks - since your data will be encrypted, it will be (almost) impossible to steal it with "man-in-the-middle" attacks. This is good too.
- Boost in ranking for search engines - Google, for instance, will rank your website better if you use HTTPS. This is probably good.
HTTPS certificates are usually not free (although there are some services like Let's Encrypt), and since you have to pay for them, you probably should think about your priorities: do you really need HTTPS on your blog that nobody reads? Probably not. Do you need HTTPS on a website with financial transactions? Probably yes.
So, first of all, how do you get a certificate? Simple. Follow these steps:
Step 1: pick your certificate type
| Certificate Type | Types of Sites | Features |
|---|---|---|
| Extended Validation (EV) | eCommerce; sites collecting personal info; sites where user trust is paramount | 2048-bit encryption; Green Bar to provide top-of-the-line trustworthiness; the type used by web giants like Twitter, banks, etc.; issued in 3-5 days |
| Organization Validation (OV) | eCommerce; sites collecting personal info | Verified that the site is a registered government entity; 128-, 256-, or 2048-bit encryption; issued in about 24 hours |
| Domain Validation (DV) | Testing sites; internal sites; non-eCommerce sites | Very affordable; issued almost immediately |
In addition to the 3 main types above, we also have:
- Multi-domain certificates - if you need to secure multiple domains, but only want one certificate: you can have up to 100 domains in your certificate, and if you get another domain, you can just add the domain to it.
- Wildcard certificates - with these, you can secure your website, as well as any subdomains. They can be either DV or OV, but not EV.
Step 2: buy the certificate
There are several websites where you can buy certificates. Sometimes your own hosting company will offer this service. The price and speed for issuing the certificate will vary.
Step 3: install the certificate on your website
This will depend on which host you are using - they will have their own methods to apply the certificates. If you are using Node.js, you will probably have to use it directly in the .js file that creates the server.
Step 5: update links and images
Make sure all links in your website point to an https route instead of http. Do the same thing for images, CSS, scripts, and so on. It is also a good idea to redirect the traffic coming from any http route to the https route.