Self-Signed SSL Certificates

11 May, 2010

SSL allows you to serve encrypted web pages to website visitors over the HTTPS protocol. A certificate must be signed by an authority the browser recognizes, or the browser will display a warning that questions your site’s authenticity. OpenSSL also provides the option to create a self-signed certificate, and many web hosting control panels have an option for it.

In most circumstances involving financial transactions, you should purchase a signed certificate, but there are instances when self-signing will suffice. Some examples include private intranets, internal business groupware, web-based control panels, and other content backends. In all of those situations, you need encryption, but it does not matter to you if the certificate is official since you are the one who signed it.

You will still receive the browser warning the first time, but your browser should have a function that allows you to add your site to your browser’s trusted sites. From then on, you will not see the warning, although other users still would see it. If you ever decide that you do actually need to purchase a certificate, you can always change it later. For information about creating a self-signed certificate, see this site.

Categories: Security, Web servers

What You Should Know About SSL Certificates

6 May, 2010

SSL certificates allow website owners to provide something like a badge of authenticity to their users. In theory a website with a valid certificate should be trustworthy and secure. By default, web browsers will recognize a number of certificate authorities, companies that sell annual certificates and verify them. Depending on the company selling the certificate and the level of encryption, they can run from free to nearly $500.

When a web browser connects to a site without a valid certificate, the user will receive a nasty warning about the site not being trusted. This increases the chances that a user may not stay on the site, and if you are a business, it means that customers may be unwilling to proceed with sales transactions. In some cases, you may even have a self-signed certificate with perfectly secure encryption, but the user’s web browser will still say it is untrusted.

Purchasing a certificate is only the beginning of the process. You will need to set up your server correctly to use it. Each secure HTTPS site will require a unique IP address and correct certificate authority information that matches the certificate. If anything does not match (such as the domain name, a common problem with domain CNAME aliases), web browsers will still spit out errors. Be mindful of all these factors as you choose the right certificate for you.
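The name-matching problem described above, together with the self-signed case from the previous post, as an added example that is not part of the original posts. It assumes OpenSSL 1.1.1 or later (for `-addext`); the hostnames, file names and 365-day lifetime are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: hostnames, paths and lifetime are constructed placeholders.
set -eu

# make_self_signed DIR HOST: write DIR/key.pem and DIR/cert.pem for HOST.
make_self_signed() {
    local dir=$1 host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=${host}" -addext "subjectAltName=DNS:${host}" \
        -keyout "${dir}/key.pem" -out "${dir}/cert.pem" 2>/dev/null
    chmod 600 "${dir}/key.pem"   # the private key must not be world-readable
}

# is_self_signed CERT: true when issuer and subject are the same name.
is_self_signed() {
    local subject issuer
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ]
}

# name_matches CERT HOST: true when HOST is covered by the certificate's names.
# Clients compare the name in the URL, not whatever a CNAME resolves to.
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# fingerprint CERT: SHA-256 fingerprint, to compare out of band before
# adding a self-signed certificate to a browser's trusted list.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo: portal.example.test stands for a CNAME alias the certificate never lists.
dir=$(mktemp -d)
make_self_signed "$dir" intranet.example.test
is_self_signed "$dir/cert.pem" && echo "self-signed: yes"
for host in intranet.example.test portal.example.test; do
    if name_matches "$dir/cert.pem" "$host"; then
        echo "$host: name ok"
    else
        echo "$host: name mismatch, clients will warn"
    fi
done
echo "fingerprint: $(fingerprint "$dir/cert.pem")"
rm -rf "$dir"
```

Running `name_matches` against every hostname and alias that users actually type, before deploying a certificate, catches the mismatch before visitors see it.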

Categories: Security, Software, Web servers

What's HTTPS?

2 Feb, 2010

If you’ve ever shopped online or used Internet banking, you may be familiar with Hypertext Transfer Protocol Secure. Better known as HTTPS, this technology is simply a more secure form of the regular HTTP protocol that uses SSL.

HTTPS works by encrypting data that would otherwise be out in the open. Most people don’t realize it, but when you send data over the Internet, it is by default unprotected and readable by anyone with the right tools. This is fine for most websites, but for anything financial or communication related, HTTPS is a must.

If an online store you wish to shop at uses only HTTP, or your email provider does not offer the option for a secure connection, you may want to find an alternative service.

Categories: Web Infrastructure, Web Services

How to enable HTTPS on a Windows server

29 Jan, 2010

SSL stands for Secure Sockets Layer and is the underlying technology that enables a website to use the HTTPS protocol. Why is this important? A website with an HTTPS URL provides website visitors with a secure connection for private transactions. It is essential for any type of online sales or exchange of private data.

Windows Server 2008 relies on IIS to serve websites to users, and in order to configure a Windows server for SSL, you need to enable it in IIS.

“The implementation of SSL has changed from IIS 6.0 to IIS 7.0. On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode (required a lot of kernel/user mode transitions). On Windows Vista and Windows Server® 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections.”

Read the rest at Learn IIS

Categories: Web Hosting, Web servers

Running an entire website under SSL

25 Dec, 2009

Question: I was thinking of making my entire website HTTPS instead of just the shopping cart. Is this a good idea?

Answer: There are both pros and cons to securing an entire site with SSL, but most seem to agree that the cons outweigh the pros. The advantage is that your users know from the beginning that they are working with a secure site. If your website happens to be for a financial institution, this may add to users’ comfort when they are entering login data.

The disadvantages are that a site will most likely run slower when it has to authenticate encrypted data. The larger your site, the more data it will have to encrypt. Also, if a browser ever has issues with the certificate, a user will be locked out from your site completely or will have to click through unnecessary confirmations. This may prevent them from even getting to a contact form to tell you something is wrong.

Generally speaking, there is simply no need to encrypt general pages of information. Login forms should point to encrypted script URLs, and all shopping cart data, personal information, and financial information should be under HTTPS. If that is all you have (i.e. you only have those private forms on your site and nothing else), then complete HTTPS might be a good idea.

Source: webhostingtalk.com

Categories: Security, Web Hosting, Web servers

How to Redirect HTTP to HTTPS

22 Sep, 2009

Question: How do I force users to use the SSL version of a folder on my website?

Answer: With e-commerce websites it is very important to make sure your customers have a secure connection to your website. Nothing can be more damaging to a business than to have sensitive user information leaked to would-be attackers and cyber-criminals. While you can always make sure your links point to the SSL version of a particular page, users might still reach the page without the “https” protocol. Using a simple Apache rewrite rule, you can ensure that even if users go to http://www.yoursite.com/billing, they will be redirected to https://www.yoursite.com/billing.

In the directory you want to redirect, create an empty .htaccess file and add the following code:

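RewriteEngine on
# Redirect only plain-HTTP requests; without this condition HTTPS requests loop forever
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.yoursite.com/billing/$1 [R=301,L]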

That is all it takes. Now you will guarantee your users a secure experience whenever they access your site.

Categories: Security, Web Hosting, Web servers

When you need SSL and when you don't

24 Jun, 2009

Most web hosts offer some form of SSL in at least some of their hosting packages. Many users are confused about when it is necessary to have SSL, when it is optional, and when they do not need it at all. SSL stands for Secure Sockets Layer. It is essentially a form of security encryption that protects data being transferred from one point to another. In terms of web sites, SSL is used to display encrypted website pages via the HTTPS protocol.

Many users who run businesses automatically believe that SSL is necessary. The truth is that it is only absolutely necessary if you are collecting sensitive data from your visitors, whether it is credit card numbers, addresses or any other information that visitors would consider private. If you forward your customers to a payment processor without collecting any sensitive information on-site, SSL is probably optional for you. It might make your operation look more professional to have a verified security certificate, but it is not necessary.

Good web hosts offer more than one SSL option. For a full SSL implementation, your website will require its own IP address, and you will have to purchase an SSL certificate from an established SSL authority. If your needs are not that great or you cannot afford that option, some hosts offer Shared SSL, which provides SSL to shared hosting customers (i.e. multiple customers sharing a single IP address). This method will usually suffice for small operations. If none of the above apply to your website, then you most likely do not need SSL at all.

Categories: Security, Software, Web servers