There has been a lot of talk lately about HTTPS (Hyper Text Transfer Protocol Secure) and SSL (Secure Sockets Layer) after the infamous Heartbleed bug, Google’s switch to encrypted searches, and internet users becoming more conscious about their security in general (NSA, anyone?). It sounds like a good thing, but what is it really?
Essentially, HTTPS is exactly the same as HTTP except it implements the SSL protocol, which allows for a secure connection between the end user and the server. This level of security is usually only necessary with web sites and applications dealing with financial or very personal information.
While having security in place is great, it can have some downsides as well for situations where it isn’t totally necessary:
- Websites or web applications become slower due to the handshake and the encryption/decryption of data for each request.
- Getting signed certificates from well-known authorities can be expensive.
- If your certificate is not one that the visitor’s browser recognizes (for example, a free self-signed certificate), the user will get a warning prompt.
How to Implement HTTPS
So, you read the first part of this post and your quick and dirty website assessment tells you that your site needs the extra security and maybe the slight SEO lead generation edge HTTPS now gives you with organic search ranking on Google. The good news is that installing it is relatively straightforward (but takes basic system administration knowledge and a few prerequisites).
Disclaimer: As all of the software on the server stack varies, this will be a broad set of instructions for enabling HTTPS on a web server stack. These instructions lack intricate details because they vary based on system specs.
Prerequisites:
- If running Apache, mod_ssl needs to be enabled.
- A unique IP address.
Step 1: The Certificate
If you don’t mind users seeing a large warning screen when they visit your website, you can use a (free) self-signed certificate. Otherwise, you will need to purchase a certificate from a commercial certificate authority. Once you receive these files (certificate, key, csr), copy them over to your server. The usual location is /etc/httpd/conf/ssl.crt/.
Step 2: Enabling
Add the following to the server configuration file (the following example is for Apache under a virtualhost for “your-domain.com” running under port 443):
SSLCertificateFile /etc/httpd/conf/ssl.crt/your-domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/your-domain.com.key
** your-domain.com would need to change to whatever domain you are actually using.
Step 3: Restart
Now simply restart the server, then try visiting https://your-domain.com/ (note the https://). If all went well, this will create a secure connection between you and the server.
Congratulations!
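An added example, not part of the original post: shell functions that create the self-signed pair from Step 1 and check that a certificate and key belong together, are unexpired and are not readable by other users before the restart in Step 3. The function names are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: checks to run between Step 2 and Step 3.
# Function names are hypothetical; paths passed in are the page's placeholders.

# Step 1, free option: create a self-signed certificate and key.
# $1 = output directory, $2 = domain name
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key"
}

# True when the certificate ($1) carries the public half of the key ($2).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate ($1) has not passed its notAfter date.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True when the key file ($1) exists and is not readable by group or others.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Run all checks; prints the first failure and returns non-zero.
preflight() {
    pair_matches "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    not_expired "$1"       || { echo "certificate has expired" >&2; return 1; }
    key_is_private "$2"    || { echo "key is readable by group or others" >&2; return 1; }
    echo "ok: certificate and key are consistent"
}

# Usage on the server, before restarting Apache:
#   preflight /etc/httpd/conf/ssl.crt/your-domain.com.crt \
#             /etc/httpd/conf/ssl.key/your-domain.com.key && apachectl configtest
```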
About Pete Saia
