What is an SSL Certificate?
What is an SSL Certificate? Or is it a TLS Certificate? Or maybe a Security Certificate? Learn what these are and why Google Chrome and other browsers are indicating your website connection is not secure. Let’s Encrypt (letsencrypt.org) to the rescue!
Learn about the massive movement to secure the entire Internet with a project called Let’s Encrypt, which should enable you to easily secure your website. Get familiar with the technical lingo involved, so you can find the right help on how to secure your website through your hosting provider.
Script
Intro
When you load a website, the browser tells you whether or not you should trust it. Why? And how does the browser decide? Today, I am going to talk about something called an SSL Certificate, what it means, why you need one, and the massive movement to hand them out freely, making it easier for you to secure your website. So let’s get started…
Hi, my name is Katie Ayres. I’m a web developer and owner of 1 Happy Place, and today we are going to talk about SSL Certificates. Subscribe to my channel if you want to know all about websites and the internet in a fun and gentle way.
What is an SSL Certificate?
When you are in your browser and looking at a website, behind the scenes, the browser is connecting your computer to the website’s server.
Originally, this connection was wide open: the messages between the server and your computer were sent in plain text and were completely insecure. This made it far too easy for malicious software to sit on the connection and grab those messages as they went by.
Then came along encryption and SSL Certificates.
Luckily, the only thing we really have to understand about encryption is what it does, not how it accomplishes it through its complex math. You start with a plain text message. That message is sent through an algorithm that garbles it up so it is impossible to read. Only the intended recipient can unscramble and then read the message.
SSL Certificates enable this encryption by providing a pair of keys that allow only the recipient, and no one else, to read the message.
Let’s take a moment to talk about the lingo involved here. When you secure your website through your hosting provider, they are going to use one of the following terms: “SSL Certificate”, “TLS Certificate”, or “Security Certificate”. All three mean the exact same thing.
Notice that all of them use the word Certificate. This describes well what goes onto your website’s server. You can compare it to a Certificate of Authenticity, often used by the art world or collectors, which is simply a badge that assures something is authentic.
SSL Certificates work similarly, but in a much more complex way. The browser reaches out to a webserver and says, “Hey, I’m looking for 1happyplace.com. You say you’re 1happyplace.com, but are you the real deal?” The webserver answers back, “Yes, I’m the real 1happyplace.com and here is my special key to prove it.”
Once the browser has this key, it starts the encryption process, which requires that the webserver have another, mathematically linked private key to match. Only the real webserver can have that matching key, so it proves authenticity to the browser. This is why, when you go to google.com, you always get google.com.
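The exchange described in the two paragraphs above, modelled as an added example that is not part of the original script: the browser checks the name on the certificate, checks that a trusted issuer (the role Let’s Encrypt plays) signed it, and then makes the server prove it holds the matching private key. It assumes toy RSA with constructed, deliberately tiny keys and hypothetical function names; real TLS has more steps.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):  # toy RSA: returns (public modulus n, private exponent d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):  # only the holder of the private exponent d can do this
    return pow(digest(data, n), d, n)

def verify(data, sig, n):  # anyone who knows the public modulus n can check
    return pow(sig, E, n) == digest(data, n)

# Constructed keys from small Mersenne primes; far too weak for real use.
CA_N, CA_D = make_key(2**89 - 1, 2**107 - 1)     # issuing authority
SITE_N, SITE_D = make_key(2**31 - 1, 2**61 - 1)  # the real web server
FAKE_N, FAKE_D = make_key(2**17 - 1, 2**19 - 1)  # an impostor's own key

def cert_body(name, n):
    return f"{name}|{n}".encode()

def make_cert(name, n, signer_n, signer_d):  # "name owns key n", signed
    return {"name": name, "n": n, "sig": sign(cert_body(name, n), signer_n, signer_d)}

def browser_accepts(wanted, cert, prove):
    """prove(challenge) is the server's reply to the browser's random challenge."""
    if cert["name"] != wanted:
        return False  # certificate belongs to a different site
    if not verify(cert_body(cert["name"], cert["n"]), cert["sig"], CA_N):
        return False  # not issued by the authority the browser trusts
    challenge = secrets.token_bytes(32)
    return verify(challenge, prove(challenge), cert["n"])  # needs the private key

REAL_CERT = make_cert("1happyplace.com", SITE_N, CA_N, CA_D)
SELF_MADE = make_cert("1happyplace.com", FAKE_N, FAKE_N, FAKE_D)

def real_server(challenge):
    return sign(challenge, SITE_N, SITE_D)

def impostor(challenge):
    return sign(challenge, FAKE_N, FAKE_D)  # lacks SITE_D, so uses its own key

if __name__ == "__main__":
    print("real server accepted:", browser_accepts("1happyplace.com", REAL_CERT, real_server))
    print("copied cert accepted:", browser_accepts("1happyplace.com", REAL_CERT, impostor))
    print("self-made cert accepted:", browser_accepts("1happyplace.com", SELF_MADE, impostor))
```

Only the first case is accepted: a copied certificate fails the private-key proof, and a self-made one fails the issuer check.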
Once a website has been secured, it guarantees to the website visitor:
- Confidentiality – meaning it is not possible for messages to be grabbed and read by malicious software while in transit
- Authenticity – the website with which you are interacting is the expected website
- Integrity – since the connection is secured, the data passing between your browser and the website is exactly as each side intended it
So let’s talk about why your website needs a certificate
The Internet is going through a big change. For example, on September 8th, 2016, Google published an article, “Moving towards a more secure web”. There is a link down in the description below.
In it, Google announced its overall plan to change the way it tells visitors about the security of the website they are visiting. At the time I made this video, Google Chrome dominates the browser market with a full 62% usage, with Safari at 15% and the rest at no more than 4%. So for the rest of this video, I am going to focus on Google’s plans. The other browsers have also made similar plans.
Google is switching the way it indicates to website visitors whether a page is secure. These pictures show Google’s plan, starting with what it was and where it is going.
For pages that had no sensitive data, there was only an information icon, which you could click to drop down a panel that stated it was an insecure page. But recently, Chrome moved to the next stage where it has the words “Not Secure” up at all times.
The big news was that in the near future, Chrome will show “Not Secure” in red along with a red triangle to get your attention. This will be done for all insecure pages, no matter the sensitivity of the data involved. This is a very big shift.
At the same time, it is going to retire the lock that we are all familiar with. Originally, when a page was secure, there was a green lock and the word “Secure”. Currently, the lock is still there, but gray, and the word “Secure” has disappeared. Then in the near future, that lock will disappear. The idea here is that it is expected that all web pages will be secure, so the browser will only show indicators when that is not the case.
To show how all of this works, let’s look at a website I built for demonstration purposes, 1securewebsite.com. This is a simple static website, with a home page, and a fake login page.
Even though it looks like a secure website, Chrome is informing me that it is, in fact, not secure. But it is also not too fussed about it because we are looking at a static page that doesn’t do anything and Chrome is letting it slide.
But notice what happens if I move to the login page. Chrome still says it is insecure, but is still not too fussed. But if I start to type in the username field, Chrome starts to warn me. This is that middle stage of the overall plan. In the future, this red warning and icon will happen on all the pages of a website without an SSL certificate installed.
If we move to 1happyplace.com which is secure, you can see how different it looks in the address bar. It has a gray lock and shows https at the beginning of the web address. This indicates that the page is being delivered on a secure connection, thanks to the installed certificate and associated keys.
Remember, the plan is for that little gray lock to disappear, so that we all expect pages to be secure by default.
So, how do you secure your website?
For websites that are still not secured, there is some good news. In May of 2013, the Internet Security Research Group, or ISRG, was founded, with its stated mission to help websites secure their information. It was sponsored by many companies, including Google and Mozilla, and launched a massive undertaking: Let’s Encrypt.
Thanks to Let’s Encrypt, website owners can now acquire a security certificate easily, efficiently, and for free. You start the process by working with your hosting provider.
Most hosting providers will do this automatically or require changing a setting. But if you are unlucky enough to work with a provider who makes it difficult or expensive to get a certificate for your website, it is probably time to shop for a new provider, because they are just not keeping up with the industry. The important thing is to remember to look for those three names: SSL, TLS or Security Certificate.
I wish you the best as you dive into securing your website knowing that it will reassure your website visitors and add to the overall goal of securing the Internet.
Hey! Thanks for watching! I post videos all about websites and the internet in a fun and gentle way…so be sure to subscribe and click the notification bell if you would like to see more!