Securing your website

Putting the S in HTTPS. What does the S stand for? Secure, of course! Long gone are the days when only corporations and enterprises used SSL certificates; just about anyone with a website can take advantage of the Secure Sockets Layer (SSL) protocol. SSL certificates have been around since 1994, first introduced with the Netscape browser. SSL certificates were available for purchase from a public Certificate Authority (CA) and were associated with high cost. Comodo has the majority of the market share at 41%, followed by Symantec at 30% and GoDaddy at 13%. This trend will change significantly over the next few years as other CA providers saturate the market.

On November 18, 2014, a group of companies and nonprofit organisations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let’s Encrypt, a nonprofit certificate authority that provides free domain validated X.509 certificates as well as software to enable installation and maintenance of certificates. Let’s Encrypt is operated by the newly formed Internet Security Research Group, a California nonprofit and tax exempt organisation.

Why do I want to secure my website? The reason is quite simple: Google Chrome will mark non-HTTPS sites as “Not Secured”, which in turn will affect your Google ranking! Important enough reason, right? Now let’s get to how I secured my website and gave it HTTPS.

Thanks to Let’s Encrypt and Zuver, I was able to secure my website with a free SSL certificate! The process is very simple and, as mentioned above, Let’s Encrypt provides easy installation, which Zuver has taken part in.

  1. My unsecured website is an unhappy website
  2. Log into Zuver and go into Hosting Services Manage | (+) click on Let’s Encrypt

  3. Click Install then sit back and enjoy
  4. Watch your website secured with HTTPS (Secure Padlock)

Watch your Google page ranking skyrocket to the top :p – That’s a chapter for another blog post on its own. Stay tuned! You may also come across a page marked as not secured due to mixed content; I will show you how you can diagnose that in one of my next blog posts.

For those who have purchased SSL certificates from a CA in the past, how easy is getting HTTPS enabled using Let’s Encrypt via Zuver? This used to take hours (even days), from proving domain ownership, creating a certificate request, securing your private key and getting your public key issued by the CA to finally uploading it to your web server. That, of course, is done after you have paid hundreds if not thousands of dollars, and what about the approval process from your Financial Controller? Now your website can be secured long before your skinny cappuccino is made and served to you!

Don’t forget to update your site to serve HTTPS and make sure your default URL is updated to HTTPS. You may also come across a mixed content warning, which you can track down through the F12 Web Developer Tools; my personal favourite is the whynopadlock website, which gives you an easy-to-read report. Another thing to consider is making sure your web server allows only TLS 1.2 communication, the reason being that SSL 1.0, 2.0, 3.0 and TLS 1.0 have vulnerabilities and are obsolete.

If your web hosting provider does not integrate with Let’s Encrypt, you can request an SSL certificate through their website. There are two ways of doing this:

  1. With Shell – Certbot
  2. Without Shell – Manual

What if I am running a non-Unix web server and I want to automate this process? Easy, there are ACME client tools available!

