Let's take a few moments to talk about SSL – that little padlock you see in the corner of your browser: what it can do, what it cannot do, what is new and exciting (no really – stick with me), and where the old model still sits. As always, the usual caveat applies: this is a 101, an overview. It is not intended as semester two of a cryptography and cipher course.
PKI and SSL – what is it all about?
Good question – I am glad you asked. Public Key Infrastructure (PKI) is a mechanism that involves some fancy maths and two keys: one you never divulge, and one you can hand out all over the place. This in turn solves the age-old problem of getting something securely from A to B without letting anyone else have your key (picture a real key, as opposed to any fancy terms).
The best way I have heard this explained is akin to the Fox, Cat, Duck or whatever it is and getting them over the river. How do you go about doing this?
1. Padlock your box.
2. Give your locked box to the other party.
3. They put their lock on it, and they hand it back.
4. You now remove your lock, and give it back.
5. They remove their lock and, as if by magic, the contents have been secured from A to B and no one had to loan anyone else the keys to the Kingdom. Everyone is a winner.
While simplified, this is the end goal, and this is the concept behind it. SSL stands for Secure Sockets Layer, and is an implementation of PKI for streams of information such as web pages in the case of this article. Realistically SSL is as dead as a dodo and you will probably be using Transport Layer Security (TLS) – however, as with so many things, people say SSL and you know what they are talking about. It has kinda stuck.
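To make the five steps above concrete, here is an added example (my own illustration, not code from the original post) that builds the "two padlocks on one box" story out of numbers: each party's lock is an exponent modulo a prime, so the locks commute and each side can remove only its own. This is the classic Shamir three-pass scheme rather than the public/private key pairs TLS actually uses, and the prime, the message and the helper names are my own choices; it is a toy to show why nobody has to lend out a key, not something to deploy.

```python
# Added example, not from the original post: the "padlock your box, they add
# theirs, you remove yours, they remove theirs" steps done with arithmetic.
# A lock is an exponent modulo the prime P; its key is the inverse exponent
# modulo P-1, so lock-then-key gives the original box back (Fermat's little
# theorem), and two different locks commute because exponents multiply.
# Toy only: one small prime, no authentication, nothing like real TLS.
import secrets
from math import gcd

P = 2**127 - 1  # a Mersenne prime, chosen here purely for the demonstration


def make_lock(p: int = P) -> tuple[int, int]:
    """Return (lock, key): exponents with lock * key == 1 (mod p-1)."""
    while True:
        lock = secrets.randbelow(p - 3) + 2          # 2 <= lock <= p-2
        if gcd(lock, p - 1) == 1:                    # invertible mod p-1
            return lock, pow(lock, -1, p - 1)


def apply_lock(box: int, exponent: int, p: int = P) -> int:
    """Put a lock on (or take a lock off) the box."""
    return pow(box, exponent, p)


def three_pass(message: int, p: int = P) -> tuple[int, list[int]]:
    """Run the five steps from the post.

    Returns what B ends up holding, plus the three values that crossed the
    wire, so a caller can confirm the bare message itself never travelled.
    """
    if not 0 < message < p:
        raise ValueError("message must be encoded as an integer in (0, p)")
    a_lock, a_key = make_lock(p)   # A's padlock and A's key, never shared
    b_lock, b_key = make_lock(p)   # B's padlock and B's key, never shared
    wire: list[int] = []

    step1 = apply_lock(message, a_lock, p)   # 1. A padlocks the box
    wire.append(step1)                        # 2. ...and hands it to B
    step3 = apply_lock(step1, b_lock, p)      # 3. B adds its lock, hands it back
    wire.append(step3)
    step4 = apply_lock(step3, a_key, p)       # 4. A removes its own lock only
    wire.append(step4)
    step5 = apply_lock(step4, b_key, p)       # 5. B removes its lock: contents out
    return step5, wire


if __name__ == "__main__":
    # Constructed sample message, encoded as an integer.
    secret = int.from_bytes(b"hello", "big")
    received, seen_on_wire = three_pass(secret)
    print("B received the original:", received == secret)
    print("message ever visible in transit:", secret in seen_on_wire)
```

Running it shows B recovers exactly what A locked away, while none of the three values that crossed the wire is the message itself. The point of the toy is the one the post makes: each side only ever used its own key.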
Why is this a good idea?
Let's assume that your machine is not compromised. There is no 'bad man' sat in your OS or application, monitoring your keystrokes, or watching packets as they leave your machine. This, to be fair, is quite a big ask – but the world is not perfect, and I need to start somewhere… so here it will be.
With this assumption in place, by using an SSL certificate – for web traffic, that means HTTPS:// as opposed to HTTP:// – you are keeping that box with your information squirrelled away inside, out of sight of prying eyes, from your machine to the webserver.
This means out over your network, over your provider's network, over whatever transit links that network and the target server use, and to that specific webserver… and back. So your passwords are unseen, the content of your email is unseen; it's all good in the hood. Sure, the connection itself can be seen – you are leaving a trail – but the contents are secured.
You are (within reason) assured of two things: that the connection to the server at the other end is maintained once started, and that from point A to point B the contents are unreadable to all but the parties involved.
What it is not.
It is not a magic bullet.
It does not make your site "more secure" – it merely means that there is an encrypted tunnel between two machines, the contents of which will be exceptionally hard to read without a lot of time and resources.
You are still susceptible to attacks – they simply come in over encrypted tunnels.
Why are there so many types?
Validation. No more. No less.
Take a 'self-signed' certificate and the most expensive type of certificate out there, at a comparable key length… you may need to take a moment to get your head around this, but cryptographically speaking they are identically secure.
Yes. Whether it is free, ten pounds, or a thousand pounds for the certificate – the security it delivers is…. THE SAME.
What you are buying is assurance.
You are buying that warm and fuzzy feeling you probably don’t realise you are getting when you see the green text of a company name in the address bar.
When you purchase a certificate, what you are doing in essence is getting your key countersigned – akin to getting your passport photo signed. When you land at a site with a self-signed certificate: if it's yours, and it's for admin purposes – great. If it's a site you were looking to buy something from, then it's all gone a bit sour… your browser doesn't trust them. Should you? No… probably not.
Back to the passport photograph analogy: at one end of the scale you are signing it yourself; next up you are getting it signed by your doctor; at the other end it's, let's say, Price Waterhouse.
Your status as the owner and requester of the certificate is checked out – an increasing amount of due diligence is done to assure that you are, at least, doing a good job of being who you say you are.
Why? Sure – good question. So that your customer TRUSTS that they are buying from the real deal. They trust that they are going to have some form of recourse: you exist, your company is stable, has a postal address, a phone that works, is registered at Companies House, and so on.
Our biggest selling certificate for business use is our EV (Extended Validation) True BusinessID certificate – which is the entry point into having the company name shown in green in the address bar, next to the address. You are, in short, paying for trust – that warm and fuzzy feeling that it is rare to be able to buy in just about any other field.
You said there was excitement?
As hushed masses start to whisper things like Web 3.0 and phrases such as HTTPS Everywhere… the smart masses are switching to a platform called "Let's Encrypt". This is a mechanism set up by a number of really rather large, important groups (namely the Electronic Frontier Foundation (EFF) and the Mozilla Foundation) who are big on Open Source, and equally big on privacy and security as a right.
The short version is that they have a simple, quick method to deploy certificates with absolutely zero diligence on who you are – while at the same time delivering a certificate your browser isn't going to get all upset about, making you answer a question and trust something before you even get to view the content.
“So why is this a good idea, who is it for, and why are you offering it?”
Sure. It is a good idea because encryption everywhere is generally agreed to be a good thing – no matter who you are.
If you have a blog, or a site that doesn’t handle payments, a holding page, a club site – something like that – this is for you.
Why are we offering it? Well – because we also believe in privacy and encryption everywhere as a good thing.
Some of you on our newer packages – specifically the Linux ones, and I believe shortly the Windows packages – will have noticed that there is a LETS ENCRYPT icon in your control panel.
Click on it, check the email address, tick the box, and save – you are done.
You may need to have a look over your code – change your default home page to include the S, or redirect to it in .htaccess (or web.config) – but this gives you, gratis, what would usually cost £10 per year.
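As an added example (not from the original post or the control panel), this is the .htaccess redirect the paragraph above refers to, for an Apache-based Linux package with mod_rewrite available. The hostname and path are taken from the incoming request, so nothing here is specific to one site:

```apache
# Added example, not from the original post: send every plain-HTTP request to
# the HTTPS version of the same URL, keeping the host and path as requested.
# Assumes mod_rewrite is enabled on the package (true for most shared Linux
# hosting, but check yours).
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Try it with R=302 first and switch to R=301 once you are happy, because browsers cache a 301 for a long time and a wrong one is awkward to undo. If your package sits behind a proxy that terminates TLS for you, %{HTTPS} may never read "on" and the condition needs to look at the X-Forwarded-Proto header instead. The web.config equivalent on the Windows packages does the same job through the IIS URL Rewrite module.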
Privacy is something that we believe is worth taking the hit on. Give it a go.
As if that was not enough of a silver lining… Google gives preference to sites that are delivered over SSL. Oh my. Best get on that now.
Surely there is a catch?
Well, actually, no… this is in everyone's interest apart from 'the bad man' and, to a certain extent, 'the state' if you are a cynic, and it helps everyone else in the short and long run. Win win. Thank you EFF/Mozilla.
We would NOT ADVISE THIS IS USED FOR ANYTHING THAT HANDLES SALES OR MONEY OR CARD TRANSACTIONS – we would direct you firmly towards our EV certificates or our RapidSSLs – however, for that blog on kittens, that local pub's ale selection, and your mother's crochet group, this is the perfect upgrade – and it's free… go find it today.