SSL Requirements

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

The main idea of HTTPS is to create a secure channel over an insecure network.

How it works:

The Secure Sockets Layer (SSL) protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. In short, this is how it works:

  • A browser requests a secure page (usually https://)
  • The web server sends its public key with its certificate
  • The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted
  • The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server together with the encrypted URL required as well as other encrypted HTTP data
  • The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data
  • The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key
  • The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information

The trust inherent in HTTPS is based on major certificate authorities that come pre-installed in browser software (this is equivalent to saying “I trust certificate authority X (e.g. VeriSign/Microsoft/etc.) to tell me whom I should trust”). Therefore an HTTPS connection to a website can be trusted if and only if all of the following are true:

1. The user trusts that their browser software correctly implements HTTPS with correctly pre-installed certificate authorities

2. The user trusts the certificate authority to vouch only for legitimate websites without misleading names

3. The website provides a valid certificate, which means it was signed by a trusted authority

4. The certificate correctly identifies the website (e.g., when the browser visits “https://example”, the received certificate is properly for “Example Inc.” and not some other entity)

5. Either the intervening hops on the Internet are trustworthy, or the user trusts that the protocol’s encryption layer (TLS or SSL) is unbreakable by an eavesdropper

Most browsers display a warning if they receive an invalid certificate. Older browsers, when connecting to a site with an invalid certificate, would present the user with a dialog box asking if they wanted to continue. Newer browsers display a warning across the entire window.
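The three checks the browser performs on the received certificate (issued by a trusted party, still valid, related to the site contacted), as an added Python example that is not part of this page: it runs on a constructed certificate in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the trust store is simplified to a plain set of issuer names rather than a real chain validation.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}
# Constructed clock values (seconds since the epoch) for exercising the validity check
VALID_TIME = ssl.cert_time_to_seconds("Jun 15 00:00:00 2025 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  2 00:00:00 2026 GMT")

def _flatten(rdn_seq):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}

def _dns_matches(pattern, hostname):
    """Match a certificate DNS name; a leading '*' covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.shop.example.com" -> ".shop.example.com"
    label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return label != "" and "." not in label   # reject empty and multi-label prefixes

def check_certificate(cert, hostname, trusted_issuers, now):
    """Return the reasons a browser would reject the certificate (empty list means accept)."""
    problems = []
    # 1. Issued by a trusted party (simplified: issuer organisation is in the trust store)
    issuer = _flatten(cert["issuer"]).get("organizationName")
    if issuer not in trusted_issuers:
        problems.append(f"issuer {issuer!r} is not a trusted CA")
    # 2. Still valid: the current time lies inside [notBefore, notAfter]
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        problems.append("certificate is outside its validity period")
    # 3. Related to the site contacted: SAN DNS entries, falling back to CN only if no SAN
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _flatten(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    if not any(_dns_matches(n, hostname) for n in names):
        problems.append(f"certificate names {names} do not cover {hostname!r}")
    return problems
```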

The difference from HTTP

As opposed to HTTP URLs, which begin with “http://” and use port 80 by default, HTTPS URLs begin with “https://” and use port 443 by default.

HTTP is unsecured and is subject to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL).

Server setup

To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it. The authority certifies that the certificate holder is indeed the entity it claims to be. Web browsers are generally distributed with the signing certificates of major certificate authorities so that they can verify certificates signed by them.

To enable SSL on a website, you need an SSL certificate issued by a certificate authority such as GeoTrust, VeriSign, etc.

List of pages where the “https” URL is displayed after SSL is installed:

  • administrator dashboard
  • front-end – register page
  • front-end – lost password page
  • front-end – all payments pages: checkout and shopping cart pages
  • front-end – thank you page
  • user dashboard – profile page
  • twitter redirect pages
  • upgrade page
  • all pages containing captcha

Note: HTTPS is also used on HTTP pages where the login overlay is loaded.