Why running your business from a secure site is important

01/31/2017

Google and Mozilla are tightening the reins on insecure websites. Mozilla recently rolled out Firefox 51 to its mainstream user base, and it now warns users when a page offers a login form over a plain HTTP connection. Google announced new secure-connection indicators for Chrome that came into effect in January, so we moved all our sites from HTTP to HTTPS. We spoke to the member of our technical team who was responsible for this project.

What do Google’s new rules entail?

Google has announced that HTTPS is a ranking signal, so a site that stays on HTTP can slip lower down the SERP (search engine results page). This is against everything we strive towards: higher rankings mean more traffic, which in turn means more business.

What is HTTPS?

HTTPS stands for Hypertext Transfer Protocol Secure. It is the ordinary HTTP protocol, which transfers web pages and other data between a web server and a browser, carried over an encrypted TLS connection; the “S” stands for “secure”.

Until recently, HTTPS was commonly used only on the payment pages of e-commerce sites.

A secure connection requires a certificate, still usually called an SSL certificate (Secure Sockets Layer certificate) even though modern browsers and servers use SSL’s successor, TLS. The certificate identifies the server and lets the browser and server set up an encrypted connection. Without HTTPS, any data passed between them travels in the clear. This matters most where sensitive information crosses the connection, e.g. an e-commerce site that accepts online card payments, or any site with a login.

How does HTTPS work?

HTTPS secures the connection at both ends so that an outside party cannot harvest the information passing over it. It provides three guarantees:

  • Encryption: Data passed from the client to the server and back is encrypted, so another party on the network (on the same Wi-Fi, at the ISP, or anywhere in between) cannot “listen in on” or “eavesdrop” on what is sent.
  • Data integrity: Data going to and coming from the server cannot be altered in transit without detection. This stops tampering, where a party between browser and server changes the page or injects content into it, for example advertising or malicious scripts.
  • Authentication: The browser checks the server’s certificate against a trusted certificate authority, which ensures that the server the user is connected to belongs to the business they intend to deal with. This stops “man-in-the-middle” attacks, where an attacker impersonates the server in order to intercept and read data meant for it.

What is HTTP?

HTTP (no “S” on the end) is not encrypted and is the insecure version. Data passing between the two systems can be read, and altered, by any third party on the path.

Why switch over?

To push more websites to implement encryption and to better protect users, Google will start to flag plain HTTP connections as insecure in its popular Chrome browser.

The plan launched in January 2017 with the release of Chrome 56 and will roll out in stages. Chrome 56 shows a “Not secure” label, next to the neutral information icon, before HTTP URLs in the browser’s address bar, but only for those web pages that contain password or credit card form fields.

In later Chrome releases, the HTTP warnings will be further expanded. First, HTTP pages will be labelled as “not secure” when accessed in the browser’s privacy-oriented Incognito mode. Eventually, Chrome will show the warning for all HTTP pages and will switch the security indicator to the red triangle now used for broken HTTPS connections.

Google’s other efforts to push encryption on the web include using HTTPS as a ranking signal in its search engine. The online advertising industry has also made significant progress in serving ads over HTTPS.

Finding solutions?

For the move from HTTP to HTTPS, we made use of the Let’s Encrypt service.
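One thing that bites every HTTP-to-HTTPS move is mixed content: a page served over HTTPS that still pulls a script, stylesheet, image or frame from a plain http:// URL, or posts a form to one. Browsers block the active kind (scripts, stylesheets, frames), downgrade the padlock for the passive kind (images, media), and warn when a secure page submits a form to an insecure address. The scanner below is an added example, not code from this post or from Let’s Encrypt; it lists such references in a page’s HTML so they can be fixed before the switch. The sample page is constructed.

```python
"""Mixed-content check for a site that is about to move to HTTPS.

Added example, not code from the original post. Finds subresource and form
references that still use http:// in a page's HTML. The sample page below
is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which each tag pulls in, or sends data to, another URL.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}

# "active" content is blocked by the browser, "passive" content only
# downgrades the security indicator, and an insecure form "submit" sends
# whatever the user typed (e.g. a password) in the clear.
SEVERITY = {
    **dict.fromkeys(("script", "link", "iframe", "object", "embed"), "active"),
    **dict.fromkeys(("img", "source", "video", "audio"), "passive"),
    "form": "submit",
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, severity) in document order

    def handle_starttag(self, tag, attrs):
        names = URL_ATTRS.get(tag)
        if not names:
            return
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched as subresources; canonical,
            # alternate and similar links are metadata and are not loaded.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is a comma-separated list of "url [descriptor]" pairs.
                urls = [part.split()[0] for part in value.split(",") if part.strip()]
            else:
                urls = [value]
            for url in urls:
                # Relative and scheme-relative ("//cdn...") URLs inherit https.
                if urlparse(url.strip()).scheme.lower() == "http":
                    self.findings.append((tag, name, url.strip(), SEVERITY[tag]))


def scan(html: str) -> list:
    """Return every http:// reference in `html` as (tag, attr, url, severity)."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two blocked resources, one degraded image, one
# insecure login form; the canonical link and scheme-relative script are fine.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://www.example/">
<script src="//cdn.example/app.js"></script>
<script src="http://tracker.example/t.js"></script>
</head><body>
<img src="/images/logo.png" srcset="/images/logo.png 1x, http://images.example/logo@2x.png 2x">
<img src="https://images.example/banner.jpg">
<iframe src="https://maps.example/embed"></iframe>
<form action="http://www.example/login" method="post"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, severity in scan(SAMPLE_HTML):
        print(f"{severity:8} <{tag} {attr}=\"{url}\">")
```

Run it against each template of a site before flipping it to HTTPS; anything marked active will simply stop working once the page is secure, and anything marked submit is the case the padlock is meant to protect.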

What is Let’s Encrypt?

Let’s Encrypt is a free, automated and open certificate authority (CA), run for the public’s benefit by the Internet Security Research Group (ISRG), a non-profit funded by sponsors and donors. It issues domain-validated certificates in order to enable HTTPS for websites and create a more secure and privacy-respecting Web.

What is the difference between a Let’s Encrypt certificate and an SSL certificate bought from Azapi?

Both are domain-validated certificates, and both result in HTTPS and the green padlock in the browser’s address bar. The strength of the encryption does not depend on who issued the certificate but on the TLS configuration of the web server, which is the same in both cases.

They are issued by two different certificate authorities but perform the same function.

How does the domain verification work?

Domain validation is done either by verifying the existence of a specified DNS (Domain Name System) record, or of a file with specified contents accessible over HTTP at a specified path on the domain. If the requester can create either of these, they have demonstrated control of the domain. For a more detailed explanation see Let’s Encrypt’s “How it Works” page.
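The two validation methods described above are the HTTP-01 and DNS-01 challenges of the ACME protocol (RFC 8555), which Let’s Encrypt uses. The code below is an added example, not code from this post or from Let’s Encrypt’s own software: it computes what the requester must publish for each challenge and performs the check the CA then makes. The CA’s fetch is simulated, with the web server and the DNS zone passed in as dictionaries, and the account key and token are constructed sample values, not real ones.

```python
"""ACME domain validation (RFC 8555): HTTP-01 and DNS-01 challenges.

Added example, not from the original post or from Let's Encrypt's software.
The web server and DNS zone are stand-in dictionaries; the account key and
token below are constructed sample data, not a real key.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's
    required public members only, sorted, no whitespace. Extra members
    such as "kid" or "alg" do not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token || "." || thumbprint(account public key).
    Tying the token to the account key stops another ACME account from
    completing a challenge it did not request."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# --- HTTP-01: the requester serves the key authorization at a fixed path ---

def http01_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def validate_http01(token: str, account_jwk: dict, web_server: dict) -> bool:
    """CA side. `web_server` maps path -> response body, standing in for a GET
    to http://<domain>/.well-known/acme-challenge/<token>."""
    body = web_server.get(http01_path(token))
    if body is None:
        return False
    # RFC 8555: the CA ignores trailing whitespace in the response body.
    return body.rstrip() == key_authorization(token, account_jwk)


# --- DNS-01: the requester publishes a digest of the key authorization ---

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(TXT record name, TXT record value): name is _acme-challenge.<domain>,
    value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def validate_dns01(domain: str, token: str, account_jwk: dict, dns_zone: dict) -> bool:
    """CA side. `dns_zone` maps record name -> set of TXT values."""
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in dns_zone.get(name, set())


# Constructed sample keys (not real RSA keys) and a sample CA-issued token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk", "kid": "acct-1"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZW90aGVyLWFjY291bnQta2V5"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo(domain: str = "www.example.com") -> dict:
    """Publish both challenge responses for SAMPLE_JWK, then run the CA checks."""
    server = {http01_path(TOKEN): key_authorization(TOKEN, SAMPLE_JWK) + "\n"}
    name, value = dns01_record(domain, TOKEN, SAMPLE_JWK)
    zone = {name: {value}}
    return {
        "http01_ok": validate_http01(TOKEN, SAMPLE_JWK, server),
        "http01_other_account": validate_http01(TOKEN, OTHER_JWK, server),
        "dns01_ok": validate_dns01(domain, TOKEN, SAMPLE_JWK, zone),
        "dns01_wrong_token": validate_dns01(domain, "AAAA", SAMPLE_JWK, zone),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point worth noticing is that neither challenge proves anything about the server’s TLS setup; both only prove that whoever holds the ACME account key can place content on the domain, which is exactly what a domain-validated certificate asserts.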

The initial process was manual: a system had to be built against the Let’s Encrypt platform to handle validation, and each site had to be validated individually.

How long is my Let’s Encrypt certificate valid for?

Let’s Encrypt certificates are valid for 90 days. Azapi automatically renews the certificate after 60 days, which leaves a fail-safe of 30 days should the renewal, for whatever reason, not succeed on day 60.

You, as the customer, do not need to renew the certificate; renewal is handled for you indefinitely.

Is there a setup fee for Let’s Encrypt?

No, we will not charge our clients for the move from HTTP to HTTPS. Let’s Encrypt is a free service that runs on the goodwill of its donors. This move benefits our clients, and we believe in adding value.

Should your site require a certificate beyond the Let’s Encrypt one we provide, for example for an e-commerce website or where secure login is needed, please contact us for assistance.

Are certificates from Let’s Encrypt supported by all browsers?

Almost. There are minor exceptions, e.g. some gaming consoles, older BlackBerry devices and Windows XP before Service Pack 3. See the Let’s Encrypt compatibility list for specifics.

Where can I find more information about Let’s Encrypt?

You are welcome to have a look at Let’s Encrypt’s FAQ.

Do you need an SSL certificate? Let us know and we will gladly help you.