This is an SSL certificate primer for dummies. It is not intended to be exhaustive or turn you into an expert. It is merely an initiation. Feel free to add tips you feel are important in the comments section however.
Whenever I am visiting local websites I am amazed with how many of them continue to use unsecured http connections when submitting forms. There are even corporates and public sites that continue to offer email and other such sensitive services on these connections. For some reason they fail to comprehend that these days we live in a perilous world where online security is constantly being undermined by all sorts of people from your average day hacker to governments.
Not having an SSL connection to secure your site is simply inexcusable nowadays, you can get one online for as little as $7/year. This might not spare you from government backed hacking like PRISM, but it will certainly scare away script kiddies and your random hacktivist. Even Google no longer uses unsecured for making searches. It is strange therefore whenever I visit bank websites and see they have not even bothered to at least purchase a domain validation certificate. It seems most people operate under the naive assumption that no one will be eavesdropping on their connections.
When you see the light and do decide to use an SSL certificate, it is important that you choose the right one depending on your budget and the purpose for which you intend to use the certificate for. There are five major classes of certificates:
-
Self signed.
-
Domain Validation.
-
Organizational Validation
-
Extended Validation
-
Wildcard SSL
Self signed certificates– these are self-generated as opposed to being issued by a Certification authority. They are great for testing purposes and internal use in organisations. They are not recommended for production or e-commerce use because every time a user visits the site they receive a warning and they have to manually override this to see the site. Self signed certificates give a red text in the address bar.
Domain Validation certificates– these are the traditional certificates, their purpose is to assure a person visiting the website that it is indeed the authentic site and encrypt the connection between the two computers
.
Organizational Validation certificate-these, in addition to the services provided by domain validation certificates, are only issued after the applying entity has been vetted and includes a clickable link with your organisation’s information. These are characterised by green text in your address bar. They are ideal for payment processing,email services and other personal services.
Extended Validation certificate-these offer the highest level of security and involve thorough verification of your website. These are also known as greenbar certificates because they present a greenbar in the address bar which can be clicked to give additional information about the organisation. This is a must have if you are an ecommerce website.
Wildcard certificates– can belong to any of the above categories but are not tied to any single domain. There are issued to domains of the form *.example.com and can be used on your subdomains as well. They are usually more expensive and should only be used by large organizations. Chances are most Zimbabweans, even organisations, do not need these unless you are an ISP.
It is would be great if everyone was security conscious, and I feel some web companies here in Zimbabwe should do more to conscientize and help their clients to use secure connections especially for websites that habitually collect personal information such as online directories, organizational email, banks (these should have at least domain validation certificates for their sites), social sites and ecommerce sites.
CheapSSL.com offers affordable cerficates that most of you will find affordable and they also accept Zimbabwean credit cards without a fuss as some do.
If you have any suggestions or additional tips please leave them in the comment section.
Share
Home
21 comments
SSL and HTTPS are NOT guarantee’s that your information is still secure mate. If the site, code and server are not secured properly, this really makes no difference. this is really just to secure against man in the middle attacks. You’d be surprised how many HTTPS sites still store people’s passwords and other sensitive info in plaintext on their relevant db’s
I was not looking to give a comprehensive guide on security. SSL and HTTPS are simply a part of a long list of security measures that at the disposal of the developer. You rightly pointed out that they will not foil some forms of attack but the reason I mentioned them is that they do prevent some forms of attack. Thank you for pointing this out.
you dont walk the talk man,you talk security and you dont know any thig about it, this is y i came here once a we to know what econet has been up to only that, for security i go same were like 39hg97fjh7.onion
So u think ur validated by knowing a tor site? n00bies!
i know more than you can ever know in your life tyme, and becoz you know how to google does not make you a pro
You don’t even know how to spell correctly. Get outa here.
Hence the reason why he said for dummies. It is an intro. Anything deeper some one will have to research on their own. Or ask questions.
mypoint is he is waiting about ssl yet they dont us it,simple ,if same on is going to tell about same thing he must be doint same thing right
Dude it’s a primer…get over yourself
Guess what? Even man in the middle attacks are now possible. Recent revelations from the trove of NSA-leaks indicate that GCHQ and NSA can break/bypass online encryption(SSL,fincancial transactions …etc… included) using cryptanalysis and all manner of backdoors.
Whatever you communicate electronically has ceased to be private.
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
just because a door can be kicked in by a thief doesnt mean you should not put a door on your house. Its NOT a gurantee that nobody will get into your house, but it does stop the ‘normal’ thief.
As with all security measures, there are weaknesses in the system.
Its like that Dettol advert when they say ‘Protects against 99.9% of all germs’.
The 0.1% is mainly the very resourceful hacker teams (think governments/ government agencies, from the link: $250m-a-year US program) thats a load of quid (ask BITI).
Going back to ‘What is SSL’:
“SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).”
So in summary, SSL will stop tinm@n, allan, zimhacker, Philipino HAckeRZ and other script kiddies from intercepting your communications.
> It will, therefore not stop SQL injections or XSS attacks for example.
You’re preaching to the choir sorry.
just a heads up
Thanks for the tip. I have pointed out in the article that certificates are unlikely to stop determined government attacks as we have learnt now and again ( in PRISM and IRAN)
Good primer though. More of those. To the point.
wildcards are basically normal SSL certs, they can be domain validated or EV, the only thing special about them is they are valid for *.domain.com rather than just http://www.domain.com
also my SSL is Domain Validated – i still get the green text in chrome, you dont get green text, when the page you are visiting is pulling in resources e.g. JS from http sources, its chrome warning you that some parts of the page might not be secure
Garikai, I think you have done you part in letting people know of this security issue. Other people can criticise but what is important here is for developers to take the responsibility
and intitiative for the BASIC security. People should understand that
security cannot be 100% – if u put a 2m durawall and razor wire around
your property that does not mean determined thieves cannot get in. The
fact here is u would have minimised unauthorised entry which is ok. The
highest level security certificates can still be compromised but
“amateur” criminals would have been discouraged to make an effort. In
fact good security is where u make the criminal really work. There are
so many security issues presented with these exciting technologies, but at least its good you have started somewhere to create awareness. Thanks.
If you talk SSL and leave out bit size, they still wont make sense(fiscally and otherwise).
And why SSL a simple contact form on a small hobby website? Overkill and speed overhead negate any supposed extra cover offered. In fact, a simple CAPTCHA does more than SSL in most sites. What business and website owners have to do is realise where SSL is required and where HTTP alone is required. As a matter of interest, what does more harm to reputation from a layman point of view, a forgotten SSL certificate that has expired, versus a site without?
[…] In this article we are assuming you have your own domain and have already set up you MTA to use TLS/SSL authentication. […]
[…] We have already looked SSL certificates here. […]
[…] We have already looked SSL certificates here. […]