Basics of HTTPS (HTTP over SSL)

  Basic information, Web hosting

This article describes the basic theory of HTTPS and the concepts related to it. The goal is not to provide complete information and teach novices about this technology, but to simply provide a general overview.

To set up HTTPS for web hosting read HTTPS for a web hosting.

Encryption and Credibility

Encrypted communication means that all data transmitted between the server and the client (our server and your web browser) is encrypted, communication can be intercepted by someone, but it cannot be decrypted, and thus no one can detect what page you are viewing, and what data you are sending. When using unencrypted communication, it is not recommended to send personal data via Web forms, since it can be theoretically intercepted and misused by an unauthorized person (especially passwords, credit card numbers, etc.).

Trusted communications mean that the client authenticates the server, and is therefore confident that the website is downloading from the right server and that attacker does not substitute a fake page.

Encryption does not guarantee credibility, they are two different things, but SSL can provide both.

What is SSL and HTTPS?

SSL (Secure Socket Layer) is, in general terms, the technology used for encryption and trusted communication in computer networks. It can be used in any application protocol – for POP3 (POP3 + SSL = POP3S) with SMTP (SMTP + SSL = SMTPS), etc..

To use SSL, we need 2 things:

  • A Private Key – the encryption / decryption key that the owner keeps secret, ie. places it on the WWW server.
  • A Certificate – the public key for encryption / decryption, which contains information about the identity of its owner (of their server) and is signed by a certification authority.

The certificate is always (in the case of WWW pages) bound to a domain name (or can be used for multiple domain names).

Regular certificates are only for one specific name (eg. www.example.cz) – then communication is trusted if the certificate is used on web sites, where the site’s domain exactly matches the name in the certificate. If these names do not match, then the communication is untrusted.

You can also use wildcard certificates, for example *.example.cz, for any website or subdomain, ie for example www.example.czeshop.example.com – for all these cases, communication is trusted. This, however, does not apply to a domain of the 4th level (for example my.eshop.example.cz).

To access Web sites through SSL, URLs with https at the beginning are used, for example https://www.example.cz/. For unencrypted access, the usual http address is used, for example http://www.example.cz/.

If the name of the certificate matches the domain of web sites, then it is Trusted Communication. If it does not match, then it is Untrusted and the browser notifies you of possible security risk (because the browser can not guarantee that you are connecting to the correct server) when entering such sites over HTTPS.

How Do I Get a Certificate and a Private Key?

If you use SSL with a shared certificate for our web hosting, you do not have to worry about anything, our certificate and private key will be used. There are, however, some limitations and the communication will not be trustworthy. Find out more in HTTPS for a web hosting article.

If you would like access to your website to be encrypted and trusted at the same time, (ie. you do not want to display security warnings in browsers to your customers and for them to be sure that communication is trusted), then you need to get your own domain certificate.

Certificates are issued by Certification Authorities, which are organizations that are widely trusted and which are trusted by creators of operating systems and web browsers. These Certification Authorities will issue a certificate based on verification of your “identity”, which in the case of web pages means that they will somehow verify that you are indeed the owner of the domain and that you are requesting the certificate. The certificate can not be issued to a ‘stranger’ who has nothing to do with the domain.

The issuance of the certificate is charged and the certificate is valid for one or more years, but never valid permanently. Before its expiration, it is necessary to get a new one.

It depends on each certification authority on how they choose to verify your identity. The easiest way is to send a password to the e-mail of the domain owner – this is the most basic level of verification. If you want to have a more trustworthy certificate, it is usually necessary to come in person with an identity card, an extract from the Commercial Register, or scan your documents and send them somewhere, etc. The certificates state not only the domain name, but also the identity of the person / company to which the certificate was issued.

Our company does not issue certificates. To get one, you need to contact the certification authority by yourself and deliver the final certificate and private key to us.

To receive a certificate for your web site, any of the following listed authorities are suitable: