What Is the Difference Between HTTP and HTTPS?
Have you ever noticed the letters http or https at the beginning of every website URL? Take notice and you’ll see that they are there every time. In fact, even when you don’t see them, they are there. But what do http and https stand for? How are they different from each other? And probably most importantly, does it matter? Yes, it does, a great deal. In fact, if you input “http” instead of “https” in the URL, there’s a good chance that the website will not work properly and may not even load at all.
HTTP stands for “HyperText Transfer Protocol”, and it is the protocol used to send data over the internet. Data sent over http travels in plain text with no encryption at all. Therefore, traffic to http websites can be read by anyone on the internet who intercepts it, even if the page has sensitive or personal information including passwords. The S in https, on the other hand, stands for “secure”. Https websites encrypt all of the data that is sent or received over the internet, which makes it much more secure as well as more difficult to tamper with.
This article will address and provide answers to the following questions:
When were http and https first used?
Http was first released in 1991 by Tim Berners-Lee. Mr. Lee is a British computer scientist who was knighted by Queen Elizabeth II and was named in Time magazine’s 100 Most Important People in the 20th Century edition of December 1999. And what was Mr. Lee’s claim to fame? He is credited with inventing the World Wide Web. Http was the first interactive text-based web browser and was created alongside HTML, one of the first coding languages, intended for simple text in websites.
Https, on the other hand, was created by Netscape Communications in 1994 as an extension to http to make its web browser, Netscape Navigator, more secure. Its initial purpose was so users could send credit card information securely over the internet to allow for online purchases.
What has https traditionally been used for?
Https has traditionally been used for internet usage that needed to be secure due to the risk of theft or to prevent the release of sensitive user information. Banks, shopping websites, and doctors’ offices/hospitals have used https the longest to make certain that financial or patient information stayed secure.
A little while later, websites started using https to encrypt passwords. In 2008-2009, Microsoft and Google made https optional on their login pages. Within two years, it had become standard for most login pages. Without https when logging in, your password is sent in plain text for anyone who chooses to look for it. Over time, https became more mainstream. Now, more than 80% of websites implement https.
In fact, in 2014, Google turned https into a ranking signal. They not only started using https in their Google Mail, Google Search, and Google Drive, but also started rewarding sites that followed suit with a higher Google ranking. Therefore, if you wish to rank well on Google, converting your website to https has become essential.
Why is https becoming more important as time passes?
With http sent in plain text, it is easy to intercept and use the information contained on http websites for malicious purposes. One such purpose is the “man in the middle” phishing attack. In that attack, the attacker inserts himself into an online conversation, impersonates both parties, and gains information that the two parties were attempting to send to one another without either party’s knowledge. In this manner, the attacker is able to gain access to any sensitive information that they might have been discussing.
Https also reduces the piracy that can occur through an open network connection or public wi-fi network, such as in coffee houses or stores, though it is not fail-safe, nor does it stop all attacks from such locales.
What’s more, according to Chris Hoffman, content writer for McAfee in his blog “What is HTTPS, and Why Should I Care?”, internet service providers are legally allowed to spy on their customers’ web browsing history and sell it to advertisers. As a matter of fact, Verizon created a supercookie that they are using to track users’ ads. What’s more, documents leaked by Edward Snowden back in 2013 indicated that the U.S. government monitors the internet activity of many users for national security purposes, both domestically and abroad. This activity, which was previously unknown, is controversial and has led to a lot of scrutiny. Using an https URL largely curtails this type of activity. Using https, however, is not infallible. If you wish to stay secure during your internet usage, you may need to take other steps to protect yourself.
Finally, by using https, you will receive a boost in Google search ranking, so there is a better chance that your website will be found.
How can I distinguish between an HTTP and an HTTPS URL?
It is easy to determine whether a website is http or https by a quick visual inspection. By just looking at the website URL, you might be able to figure it out. If it says http, guess what? It’s http – and vice versa. Browsers don’t always show whether a given website is http or https, however. You can still determine which it is if you know what to look for. If a website is https, there will be a lock in the upper left-hand corner in front of the URL address.
What if I open a website using http instead of https?
If you mistakenly open an https website with http, it will more than likely still come up, but some of its functionality may be missing. If the site normally asks for permission to access your location or access to your camera or photos, for example, it probably won’t, nor will the website allow you to do those things. In addition, some pages that request personal or sensitive information may not come up at all. Those pages may appear to have a bug when they are actually functioning according to design, since an http website is not secure in any way and would allow others to see and steal your sensitive information. What appears to be a problem with the site or page, in this case, is actually protecting the user from having personal information stolen.
How do you acquire an https website?
In order to have an https website, a business or organization needs to acquire a security certificate (SSL) which does expire and needs to be renewed. Most SSL certificates need to be renewed every year, though there are exceptions. If the certificate expires, it will cause pages with sensitive information to have issues or, in some cases, not load at all. There are different types of security certificates and there are times, depending on the business or organization, that more than one security certificate may be needed. Some security certificates are very inexpensive, starting at $8 per year, while others can go up to $1000 per year. Types of security certificates include the following:
- Domain Validated (DV) SSL Certificate: This type of certificate validates that the domain name is registered to the applicant through an automated validation process. It does not verify the identity of the organization and does not provide any additional features.
- Organization Validated (OV) SSL Certificate: This type of certificate validates that the domain name is registered to the applicant, and it also verifies the legitimacy of the organization who possesses it. An OV SSL Certificate provides additional features as well such as the company’s name displayed in the certificate.
- Extended Validation (EV) SSL Certificate: This type of certificate provides the highest level of validation available and is used for high-profile, high-security websites. These websites include e-commerce websites, financial institutions, government organizations, and large corporations. It verifies the domain name and the organization, and provides additional features such as a green bar in the address bar.
- Wildcard SSL Certificate: This type of certificate allows a single certificate to be used to secure multiple subdomains of a domain.
- Multi-Domain (SAN) SSL Certificate: This type of certificate allows a single certificate to be used to secure multiple domains.
- Code Signing Certificate: This type of certificate is used to digitally sign software and other code to verify the author and integrity of the code.
Matraex is an app and software development company located in Boise, Idaho, and our goal is to answer all of your app development and tech-related questions so you can be an informed consumer.
Verify ssl certificate chain using openssl
SSL certificates ‘usually’ work and show ‘green’ in browsers, even if the full certificate chain is not correctly configured in Apache.
You can use tools such as SSL Labs or run a PCI ASV check on your site to find out if you are compliant, but a quicker way to do it is using openssl from the command line.
Using this command you can quickly verify your SSL certificate and certificate chain from your Linux command line using openssl:
openssl s_client -showcerts -connect mydomain.com:443
If you receive a line, ‘Verify return code: 0’, at the end of the long output, your chain is working; however, you might receive an error 27 if it is not configured correctly.
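To make that check scriptable, the following added example (not part of the original post) parses `openssl s_client -showcerts` output, reporting the final verify return code and how many certificates the server actually sent. The function name `chain_status`, the sample hostnames and CA names, and the trimmed sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client -showcerts` output read from stdin.
# Prints "verify_code=<n> certs_sent=<n>". Returns 0 only for code 0,
# 1 for any other code, 2 when no "Verify return code" line was seen.
chain_status() {
    awk '
        /^ *[0-9]+ s:/ { certs++ }                # "N s:<subject>" marks one cert the server sent
        /Verify return code: [0-9]+/ { code = $4 + 0; seen = 1 }  # may repeat; keep the last
        END {
            if (!seen) { print "verify_code=none certs_sent=" (certs + 0); exit 2 }
            print "verify_code=" code " certs_sent=" (certs + 0)
            exit (code == 0 ? 0 : 1)
        }'
}

# Constructed, trimmed sample outputs (PEM bodies omitted; names are placeholders).
sample_full_chain() { cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
    Verify return code: 0 (ok)
EOF
}

# Server sends only its own certificate, so the client cannot build the chain.
sample_missing_intermediate() { cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

for s in sample_full_chain sample_missing_intermediate; do
    printf '%-28s ' "$s"
    "$s" | chain_status || true
done

# Live use (the command from this post, with stdin closed so it exits after the handshake):
#   openssl s_client -showcerts -connect mydomain.com:443 </dev/null 2>/dev/null | chain_status
```

A `certs_sent` of 1 together with a non-zero code is the typical signature of a server that is not sending its intermediate certificate.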
In order to configure it correctly, you will likely need a line in your Apache conf file
in addition to the lines which list your key and cert files:
SSLCertificateFile <yourcertfilename>
SSLCertificateKeyFile <yourkeyfilename>