When you develop a website, there are many things you need to consider. Security is also one of them. With cyberattacks on websites rising every year, it has become an additional responsibility of web developers to build a solid foundation for the security of their websites. SSL is also a part of that foundation. So, if you’re a web developer, there are certain things you must know about it in order to ensure the security of your websites. Here we’re going to cover those things for you, so you can develop websites that are SSL-protected.
SSL and TLS: What’s the difference
First, an important fact: What we’re talking about is NOT SSL! That’s right – it’s Transfer Layer Security (TLS) protocol that secures our webpages today. The TLS is a successor to SSL 3.0, and it was adopted way back in 2014 after SSL was found vulnerable to POODLE attacks. However, SSL continued to be the mainstream term for secure data transfer protocol of Web, which is why we still talk of SSL instead of TLS. But as a developer you should keep in mind that although we call it SSL, we’re referring to TLS.
How SSL works: The TLS Handshake
Now, the next important thing for a developer to know about SSL is how it works. Basically, it works by establishing a secure connection known as a “session” between the web browser of a user (known as “client”) and the host of a website (known as “server”). This secure connection is established over HTTPS protocol, and here’s how it’s done:
- Client Hello: Whenever a user fires any HTTPS-based URL from his/her web browser, the browser sends a “hello” message to the web server hosting that URL. This message also includes crucial details about the capabilities of browser, like the highest SSL version it supports (i.e. TLS 1.0, TLS 2.0, TLS 3.0 etc), the cipher suites supported by it, and a random byte string called client random.
- Server Hello: Upon receiving this message, the server sends its own “hello” message to the client. This message includes information about the cipher suite chosen by the server from list provided by the client, a session ID, its SSL certificate, the public key of certificate, and another random string of bytes called server random.
- Authentication: The client then verifies the SSL certificate sent by the server from its Certificate Authority (CA) to ensure that the communication is happening with the actual owner of a domain name.
- Sending of Premaster secret: Upon successful verification of SSL certificate, the client sends another random string of bytes, called a Premaster secret, to the server. This premaster secret is encrypted by the public key of SSL certificate that was sent along with the Server Hello message.
- Decryption of Premaster secret: The server decrypts message received from client with its Private key and extracts the premaster secret.
- Creation of Session keys: Now the server and client both create session keys from client random, server random and premaster secret. The computation results in same output (aka same keys) on both sides.
- Client ready: Client sends a “finished” message to server once session keys have been created.
- Server ready: Server sends a “finished” message to client once session keys are created.
- Encryption achieved: That’s it. Secure connection has been achieved now, and webpages protected with encryption can be transferred now between both client as well as server.
So that’s how a TLS Handshake helps in creation of a secure connection between client and server over HTTPS protocol. Once this connection has been established, both client as well as server encrypt every file and webpage before it’s sent by them. The files and webpages are then decrypted by the receiving party (i.e. server or client) using the session key.
The right time to install an SSL certificate
It’s also important for every developer to know the right time of installing an SSL certificate. The SSL certificate should be installed early in the life of a website, usually before you start uploading your webpages to the server. There’s a solid reason behind it. If you upload all your webpages and files to the server but install the SSL certificate later, some of your files (i.e. images, java scripts etc.) may load through the unsecure HTTP protocol despite your webpages loading on HTTPS.
Do you know why?
Because your webpages will have HTTP links referring to those files. And when webpages are requesting a file over HTTP, it’ll by default load over HTTP instead of HTTPS. It is called mixed content error. In such a situation, your website may not show the green padlock of SSL, because some elements will be loading over unsecured HTTP protocol. When that happens, the browsers may mark your website as ‘Not secure’ despite your website having SSL certificate installed properly. To fix this thing you’ll have to do the additional work of changing all HTTP references to HTTPS references in the code of every single webpage that you developed.
Now, if you want to avoid this problem, the solution is to install your SSL certificate right in the beginning of site development. If you install it before uploading all the webpages and files to the web server, the references to all files in your webpages will have HTTPS links only, thus eliminating the possibility of ‘no padlock’ from all your webpages.
How to Force SSL: Creating Redirects
Finally, every web developer should also know how to force a website to load on HTTPS even if someone tries to access it through the insecure HTTP protocol. That is achieved by creating redirects, and you should learn how to create the necessary redirects in your web server to force the loading of your website on SSL-protected HTTPS protocol. Generally, the process looks something like this (for example in cPanel):
- Login to the cPanel (or any other Control panel, depending on your host) of your website;
- Navigate to the Redirects section either by clicking an icon or searching for it;
- Create a permanent (301) redirect for your HTTP homepage (i.e. http://xyz.com/) to HTTPS homepage (i.e. https://xyz.com/);
- Save the changes.
That’s it. The process may vary slightly for different cPanel, but it’s roughly the same. You may have to research a little more to get guide for cPanel.
The pricing of SSL certificate varies
If you’re going to purchase the certificate yourself, it’s also crucial to know that the pricing of SSL certificates varies between CAs and vendors. For example, a RapidSSL Wildcard certificate may cost more or less than a DigiCert Wildcard SSL certificate. Therefore, you should also do a comparison of pricing before choosing an SSL certificate for the site which you’re developing.
So that’s what every web developer should know about SSL certificates. This information can come handy when you develop your next site as it can save you from doing any sort of mistakes while deploying SSL certificate. And when you do less mistakes, you’ll save both time as well as money. So, keep all these things in the back of your mind, and keep developing!