JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!


Upload: wilco-alsemgeest

Post on 13-Jan-2017


TRANSCRIPT

Page 1: JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!

Why and how to use HTTPS on your website!

Page 2

HTTPS

Wilco Alsemgeest

• Senior Windows System engineer at ORTEC B.V.
• Regional Coordinator – Joomla Certification Program for the Joomla User groups in the Netherlands
• Owner Connecting Connections
– Since Mambo working with and for Joomla!
– Extension translator RSJoomla!, Hikashop, Freestyle-Joomla
– Organizer/Supporter many different Joomla! events.

https://twitter.com/conconnl

https://www.facebook.com/conconnl/

Page 3

• Principles of TLS / SSL
• Obtaining an SSL Certificate
– Which SSL Certificates are available?
– What do I need for this?
– How to get one?
– How much time does it take?
• Implementation and Maintenance
• Good to know!
• Joomla! and HTTPS

Page 4

Principles of TLS / SSL

• Definitions
• What is TLS / SSL?
• What are certificates?
• Why is HTTPS necessary?
• How is the secure connection created?
• What are the dependencies?

Page 5

Principles of TLS / SSL
Definitions

• DNS – Domain Name System
• TLS / SSL – Transport Layer Security – Secure Sockets Layer (Predecessor)
• CA – Certificate Authority
• (Sub) Domain name (TLD)

Page 6

Principles of TLS / SSL
What is TLS / SSL?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are standard cryptographic protocols for providing secure communication between supplier and client.

Page 7

Principles of TLS / SSL
What are certificates?

All browsers have the capability to interact with web servers using the TLS / SSL Protocol.

For that, the browser needs a Root CA Public SSL Certificate (pre-installed) and the server needs an SSL Certificate issued by a Root CA to be able to establish a secure connection.

Page 8

Principles of TLS / SSL
Why is HTTPS necessary?

Websites that use an SSL Certificate can be recognized by the use of the HTTPS protocol instead of HTTP. The “S” stands for Secure, which means encrypted by both the client browser and web server.

Because the network traffic is encrypted from start to end, there is no possibility to capture (for instance) username and password combinations.

Page 9

Principles of TLS / SSL
How is the secure connection created?

When a browser attempts to access a website that is secured by TLS, the browser and the web server establish a TLS connection using a process called “Handshake”.

Essentially, three keys are used to set up the TLS connection: the public, the private and the session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.

Page 10

Principles of TLS / SSL
How is the secure connection created?

Page 11

Principles of TLS / SSL
How is the secure connection created?

1. The browser connects to the website secured with TLS / SSL (HTTPS) and asks the server to identify itself.
2. The server sends a copy of the SSL Certificate and Public key.
3. The browser checks the certificate against the list with trusted Certificate Authorities and the date/time validity. The website address is checked with the common name in the certificate. The browser creates a Session Key with the use of the Public Key and sends this to the server.
4. The server decodes the Session Key with the Private Key; sends confirmation encrypted with the Session Key back to the browser.
5. Server and browser start communicating with all data encrypted with the Session Key.

Page 12

Principles of TLS / SSL
What are the dependencies?

SSL certificates are bound to a ‘common name’ registered in the DNS, which is usually a fully qualified domain name but can be a wildcard name (e.g. *.domain.com).
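The checks the browser makes in step 3 of the handshake, together with the wildcard names described on this slide, can be sketched as follows. This is an added example, not part of the original presentation; the certificate is a constructed dictionary, the function names are hypothetical, and the issuer lookup is a simplified stand-in for real signature-chain validation.

```python
from datetime import datetime, timezone

def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one certificate name with the requested host name."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False  # a wildcard stands for exactly one label
    if pattern[0] == "*":
        # Wildcard only as the whole left-most label, with at least two
        # fixed labels behind it, so "*.com" is never accepted.
        return len(pattern) >= 3 and pattern[1:] == host[1:] and host[0] != ""
    return pattern == host

def check_certificate(cert: dict, hostname: str, trusted: set, now: datetime) -> list:
    """Return the reasons to reject the certificate; an empty list means accept."""
    problems = []
    if cert["issuer"] not in trusted:  # simplified stand-in for chain validation
        problems.append("issuer not trusted")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("outside validity period")
    if not any(name_matches(name, hostname) for name in cert["names"]):
        problems.append("name mismatch")
    return problems

# Constructed sample data, not taken from a real certificate.
UTC = timezone.utc
TRUSTED_ROOTS = {"Example Root CA"}
WILDCARD_CERT = {
    "issuer": "Example Root CA",
    "names": ["*.domain.com"],
    "not_before": datetime(2016, 1, 1, tzinfo=UTC),
    "not_after": datetime(2017, 1, 1, tzinfo=UTC),
}
NOW = datetime(2016, 11, 19, tzinfo=UTC)

if __name__ == "__main__":
    for host in ("www.domain.com", "domain.com", "shop.eu.domain.com"):
        print(host, check_certificate(WILDCARD_CERT, host, TRUSTED_ROOTS, NOW) or "accepted")
```

A wildcard certificate for *.domain.com covers www.domain.com, but neither the bare domain.com nor a deeper name such as shop.eu.domain.com, which matters when choosing between a wildcard and a multi-domain certificate.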

Page 13

Obtaining an SSL Certificate
Which SSL Certificates are available?

Kinds:
• Domain name certificates
• SAN/UC/Multi-domain certificates
• Wildcard certificates

Validation methods:
• Domain validation (DV) (For all kinds)
• Organization validation (OV) (For all kinds)
• Extended validation (EV) (Only for domain and Multi-Domain)

Page 14

Obtaining an SSL Certificate
What do I need for this?

• A unique IP address, or Server Name Indication (SNI) functionalities.
• Correct contact information in WHOIS database.
• Business/Organization validation documents.

Page 15

Obtaining an SSL Certificate
How to get one?

• There are different methods for obtaining a certificate; all methods result in the same certificate.
• An IT partner can help with obtaining the SSL certificate.
• It’s possible to obtain a certificate at different suppliers.

Root suppliers: (Market leader) (Number 2, Market leader) (Oldest SSL Supplier) (Fastest growing SSL Supplier)

Page 16

Obtaining an SSL Certificate
How much time does it take?

Depending on the type of certificate and the supplier used, it can take from minutes to weeks.

• A domain validation certificate takes minutes.
• An organization validation certificate can take hours up to days.
• An extended validation certificate can take a few days up to a few weeks.

Page 17

Implementation and Maintenance

How do I implement one?
• Hosting supplier.
• ICT Partner
• Hosting control panel (DirectAdmin, Plesk, cPanel and others)

What maintenance is needed?
• Certificate renewal.
• Certificate replacement / upgrade.

Page 18

Good to know!

• SHA-1 encryption is outdated and will display warnings in the browser.
• HTTP Strict Transport Security (HSTS)
• HTTP/2 (The new internet), most browsers only accept HTTPS with TLS 1.2.
• Browsers are going to start warning visitors when the website does not use HTTPS

Page 19

Joomla! & HTTPS

• System – Global Configuration – Server – Force HTTPS
• .htaccess configuration (Depending on the Hosting supplier)
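Once Force HTTPS or an .htaccess rule is in place, and HSTS from the "Good to know!" slide is switched on, the result can be checked from the responses the site returns. This is an added example, not part of the original presentation; the responses are constructed, the function names are hypothetical, and header names are assumed to be stored with the exact casing shown.

```python
from urllib.parse import urlsplit

def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit_https(http_resp: dict, https_resp: dict, host: str) -> list:
    """Return findings for one site; an empty list means HTTPS is enforced."""
    findings = []
    target = urlsplit(http_resp["headers"].get("Location", ""))
    redirected = http_resp["status"] in (301, 302, 307, 308)
    if not (redirected and target.scheme == "https" and target.hostname == host):
        findings.append("HTTP does not redirect to https://" + host)
    hsts = https_resp["headers"].get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no HSTS header on the HTTPS response")
    elif not parse_hsts(hsts)["max_age"]:
        findings.append("HSTS max-age missing or zero")
    return findings

# Constructed responses (status code plus headers), not captured from a real site.
HOST = "www.example.org"
ENFORCED = (
    {"status": 301, "headers": {"Location": "https://www.example.org/"}},
    {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
)
NOT_ENFORCED = (
    {"status": 200, "headers": {}},
    {"status": 200, "headers": {"Strict-Transport-Security": "max-age=0"}},
)

if __name__ == "__main__":
    print(audit_https(*ENFORCED, HOST) or "HTTPS enforced")
    print(audit_https(*NOT_ENFORCED, HOST))
```

A max-age of 0 is reported because it tells the browser to drop the HSTS policy, which leaves the first plain-HTTP request unprotected again.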
