Encrypting web content is nothing new: It's been nearly 20 years since the publication of the specification for encrypting web content by running HTTP over the Transport Layer Security protocol. However, running a secure encrypted web server has gone from an option to a virtual necessity in recent years.
Attackers continue to seek -- and find -- ways to steal information sent between users and web services, often by tapping into unencrypted content being sent over the Hypertext Transfer Protocol. Even for mundane, untargeted web content, securing a website with encryption is crucial, as the top browsers now flag unencrypted websites as potentially dangerous.
While HTTPS website encryption is a requirement for assuring data integrity between browsers and servers, it is also increasingly a prerequisite for new browser functionality. Learning how to encrypt a website by enabling HTTPS is mandatory, especially for enterprises that want to provide users with a safe and secure web experience.
HTTP transfers data as plain text between the client and server. Therefore, anyone who has access to any network segment between you and the server -- on your network, on the server's network or any place in between -- is able to view the contents of your web surfing.
Use HTTPS to protect data relating to financial transactions, personally identifiable information or any other sensitive data, as well as to avoid having browsers flag your site as insecure. HTTPS enables website encryption by running HTTP over the Transport Layer Security (TLS) protocol. Even though the SSL protocol was replaced 20 years ago by TLS, the certificates used for HTTPS are still often referred to as SSL certificates.
Here's a simplified view of how it works:
While HTTPS sessions can be reliably considered secure from eavesdropping attacks, HTTPS by itself does not protect against any other types of attack. Site administrators must still take an active role in preventing and mitigating cross-site scripting, injection and many other attacks that target application or other website vulnerabilities.
The keys to encrypting a website reside, literally, in the web server. To enable a web server to encrypt all content that it sends, a public key certificate must be installed.
The details of installing an SSL certificate and enabling a web server to use it for HTTPS encryption vary depending on which web server software is being used. But, in almost all cases, the process broadly encompasses these steps:
Installing a digital certificate and providing users with the ability to make HTTPS connections to your web server is one of the simplest ways you can add security to your website and build user confidence when conducting transactions with you over the web. It eliminates "site not secure" messages from web browsers and ensures communications are not subject to eavesdropping on the internet.
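A check an administrator might run once the certificate is installed, given here as an added example that is not part of the original article: it uses Python's standard `ssl` module to fetch the server's certificate over a verified handshake, then audits its validity window and hostname coverage. `SAMPLE_CERT` is a constructed value in the shape `getpeercert()` returns; the function names and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Sep  1 00:00:00 2019 GMT",
    "notAfter": "Nov 30 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with chain and hostname verification; raises ssl.SSLError on failure."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and early TLS
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _covers(pattern, host):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def _utc(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def audit_cert(cert, host, now=None, warn_days=30):
    """Return a list of findings; an empty list means no problem was detected."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if now < _utc(cert["notBefore"]):
        findings.append("not yet valid")
    days_left = (_utc(cert["notAfter"]) - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days")
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_covers(name, host) for name in dns_names):
        findings.append("hostname not covered")
    return findings

if __name__ == "__main__":
    when = datetime(2019, 9, 19, tzinfo=timezone.utc)
    print(audit_cert(SAMPLE_CERT, "www.example.com", now=when))  # offline demo
```

Against a live server, pass the result of `fetch_cert("your.host.name")` to `audit_cert` with the same hostname; a failed handshake raises before any audit runs.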
19 Sep 2019