There is lots of discussion about using HTTPS lately. Browsers are getting more aggressive with visual cues to the end user when pages are not secure.
For example, Chrome will display a warning if it detects the page has any input fields it deems sensitive, such as a login form with a password field.
Edge will not display the padlock if the page has mixed content. This is when the page is served using HTTPS but makes a request for a resource using HTTP.
This typically happens when you upgrade a site and have not fully audited your content and upgraded your links and references to scripts, images, stylesheets, etc.
Don't forget to only reference new resources via HTTPS, or you can lose your site's padlock.
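Here is an added example (not code from the original post) of the audit that catches mixed content before an upgrade goes live: it scans an HTML document for sub-resource references that would load over plain HTTP, resolving relative and protocol-relative references against the page URL so only genuine http:// fetches are reported. The page URL and the sample HTML are constructed for illustration.

```python
"""Audit a page for mixed content (sub-resources fetched over plain HTTP).
Added example, not code from the original post; standard library only."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element attributes that make the browser fetch a sub-resource. Plain <a href>
# links are navigations, not mixed content, so they are deliberately absent.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "audio": ("src",),
    "video": ("src", "poster"), "object": ("data",), "embed": ("src",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL) per http:// fetch

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":  # comma-separated "url descriptor" pairs
                refs = [p.split()[0] for p in value.split(",") if p.strip()]
            else:
                refs = [value]
            for ref in refs:
                # Resolve relative and protocol-relative (//host/...) references
                # against the page URL; only explicit http:// references stay http.
                absolute = urljoin(self.page_url, ref)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

def find_mixed_content(html, page_url):
    """Return every sub-resource reference that would load over plain HTTP."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: two of its five resources would break the padlock.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
</head><body><img src="images/logo.png">
<img srcset="http://cdn.example.com/hero-1x.png 1x, https://cdn.example.com/hero-2x.png 2x">
<a href="http://www.example.com/about">About</a></body></html>"""
```

Running `find_mixed_content(SAMPLE_PAGE, "https://www.example.com/")` reports the stylesheet and the 1x image; the protocol-relative script and the relative image resolve to HTTPS and pass.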
What Is the Padlock
The padlock, typically green, indicates the page is secure. It is a simple visual cue to the end user that they can submit sensitive information to your server. This is because the site uses HTTPS, which requires a security certificate, enabling encryption. Certificates are issued once the site owner's identity has been validated.
A green padlock indicates:
- You are definitely connected to the website whose address is shown in the address bar; the connection has not been intercepted.
- The connection between the browser and the website is encrypted to prevent eavesdropping.
What it does not indicate is how secure the data is on the server. Sites may not store data, like passwords, safely. They may also use compromised or poorly maintained servers, making it easy for hackers to attack.
Transport Layer Security (TLS), better known as SSL, is an extra layer to the HTTP protocol. The 'S' in HTTPS stands for secure.
Requests served via HTTPS are 'wrapped' by the secure layer provided by TLS and its certificate. It really sits between HTTP and the TCP layer in the OSI diagram, but let's keep this simple today.
So HTTPS is all about the communication channel between the client and the server, not the server itself. Most browsers have become intelligent enough to detect and track sites with malware or used for phishing scams, and they display big red warning pages.
All browsers visually indicate if a site uses HTTPS with some sort of padlock icon on the left side of the address bar.
Employees, friends and family members should be trained to look for that symbol on any site. If they don't see the symbol and any data is being submitted to the site, tell them to stop!
In the past you would look at the URL to see if https was used. But the average person does not know what this means. Most likely they did not type the protocol part of the URL, as most URLs are either clicked or submitted without the protocol. The browser then assumes HTTP and the server will redirect to HTTPS before providing the content.
Currently there is no official standard as to how browsers should indicate the security state of a web page to the end user. Each major browser is experimenting with what works best.
Chrome and Firefox are 'testing the waters' to see what works best. For example, starting this summer any site not served via HTTPS will have a
There are different types of 'padlocks' available because there are three different classifications of TLS certificate.
- Domain: most basic, validates domain ownership
- Organization: requires additional documentation to prove identity in addition to domain ownership
- Extended: more rigorous proof required, typically legal proof
The level of scrutiny increases with each type. This means the confidence in identity is increased.
In other words, when you visit PayPal you know it is the real PayPal because you see the green padlock, often with the corporate name displayed, because they use an extended certificate.
Most sites won't have either an extended or organization certificate because they cost more money and require more work to receive. Domain validated certificates are the most common because they are typically free and take less than a minute to install.
Love2Dev.com uses a domain validated certificate and there is nothing wrong with doing so. The encryption and protection offered is the same as with an extended validated certificate. The difference is the 'confidence' in the owner's identity, since more scrutiny is required for the extended certificate.
There are many conversations about the different types of certificates and whether it is worth the extra money and time to get the extended certificate.
Personally I have mixed feelings. It is easy to get a domain validated certificate, which means bad guys can get them too, and do damage before they are invalidated. I don't think the average site should worry about EVs, but financial institutions, medical providers and some of the more popular e-commerce providers should.
If your brand is big enough to attract potential 'bad guys' trying to phish your customers then you should get the extended certificate.
Once you do, the browser will display your corporate name with the padlock. This is an added cue that the page is really your page.
Ultimately, as your customer, I know I can trust my interaction with your site.
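An added example, not from the original post, showing what separates the three certificate types inside the certificate itself: a domain validated subject carries only the common name, an organization validated subject adds the organization name a browser can show next to the padlock, and an extended validated subject adds legal-identity fields on top. The sample subjects and host names are constructed, the helper names are my own, and the classification is a heuristic (the definitive EV signal is the certificate policy OID, which Python's ssl module does not expose).

```python
"""Tell DV, OV and EV certificates apart by their subject fields.
Added example, not from the original post. Subjects use the nested-tuple layout
that ssl.SSLSocket.getpeercert()['subject'] returns, with OpenSSL's long field
names; the samples are constructed. Heuristic only: the definitive EV signal is
the certificate's policy OID, which getpeercert() does not expose."""
import socket
import ssl

# Fields the EV guidelines require in the subject beyond the organization name.
EV_REQUIRED = ("businessCategory", "serialNumber", "jurisdictionCountryName")

def subject_fields(subject):
    """Flatten ((('commonName', 'x'),), ...) into {'commonName': 'x', ...}."""
    return {name: value for rdn in subject for name, value in rdn}

def validation_level(subject):
    """Return ('DV'|'OV'|'EV', organization name a browser could display)."""
    fields = subject_fields(subject)
    org = fields.get("organizationName")
    if org is None:
        return "DV", None   # only control of the domain was verified
    if all(f in fields for f in EV_REQUIRED):
        return "EV", org    # identity and legal existence were verified
    return "OV", org        # identity verified, without the EV extras

def fetch_subject(host, port=443):
    """Fetch the live certificate subject for host (needs network; not used in tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]

# Constructed sample subjects, not copied from any real certificate.
DV_SUBJECT = ((("commonName", "www.example.com"),),)
OV_SUBJECT = ((("countryName", "US"),), (("organizationName", "Example Corp"),),
              (("commonName", "www.example.com"),))
EV_SUBJECT = ((("businessCategory", "Private Organization"),),
              (("jurisdictionCountryName", "US"),), (("serialNumber", "1234567"),),
              (("countryName", "US"),), (("organizationName", "Example Bank, Inc."),),
              (("commonName", "www.examplebank.com"),))

if __name__ == "__main__":
    import sys
    subject = fetch_subject(sys.argv[1]) if len(sys.argv) > 1 else EV_SUBJECT
    print(validation_level(subject))
```

Run it with a host name argument to classify a live site's certificate; without one it classifies the constructed EV sample.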
The primary HTTPS benefits are:
- Proof of Identity
- Confidence in the integrity of data transferred between client and server
- Preventing common attacks like man in the middle
Of course these are the security benefits. I shared 5 reasons you should use HTTPS in a previous article.
Who Issues Certificates?
TLS certificates are issued by a certificate authority (CA). There are many authorities offering certificates. Let's Encrypt has become the most popular source because they offer free certificates.
I use Amazon's Certificate Manager because I host my progressive web applications in AWS. The Certificate Manager takes about 30 seconds to generate a certificate after I submit the request. They even validate ownership through the Route53 DNS service.
Once issued I then apply the certificate to the CloudFront origin serving the site.
Originally Network Solutions was the only certificate authority, back in the early 90s. By the end of the 90s there were a handful of competitors. I used to use Thawte because they were based in Raleigh at the time.
Since then Network Solutions has bought many of those CAs, but more have emerged. Most are great, but others not so much.
Symantec recently had issues with many of its certificates. This has caused problems for many enterprises that use firewalls and routers with Symantec issued certificates.
But that is more of a technical issue, relegated to the responsibilities of your DevOps team.
Certificate authorities must pass a rigorous validation process before they can become an official CA. They must have their certificates trusted at a root level.
When they issue a certificate their credentials, referencing their CA certificate, are included.
The whole certificate process relies on their identity being trusted. If they issue a 'bad' certificate it affects their reputation and possibly the integrity of all the certificates they issue.
It is similar to having a friend vouch for you to enter some exclusive event.
The padlock is important to every web site. It not only means the content you serve is secure, it means it came from your server and you are who you say you are.
TLS certificates are free and easily obtainable by any site owner. You should be able to install them easily in today's cloud-first world. If you can't figure out how to install a certificate with your host and do not use a CDN, you are in luck.
Create an account with either AWS or Azure. Provision a CDN service (CloudFront in AWS) and set the origin to the URL your host gives your site, not your actual domain. You can then change your DNS to point to the CDN and use their free TLS certificate services to make your site secure. You will also benefit by distributing your content around the globe with a CDN.