Redirect to HTTPS

Google just announced that starting July 2018 Chrome, their very popular web browser, will start alerting for all websites which are not using Secure Sockets Layer, or SSL encryption. This is huge. The ramifications of such an alert could be quite impactful to traffic, to websites, and especially for the average user. So, what does that mean for you? More importantly, what can you do about it? No worries! Liquid Web has you covered.

In today's post, we'll be detailing some finer points of SSL encryption including what it is, what it means, and how to employ it. Let's get started!

What is Secure Sockets Layer (SSL)

Secure Sockets Layer, or SSL, is a means to encrypt traffic. That's it! They're no mystery, and there's no reason to feel daunted by the technical term. The best part is that you've probably been making use of SSL encrypted traffic forever and haven't even noticed it. If you've ever browsed to a website and noticed the prefix https:// or a little padlock in the browser bar, you're using Secure Sockets Layer encryption.

Unencrypted: non-SSL

Encrypted: Secure SSL

At a very high level, it's referred to as a key-cert pair, and it's super easy. The key file and certificate files are installed on your web server. Once installed your visitors browse to the https:// prefix and that's it! Their traffic is encrypted end to end. If you're unsure whether you're currently using an SSL, there are some handy tools like Why No Padlock that can help identify your usage.

How does SSL work?

The more technical portions revolve around an encryption algorithm and are a little specific for the average user. At its base, an encryption key and certificate are installed on your web server, as we mentioned earlier. This key is composed of details about the website. Nothing scary, though! It's just enough to ensure the site is who it claims to be. Details such as the domain name, the company's name, the company's business address; that kind of thing. You know, aspects you'd like to know about a legitimate company with whom you're choosing to do business and, as a business owner, are proud to announce to the public.

Finally, that information is submitted to a known certificate authority who'll encrypt the data into the key-cert pair we talked about already. You'll install the key-cert pair on your server. Then, whenever someone tries to access https on your site, their browser will receive that public cert and compare it to public records for your domain. The browser will verify that your business is legitimate, –because it is!– and will use that certificate to encrypt all the data that's passed between them and your web server.

This means, whenever there is data moving between them and you, if any bad guys try to inspect or steal it, all they'll get is a bunch of garbled junk. Your data and your clients' data are both safe and secure!

Liquid Web has a detailed step-by-step instruction on server setup at our Knowledge Base. Once you have an SSL installed on your site, your clients still have two means by which to connect to your site. The HTTP method, which is unencrypted, and the HTTPS method, which is encrypted by your new SSL. The choice is usually denoted by how your clients or your referral traffic structures their link.

Redirecting to HTTPS

The process is referred to as "Forcing SSL Redirection." Ultimately, you'll use code to make sure, whenever someone goes to HTTP, their traffic is directed over to HTTPS. Click on the tabs below to learn how the different ways to implement SSL onto your site.

Mixed Content (Insecure Content)

There is one last part. SSLs are installed on your server. So, they can only encrypt and protect objects that are on your server. This means, if you happen to be linking to off-server content, like Facebook posts, YouTube links, or images or other content from some else's sites, you have to make sure they're using an SSL too. If they're not, you're technically hosting insecure content on that page and Chrome will alert your clients as such (characterized by having https but not the green lock). If you're unsure about the content on your site, you can use a site like Why No Padlock to check. It'll give you a nice readout and will list any issues with unencrypted content under the "Mixed Content" heading in the report.

Luckily, big names like YouTube and Facebook are already on board and use SSLs. But there are still many sites on the internet who do not. It's up to you to help the internet's security and be diligent in our pursuit to be good net-citizens together.

You're now familiar with SSLs, Forced SSL Redirection and the upcoming Google Chrome alert. As always, if ever you need help or have issues, our Knowledge Base is here for you to peruse and our Helpful Support Humans are happy to help.