24
Should you use http or https? What’s the difference?
Http stands for hypertext transfer protocol; this is the communication protocol web browsers use to receive data from a website. Https is hypertext transfer protocol secure; the “secure” means that the data transfer is encrypted (and thus more secure).
The data transfer is encrypted by the use of a secure sockets layer (SSL) certificate. This certificate has to be purchased from a certificate authority (CA); most web hosts offer this facility.
The process is a bit complicated (well, very complicated really), but it basically works like this:
The user gives an https address to a browser (to view a website)
The browser sends a message to the web server requesting a certificate and a public (encryption) key
The server issues a certificate and a public key to the browser
The browser checks the certificate with the issuing certification authority.
If the certificate is not verified, communication fails and the browser issues a warning (usually “your connection is not private”)
If the certificate is verified, the browser sends its own encryption key to the server
The server then decrypts the key and uses it to encrypt the content that is sent to the browser
The browser decrypts the content and displays the web page
Https is the preferred type of website: it will give a stronger ranking with Google and it tells people that you consider security to be important. Chrome is also getting more twitchy about http and is starting to flag up off-putting warnings when it encounters such sites.
If you are serious about your website, you will want to use https.
That said, it isn’t free; it costs me another £50 per year plus VAT to have an SSL certificate.
What I will say is this: if you are going to use https, you are better to do it at the start. I didn’t, and switching it all over later is a pain in the arse — something I’m not entirely sure I’ve sorted out even now, a year later.
Make your decision and stick with it, is what I say; if you have even the slightest doubt, pay the fifty quid and buy the SSL certificate.
Getting the certificate is a relatively easy process; you do it through your web host. They will have some add-on package that makes this available to you. With Heart Internet, it is in the add-ons section:
It is called
, under this I get several options:
Simple SSL (£50)
Standard SSL (£150)
Extended verification SSL (£250)
The more expensive options come with some form of warranty, I guess a sort of insurance policy. I went for the simple one.
One of the questions you will be asked is whether your site URL is to be https://www.yourdomainname or https://yourdomainname.
Generally, you can have either; the www is no longer compulsory, and most new sites do without the www (mine does). It doesn’t matter which you use, just be consistent.
When you apply (and pay up) it will send emails to the following addresses:
administrator@[your domain]
hostmaster@[your domain]
postmaster@[your domain]
webmaster@[your domain]
This means that you must be able to allocate email addresses with your web host. This is fairly standard; virtually all web hosts that provide you with a domain name also give you the facility to assign mailboxes with your domain name (e.g. in my case: mg@practicalseries.com).
Heart Internet use Starfield Technologies as the certification authority; you will eventually receive an email from the authority asking you to verify the certificate. This usually involves creating a web page that contains a code the authority sends to you; it proves that you are in charge of the website. This is the email I received with the code and instructions about how to deploy it (I’ve changed the code, obviously).
When I looked at the
link on the email, it told me to do the following:
It wants me to create a folder structure from the root of the web site (the folder above public_html); you can see it in Figure 24.7, it is the:
.well-known/pki-validation/
It then wants a file called starfield.html in that folder containing the code specified in the email, the thing that starts l4omb in the email.
I created this file in the above path and then clicked the bottom link in the email to validate it.
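As an added example (my own script, not the page’s code and not anything from Heart Internet or Starfield), the following Python writes the validation file into the web root and checks, before you click the validation link, that it is reachable over plain http with the exact code and without being redirected to https (the certificate does not exist yet, so a forced https redirect would make the authority’s check fail). It assumes the web root you pass in is the directory the server serves files from; the token is a constructed placeholder, not a real one.

```python
from pathlib import Path
from typing import Callable, Tuple
import urllib.error, urllib.request

# Path and file name as given on the page; the token is a constructed placeholder.
VALIDATION_DIR = Path(".well-known") / "pki-validation"
VALIDATION_FILE = "starfield.html"
EXAMPLE_TOKEN = "l4omb-EXAMPLE-TOKEN-NOT-REAL"  # constructed, not a real validation code


def write_validation_file(webroot: Path, token: str) -> Path:
    """Create .well-known/pki-validation/starfield.html holding exactly the token."""
    target = webroot / VALIDATION_DIR / VALIDATION_FILE
    target.parent.mkdir(parents=True, exist_ok=True)
    # Raw bytes, no trailing newline or BOM: the authority compares the body exactly.
    target.write_bytes(token.encode("ascii"))
    return target


def check_local(webroot: Path, token: str) -> bool:
    """Read the file back and confirm it holds the token byte for byte."""
    target = webroot / VALIDATION_DIR / VALIDATION_FILE
    return target.is_file() and target.read_bytes() == token.encode("ascii")


def _http_get(url: str) -> Tuple[int, bytes]:
    """GET without following redirects; return (status, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx as an HTTPError instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_served(domain: str, token: str,
                 fetch: Callable[[str], Tuple[int, bytes]] = _http_get) -> str:
    """Confirm the token is served over plain http: status 200 and an exact body."""
    url = f"http://{domain}/{VALIDATION_DIR.as_posix()}/{VALIDATION_FILE}"
    status, body = fetch(url)
    if 300 <= status < 400:
        return "redirected: disable the http-to-https redirect until the certificate is issued"
    if status != 200:
        return f"unexpected status {status}"
    if body != token.encode("ascii"):
        return "body does not match the token exactly (stray newline or BOM?)"
    return "ok"
```

Run `write_validation_file(Path("/path/to/webroot"), "<code from the email>")` and then `check_served("yourdomainname", "<code from the email>")`; anything other than "ok" tells you what to fix before clicking the validation link.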
A few minutes later Heart Internet emailed me to say that the certificate had been verified and the site was now available at the https://practicalseries.com address, and it was. That was all there was to it (apart from the fifty quid).