
Hi all,

Is there like a test online or something that tests the security of a website and if it passes the test, then the website will get transferred/changed to https? What does a website have to do in order to get https certified?

Thanks in advance.

https://linustechtips.com/topic/783915-what-does-a-website-need-to-be-https/

HTTPS (Hypertext Transport Protocol Secure) is useful for sites that collect and transmit personal information. Banks, e-commerce sites, social networks and online schools need to have HTTPS in place to make sure sensitive information is protected.



I work on websites daily, and all you need is an SSL certificate to change over to HTTPS, since all modern versions of Apache, Nginx, and LiteSpeed (the software serving your webpages) can serve pages over both port 80 and port 443 natively. If you have a specific question about how to make it happen on a particular site, I might be able to help, otherwise you can find more info here: https://www.liquidweb.com/kb/what-ssl-do-i-need/


Quote

Is there like a test online or something that tests the security of a website and if it passes the test, then the website will get transferred/changed to https

 

There's no such thing.

You have to configure the web server to serve content encrypted (listen on port 443 along with regular port 80 for http) and you need a valid SSL certificate in order for encrypted communication to work (an SSL certificate is like a notebook which contains a "public password" that's used by both the web server and the person accessing the website to create some secret passwords that are then used to encrypt content).

Public tests simply check the SSL certificate for authenticity, to make sure it wasn't "hacked" or altered in such a way as to allow people to go between you and the website and snoop on the communication.

Let's Encrypt is an organization that makes it easier to install SSL certificates and obtain SSL certificates: https://letsencrypt.org/how-it-works/

These are basic certificates. For websites that handle payments or more serious stuff, some browsers don't consider these free certificates good enough; you have to pay up to hundreds of dollars per year for a valid certificate from a more respected organization.

Most web browsers try to encourage usage of encryption, of SSL (serving pages through https), by refusing to talk to web servers using the more modern and faster HTTP/2 protocol (as opposed to HTTP/1.1, which is now years old) unless those web servers have encryption enabled.

That's why some websites enable it even though technically it's not really required, like on this forum for example, where most of your posts are public anyway and indexed by Google within seconds from your posting.

11 minutes ago, nerdslayer1 said:

HTTPS (Hypertext Transport Protocol Secure) is useful for sites that collect and transmit personal information. Banks, e-commerce sites, social networks and online schools need to have HTTPS in place to make sure sensitive information is protected.

According to this site: http://www.howto-expert.com/how-to-get-https-setting-up-ssl-on-your-website/, if you buy a certificate and activate it, your website automatically changes to https, please correct me if I'm wrong. This could mean that your website can change to https even when your website isn't secure. Also, can a scammer make an https website so that he can scam everyone that sends information through his site? Their customers will think that the website would be secure.

9 minutes ago, kirashi said:

I work on websites daily, and all you need is an SSL certificate to change over to HTTPS, since all modern versions of Apache, Nginx, and LiteSpeed (the software serving your webpages) can serve pages over both port 80 and port 443 natively. If you have a specific question about how to make it happen on a particular site, I might be able to help, otherwise you can find more info here: https://www.liquidweb.com/kb/what-ssl-do-i-need/

Check my message above ^^

10 minutes ago, mariushm said:

 

There's no such thing.

You have to configure the web server to serve content encrypted (listen on port 443 along with regular port 80 for http) and you need a valid SSL certificate in order for encrypted communication to work (an SSL certificate is like a notebook which contains a "public password" that's used by both the web server and the person accessing the website to create some secret passwords that are then used to encrypt content).

Public tests simply check the SSL certificate for authenticity, to make sure it wasn't "hacked" or altered in such a way as to allow people to go between you and the website and snoop on the communication.

Let's Encrypt is an organization that makes it easier to install SSL certificates and obtain SSL certificates: https://letsencrypt.org/how-it-works/

These are basic certificates. For websites that handle payments or more serious stuff, some browsers don't consider these free certificates good enough; you have to pay up to hundreds of dollars per year for a valid certificate from a more respected organization.

Most web browsers try to encourage usage of encryption, of SSL (serving pages through https), by refusing to talk to web servers using the more modern and faster HTTP/2 protocol (as opposed to HTTP/1.1, which is now years old) unless those web servers have encryption enabled.

That's why some websites enable it even though technically it's not really required, like on this forum for example, where most of your posts are public anyway and indexed by Google within seconds from your posting.

Can the owner of the site see the content that is moved from one end to another? Or does the owner have to know the key that the server gave the user?

it's called SSL

https://www.globalsign.com/en-au/ssl-information-center/what-is-an-ssl-certificate/

Quote

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details

to purchase one you have to get one from an SSL certificate provider

an example we use at work is:

https://www.thawte.com/ssl/

it's just that, once done, follow your website hoster program or web page to install the certificate on the web server and it should automatically work and start using http:\\ or https:\\

and there is no difference between http and https (as far as I know, there might be a difference on how the data is handled)

****SORRY FOR MY ENGLISH IT'S REALLY TERRIBLE*****


No, it doesn't change automatically.

Users could still simply type http in front of your site's address and it would work without encryption. You would have to configure the web server to automatically route browsers to the new encrypted connection.

If users type https in front of the address AND you change your web servers from listening for connections only on port 80 (HTTP) to both port 80 (HTTP) AND port 443 (HTTPS) and the SSL certificate is properly installed THEN the connection would be encrypted.

The article simplifies things, probably because it assumes most people would use shared hosting, managed VPS or managed servers, which would already come pre-configured to listen for connections on both ports.
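Added example, not part of any post in this thread: a minimal Python sketch of the port-80 side described in the post above, which answers plain-HTTP requests with a redirect to the HTTPS address. The host names and port 8080 are assumptions; the HTTPS listener with the installed certificate is the web server's job and is not shown.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical site names; only these may appear in a redirect target.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_HOST = "example.com"


def https_location(host_header, path):
    """Build the https:// URL a plain-HTTP request should be sent to."""
    host = (host_header or "").strip().lower()
    # Drop an explicit port such as ":80"; HTTPS uses its default, 443.
    host = host.split(":", 1)[0]
    # Never echo an unknown Host header back, or the redirect could be
    # pointed at someone else's site.
    if host not in ALLOWED_HOSTS:
        host = DEFAULT_HOST
    # Anything that is not an origin-form path falls back to the home page.
    if not path.startswith("/"):
        path = "/"
    return "https://" + host + path


class RedirectToHttps(BaseHTTPRequestHandler):
    """Port-80 side: every request gets a permanent redirect."""

    def do_GET(self):
        target = https_location(self.headers.get("Host"), self.path)
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Port 8080 stands in for 80 so the demo runs without root.
    HTTPServer(("127.0.0.1", 8080), RedirectToHttps).serve_forever()
```

Production servers such as Apache or Nginx do the same thing with a redirect rule on the port-80 virtual host.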

4 minutes ago, Carlos1010 said:

if you buy a certificate and activate it, your website automatically changes to https, please correct me if I'm wrong. This could mean that your website can change to https even when your website isn't secure. Also, can a scammer make an https website so that he can scam everyone that sends information through his site? Their customers will think that the website would be secure.

Yes, sadly some scammers usually use "secure sites" to fool users into giving them information.

3 minutes ago, nerdslayer1 said:

yes, sadly some scammers usually use "secure sites" to fool users into giving them information. 

But doesn't the scammer have to know the little key the server gave the user to send the encrypted message through their website?


10 minutes ago, Carlos1010 said:

Check my message above ^^

 

Right, so you seem to be confused with what HTTPS and SSL mean in terms of security. They simply mean the connection is encrypted between site users and the server host so that third parties like other users on public WiFi or your ISP or a backbone internet provider cannot see the data being sent in plaintext form.

HTTPS and SSL do not mean the site or server isn't malicious itself. You can serve up malware via HTTPS, or host a phishing site designed to look like your bank/ebay/paypal over HTTPS just to make it look more convincing to your visitors. Your site is also not safe from vulnerabilities in your own code, so if you have a flaw in server side code that lets a malicious user upload say... a virus (for simplistic reasons here) to the server, HTTPS will do nothing to prevent that.

6 minutes ago, Carlos1010 said:

But doesn't the scammer have to know the little key the server gave the user to send the encrypted message through their website?

The server hands out (or ideally, generates) the key to site visitors for each connection. This is known as a handshake, and ensures that ONLY the server and that visitor can talk to each other, and also verifies that the server is indeed who the site visitor thinks it is. What happens with the data between a user and an HTTPS connection is fully readable by the server and user already, so there's no "key" needed by the scammer - you, the user, just need to not submit your PayPal login details to www.paypal.thisistotallypaypal.notaphishingsite.somehacker.com.cn even if it has a nice little green padlock.
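Added example, not part of the original thread: the check the post above asks users to make by eye, written in Python. It compares the registrable domain of a URL with the one expected; the suffix set is a small constructed stand-in for the Public Suffix List, and the /login path on the sample URL is constructed.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
SUFFIXES = {"com", "org", "cn", "com.cn", "co.uk"}

# Host name taken from the post above; the path is constructed.
PHISH = ("https://www.paypal.thisistotallypaypal.notaphishingsite."
         "somehacker.com.cn/login")


def registrable_domain(url):
    """Return the public suffix plus one label, or None if unknown."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest, so that
    # "com.cn" wins over "cn".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                return None  # the host is itself a bare suffix
            return ".".join(labels[i - 1:])
    return None


def belongs_to(url, expected_domain):
    """True only for an https URL whose registrable domain matches."""
    return (urlsplit(url).scheme == "https"
            and registrable_domain(url) == expected_domain.lower())


if __name__ == "__main__":
    for candidate in ("https://www.paypal.com/signin", PHISH):
        print(candidate, "->", registrable_domain(candidate),
              "| paypal.com?", belongs_to(candidate, "paypal.com"))
```

The labels on the left of a host name are chosen freely by whoever controls the registrable domain on the right, which is why "paypal" appearing in the name proves nothing.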

SSL (HTTPS) is about securing the communication between you and the website you access. It's not about what the end website does with the data you enter there.

It encrypts everything in-between so that nobody can read the data being exchanged between you and the website.

For example, let's say you go on Wikipedia using an unencrypted connection. The ISP detects that you've connected to Wikipedia because you're asking them to convert wikipedia.org to an IP address using DNS, then it can log the url (from which it can know the page title) and if it wants to it can make a copy of the reply from Wikipedia to you because that comes back in clear text.

But, if you access Wikipedia using an encrypted connection, the ISP can still detect that you're connecting to Wikipedia's server (because you've asked for Wikipedia's IP using DNS), but from that point the connection is encrypted - the ISP can't tell which page you request from Wikipedia, and can't log the answer from Wikipedia.
