I recently made a rash Tweet saying that if you don’t have SSL (Secure SocketsLayer; what HTTPS uses) your WordPress site will be hacked. That’s an overstatement. I’ve known people who’ve run WP sites without SSL with no problems.
So here’s a little web SSL orientation for people who have better things to do than learn the details of computer security.
First, some people think that you need SSL on your web site/service only if you’re doing things you want to hide, or if you’re doing financial transactions.
My opinion is that your web needs SSL for anything that involves posting or login. As plenty of people have pointed out, if you as a web client don’t use SSL when you post or login to a site, an attacker – an eavesdropper – can easily post or login to that site as you. So if you don’t have SSL, you can’t trust that the poster or login isn’t somebody whose life goal is to sell counterfeit shoes, inflate the Google ratings of their bogus web site, or worse.
Another benefit of SSL is that it gives your web clients better assurance that when they go you your site, say “https://needhamia.com”, they are talking to the real site and not some imposter site (who wants to sell shoes, etc.)
SSL can involve a bit of sticker-shock on the scale of buying web hosting in the first place, so think about the costs to you and your users of your site getting hacked or their accounts or data being stolen. If your site and data need to be safe, you’ll probably choose to bite the bullet and pay the money necessary to make your site secure. (I know, I know, it sounds like a racket doesn’t it?)
SSL also involves a lot of lingo. Thankfully, you don’t have to understand the details of the meaning of the words or how SSL/HTTPS works to use it.
So here’s my recommended sequence of things you need to do to support SSL. I’ve left off the details because I just want to give you an orientation rather than a tutorial.
- Find a web host that supports SSL. Most do, but a surprising number don’t. If you’re building your own web host from scratch, I expect you’ll be able to setup SSL.
- Buy a domain name. For example, my domain name is Needhamia.com. It will cost you a small amount per year. This name is necessary for SSL registration. Some web hosts support only domain names that they sell, vs. domain names sold by other domain name registration services.
- Once you have your domain name, connect it to your web site. If you bought your domain name from your web hosting service, they can help you do this. It’s not complex.
- Once you have connected your domain name to your site, order an SSL certificate. It can cost you a surprisingly large amount per year – but think about the costs to you of not having it: suppose somebody hacks your site or impersonates a user. There are several kinds of certificates. Again, some web hosts support only SSL certificates that they sell vs. certificates sold by others or ‘signed’ by yourself. Filling out the paperwork can seem daunting, but it’s not so bad for the simpler types of certificates.
- “self-signed”. These certificates are the simplest/cheapest because you can make one yourself. It gives your web clients the security they need to keep from being eavesdropped. It doesn’t give them any assurance that your site is real – but that’s ok in some applications.
- “standard” certificates. These are often the least expensive certificates a web host will sell. They’re probably fine if your site doesn’t deal with money directly. This is the level certificate I’m using on Needhamia.com.
- Fancy certificates. These are more about what kind of logos various browsers will show for your site, and how much assurance the certificate gives web clients that your site is who it says and you are who you say you are. Useful if you’re selling stuff.
- Once you have your SSL certificate, install it on your web site. Your web hosting company can make this easy for you, especially if you bought the certificate from them.
- Ta Da! Now https://yourdomainname uses SSL!
- To make your browser-based clients safer, it’s a good idea to make your web site “redirect” http to https. That is, if they type “http://yourdomainname” their browser automatically goes to “https://yourdomainname” instead. I found it hard to find the instructions I needed for this step, but a little searching turned it up.
To sum up: you need to, in this order, get a site, get a domain name for it, get an SSL certificate for that domain, install the SSL certificate on your site, and (optionally) redirect http to https.
Now you can build some really cool web apps!