Securing with HTTPS
HTTP, an abbreviation for HyperText Transfer Protocol, is a stateless protocol in which clients 'pull' data from servers through requests. By default, browsers fetch data over HTTP, which is unencrypted and therefore susceptible to 'man-in-the-middle' attacks as data hops from one server to another during transmission. A website communicating sensitive information such as account passwords and credit card information should be hosted over HTTPS (HyperText Transfer Protocol Secure), which encrypts the HTTP layer with TLS (Transport Layer Security), or its now-deprecated predecessor, SSL (Secure Sockets Layer). Notice how a padlock symbol appears to the left of the address bar when you enter a URL (Uniform Resource Locator) that begins with 'https://...' in a browser.
Most web hosts offer TLS certificates. However, if you are hosting your own server and wish to secure your website with HTTPS, you will need to get a TLS cert online. Some certs are meant for a single domain name, some cover the subdomain names too, whereas some can be shared across different domain names. Be aware that you should obtain a TLS cert only after obtaining a domain name.
You can obtain a TLS cert for free at https://certbot.eff.org/.
You can also purchase a cert from a TLS cert authority such as
ssl.com,
ssls.com,
NameCheap,
The SSL Store,
GoDaddy,
GlobalSign,
DigiCert,
Thawte,
GeoTrust,
Entrust,
Network Solutions
etc.
Installing a TLS cert usually involves generating a private key and a CSR (certificate signing request) file on the server machine. Visit https://www.digicert.com/easy-csr/openssl.htm for instructions on how to use OpenSSL. Only the CSR file is uploaded to the cert authority; the private key stays on the server. After uploading the CSR file, you will need to verify your identity as the rightful owner of the domain name by hosting a verification file on your server or confirming an email address suffixed with the domain name. After obtaining the certs, install them on your server by following the cert authority's instructions for your server software. Finally, test the HTTPS connections at https://www.ssllabs.com/ssltest/ .
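The key-and-CSR step described above, as an added example (not from the original page or from DigiCert's instructions): it generates the pair with OpenSSL, then confirms the CSR is correctly self-signed and carries the same public key as the private key before anything is uploaded. The function names are hypothetical, `example.com` is a placeholder domain, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/usr/bin/env bash
# Added example: create a private key and CSR, then sanity-check them.
# Assumes OpenSSL 1.1.1+ (for -addext). Function names are illustrative.

# make_key_and_csr <domain> <outdir>
# Writes <outdir>/<domain>.key and <outdir>/<domain>.csr.
make_key_and_csr() (
    umask 077   # subshell: new files are readable by the owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2/$1.key" -out "$2/$1.csr" \
        -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1,DNS:www.$1" 2>/dev/null
)

# SHA-256 of the public key derived from a private key file.
key_pub_digest() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key embedded in a CSR file.
csr_pub_digest() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# csr_ready <keyfile> <csrfile>
# Succeeds only if the CSR's self-signature verifies AND its public key
# matches the private key that will stay on the server.
csr_ready() {
    # Match on the message text rather than the exit status, which has
    # not been consistent across OpenSSL versions for "req -verify".
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    k=$(key_pub_digest "$1")
    c=$(csr_pub_digest "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical use (placeholder domain, current directory):
#   make_key_and_csr example.com . && csr_ready example.com.key example.com.csr
#   openssl req -in example.com.csr -noout -text   # review subject and SANs
```

The same digest comparison works on the issued certificate (`openssl x509 -in cert.pem -noout -pubkey` in place of the `openssl req` call) to confirm it belongs to this key before installing it.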