For quite a long time now I have wanted to talk about SSL certificates (the thing that makes a site open over https).
Quite often our clients ask us which certificate they need, where to buy it, and why prices differ so much between providers.
Imagine you need to call a friend of yours, say Nick, to pass on information of special importance. Today a lot of people are concerned about their privacy, since a conversation can be bugged by intercepting the GSM call. Consequently, they look for a "secure channel" for their conversation. Some people choose applications like Viber or Skype, and some use encrypted Internet telephony, so that the communication channel is protected.
SSL/https is one such means of protecting a communication channel. With SSL/https, the data exchanged between your computer and the server of the site you are working with is encrypted. Without it, an attacker who gets into the path between you and the site can obtain the following types of data:
With SSL encryption in place, the attacker can see only the domain name and the service port the data is being sent to; the rest of the data is simply inaccessible.
It is also worth addressing the following popular claim:
If your site is "read-only" (for example, a corporate site, a landing page, a static catalogue site, etc.) and you do not expect users to enter any kind of data, you can safely do without an SSL certificate and use plain http.
Unfortunately, this is a popular misconception.
Nowadays many search engines rank a site lower if it has no SSL certificate. In practice, a certificate is necessary for every site.
Here is an example. Our corporate site is completely static and has almost no server-side logic: it is an information site with many pages, and there is little point in attacking either the site or its visitors. Nevertheless, the site has a feedback form (link) where visitors leave their details so that we can contact them. That is exactly where the exposure lies: without https encryption, an attacker can intercept the user's name, email address, attached files, and any passwords written in the text of the message.
With an SSL certificate and encryption in place, intercepting this data becomes significantly harder.
An SSL certificate consists of three basic elements:
Think of the key as a very long password, 1024 characters long. Without going into the encryption algorithms, it is obvious that the longer the password, the harder it is to break. The certificate carries information about the identity of its owner and of its issuer. You can generate all three elements yourself, and it is absolutely free.
But there is one catch: no one except your own computer will be able to verify that the secure connection is authentic, since no one else has any information about the keys.
This is where a certificate provider (registrar) comes in: it stores public data about the certificate and provides it to anyone who asks. So when you visit an https resource, your browser looks at who issued the certificate, queries the registrar's server, and checks that the certificate's issuer and public keys match what the resource claims. On that basis the browser identifies the resource as secure.
Money, a lot of it. The price is incredibly high for one or several certificates issued for a couple of decades. Once there was a monopoly, and only 3-5 companies issued certificates. Now anyone can become a provider.
To do this you need to:
It is necessary to understand the factors that shape the price:
There are no certificate providers in Ukraine; it is too expensive. Instead we have companies that resell certificate issuance on preferential terms and save money by cutting staff salaries and insurance payments.
Should you take the most expensive certificate, the one that displays your company's name in a green box next to the little lock? It is a perfect option for boosting your self-esteem or standing out visually, but with cheaper options available, nothing more than that.
Today there is another way to get a certificate: the registrar Let's Encrypt. There you can get a working certificate, with some restrictions, absolutely free.
Over time the concept of a commercial certificate developed a significant drawback. In the early 2000s, if a developer created a prototype or a mini-version of a big idea, or if an investor started a new web startup, a security certificate had to be purchased to protect the data transmission channel. Prices started at $50+. So if, for example, a student was writing a term paper and wanted to show a secure connection, s/he had to buy a certificate. Without a verified certificate, every time an https page loaded a "connection is not secure" message appeared, which is hardly the best option for demonstrating a project, is it?
Every year the number of such geek programmers grew, and entering the web development industry became easier. Today even a housewife can create a website about herself basically for free, just by following instructions. Technologies have become more accessible, hosting has become almost free, but certificates still cost $50+, just as before. Imagine that you need a page about yourself, with your own domain name, fully indexable by search engines. You buy a $10 domain and hosting for $2-5 per month, and create a site on a convenient CMS with a free template (for example, AcroCMS). And that's it: today you have paid only $15. Then the search robot sends you a recommendation: "Move your website to https to get higher rankings in search engines." But for the price of that certificate you could make 3 more sites like this.
And so in April 2016 Let's Encrypt appeared, a new certificate registrar. It is a fully automated service that lets you create free certificates for your domain name.
In less than 2 years the project has established itself in the development of small sites and web applications. Many hosting companies have built in support for Let's Encrypt to simplify obtaining a certificate and renewing it automatically every 90 days.