If your website still isn’t using HTTPS, it is high time to get on it

Is your website still not using a TLS/SSL certificate and is not yet available over HTTPS? Then you need to act quickly, or you will lose visitors and business.
Since the beginning of July, the Chrome browser marks all websites not available over HTTPS as “not secure”, like in the screenshot below.

What visitors will see if your website doesn't use HTTPS
What visitors will see if your website doesn’t use HTTPS

If you have a website but aren’t a tech expert, I will explain as simply as possible (I try!) what you should know about HTTPS and what you can do yourself. Depending on your server setup, your experience might vary, in some cases you might need to get a technical person involved. If you do you will at least you will know what they are talking about.

This change from Chrome will certainly be followed by other browser manufactures and is part of the ongoing push to make the web safe for users.
Having an SSL/TLS certificate (TLS is the more modern version of SSL) does three things:

  1. Privacy. The information your user transmit to your website can’t be intercepted during transfer. So if somebody is running a shady WIFI network they can’t get to the information users are sending to your website.
  2. Authentification. With HTTPS a website saying to users that it is example.com is verified as being example.com. No other website can fakely pretend to be example.com over HTTPS
  3. Validity. And similar to above nobody on a shady WIFI network can modify example.com if it’s loaded over HTTPS. So they can’t add malware, ads or whatever on the fly.

HTTPS is also increasingly good for SEO and Google will list your sites higher if they are secure.

Chrome version 68 implementing the change to "not secure" with http only websites. Make sure you have https

So if your website doesn’t yet have an SSL certificate, you should act now!
Fortunately for 99% of websites, it’s going to be an easy, quick and free fix.

In 3 quick steps, you will be done.

  1. Get an SS/TLSL certificate
  2. Configure your website, CMS, WordPress, whatever
  3. Send all your traffic to HTTPS (optional but very highly recommended)

1. Get an SSL certificate

There are a lot of “traditional” certification authorities (CA), and some are better than others (cf Symantec’s debacle last year). Those will cost you a couple of hundred dollars per year. Over the last year, the free initiative of Let’s Encrypt has grown into a stable and reliable source for modern certificateshttps://letsencrypt.org 

Let’s Encrypt certificates

For Let’s Encrypt there are two ways to get a certificate:

  • For the more tech savvy with access to a shell on their server, they can use CertBot https://certbot.eff.org to quickly get a certificate and install it on their server. The CertBot instructions are quite easy to follow, and if you are a bit technical, you shouldn’t have any problems.
  • For the other ones, it might be even simpler if your host is on the list of “Web hostings who support Let’s Encrypt”. If that’s your case, either go to your cPanel and look for the “Let’s Encrypt for cPanel” from there on the instructions should be quite easy. You can also get in touch with your host and let them know that you want a certificate from Let’s Encrypt and they should help you along.

Let’s Encrypt’s certificates are only valid three months for security purposes, but they make it easy to auto-renew them. So either set up a cron job that asks CertBot to check and renew the certificate or use the features in cPanel.

“Traditional” Certificate Authorities

If your host isn’t on the list, you might suggest them to get with the programme and move to the 21st century. But if you don’t want to change hosters and you have cPanel you can go the “traditional” route. First, go create private and public keys with the “SSL/TLS” option (never give/send your private key to anyone!!) and then create a “certificate signing request” (CSR). You will use that to get a certificate from a CA (for about a hundred dollars per year) which you can then upload in the Certificate section of the SSL/TLS option in your cPanel. The final step is to “install” it for your website, which in this case means to link the certificate with the specific domain in cPanel.
If you are using this method, your certificate is usually valid for 1 or 2 years, and the CA will remind you to renew the certificate when the time comes.

2. Configure your website

If you are using WordPress you should set the “WordPress Address (URL)” and “Site Address (URL)” in your General Settings to use https://

Always have a backup of your database and website!

You might run into problems where Chrome is telling you that you have “mixed content”, meaning that you are loading images, web-fonts or external scripts over HTTP instead of HTTPS. The developer console in Google Chrome will let you know which resources are the problem.
It can be that links stored in your database are the culprit for those errors and then you should either track them down in your posts/pages and update those or use a module like “All in one WordPress migration” which can create a database export and systematically replace https:// with https:// or even better // (which will create a relative link). You can then import the export back into your blog. Images, stylesheets from your blog should ideally be referenced with a relative link. Only external assets should be loaded with an absolute link (starting with https:// obviously).

3. Send all your traffic to HTTPS (optional but highly recommended)

In these days there is no good reason to have your website accessible over HTTP and HTTPS, and you should redirect all your traffic to HTTPS. If your server is using Apache and you have access to the .htaccess file on your server, then these lines will do that for you. Add them at the beginning of the file.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} =off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
</IfModule>

This means that if the request isn’t sent over HTTPS if will get sent to the HTTPS version of the requested URL with a 301 redirect which will tell your visitors’ browser that it should from now on use the HTTPS version. Incidentally, this is also the best way to let search engines know that a page has moved definitively.

If you are using nginx, you will need to edit your nginx.conf file. You can use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to get the appropriate configuration for your server but these lines below should do the trick. 

server {
listen 80 default_server;
listen [::]:80 default_server;

# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

resolver <IP DNS resolver>;

...
}

Further reading:

 

Now you can test that everything is working well at https://www.ssllabs.com/ssltest/ where you should be rewarded with a good grade and a lovely green colour.

You are done. Congrats!

 

Further reading for the technically inclined

  • If you want to go into more technical details, read this blog post
  • The Wikipedia page about HTTPS is here
  • HTTPS standard page

 

 

If you have any issues or remarks, don’t hesitate to let me know in the comments or reach out over email. Also, let me know which other web subjects I should write about.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.