JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!

Why should you use HTTPS and how can you use it?

These are the two most important questions when thinking about secure communication between the visitors and your website.
This is exactly what the presentation was about.

What is HTTPS?
How do the basics work?
What do I need to know about it?
How does it work with Joomla!?

The presentation was given at JoomlaDay Austria in December 2016 to different kinds of Joomla! users, from beginners to developers.


  1. 1. Why and how to use HTTPS on your website!
  2. 2. HTTPS. Wilco Alsemgeest
      • Senior Windows System engineer at ORTEC B.V.
      • Regional Coordinator – Joomla Certification Program for the Joomla User groups in the Netherlands
      • Owner Connecting Connections
        – Since Mambo working with and for Joomla!
        – Extension translator RSJoomla!, Hikashop, Freestyle-Joomla
        – Organizer/Supporter of many different Joomla! events.
  3. 3. HTTPS
      • Principles of TLS / SSL
      • Obtaining an SSL Certificate
        • Which SSL Certificates are available?
        • What do I need for this?
        • How to get one?
        • How much time does it take?
      • Implementation and Maintenance
      • Good to know!
      • Joomla! and HTTPS
  4. 4. HTTPS. Principles of TLS / SSL
      • Definitions
      • What is TLS / SSL?
      • What are certificates?
      • Why is HTTPS necessary?
      • How is the secure connection created?
      • What are the dependencies?
  5. 5. HTTPS. Principles of TLS / SSL: Definitions
      • DNS – Domain Name System
      • TLS / SSL – Transport Layer Security – Secure Sockets Layer (Predecessor)
      • CA – Certificate Authority
      • (Sub) Domain name (TLD)
  6. 6. HTTPS. Principles of TLS / SSL: What is TLS / SSL?
      Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are standard cryptographic protocols for providing secure communication between supplier and client.
  7. 7. HTTPS. Principles of TLS / SSL: What are certificates?
      All browsers have the capability to interact with web servers using the TLS / SSL protocol. For that, the browser needs a Root CA public SSL certificate (pre-installed) and the server needs an SSL certificate issued by a Root CA to be able to establish a secure connection.
  8. 8. HTTPS. Principles of TLS / SSL: Why is HTTPS necessary?
      Websites that use an SSL certificate can be recognized by the use of the HTTPS protocol instead of HTTP. The “S” stands for Secure, which means encrypted by both the client browser and the web server. Because the network traffic is encrypted from start to end, someone listening on the network cannot capture (for instance) username and password combinations.
  9. 9. HTTPS. Principles of TLS / SSL: How is the secure connection created?
      When a browser attempts to access a website that is secured by TLS, the browser and the web server establish a TLS connection using a process called the “handshake”. Essentially, three keys are used to set up the TLS connection: the public, the private and the session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.
  10. 10. HTTPS. Principles of TLS / SSL: How is the secure connection created?
  11. 11. HTTPS. Principles of TLS / SSL: How is the secure connection created?
      1. The browser connects to the website secured with TLS / SSL (HTTPS) and asks the server to identify itself.
      2. The server sends a copy of the SSL certificate and public key.
      3. The browser checks the certificate against the list of trusted Certificate Authorities and checks the date/time validity. The website address is checked against the common name in the certificate. The browser creates a session key, encrypts it with the public key and sends it to the server.
      4. The server decrypts the session key with the private key and sends a confirmation, encrypted with the session key, back to the browser.
      5. Server and browser start communicating with all data encrypted with the session key.
  12. 12. HTTPS. Principles of TLS / SSL: What are the dependencies?
      SSL certificates are bound to a ‘common name’ registered in the DNS, which is usually a fully qualified domain name but can be a wildcard name (e.g. *
  13. 13. HTTPS. Obtaining an SSL Certificate
      • Which SSL Certificates are available?
      • Kinds:
        • Domain name certificates
        • SAN/UC/Multi-domain certificates
        • Wildcard certificates
      • Validation methods:
        • Domain validation (DV) (For all kinds)
        • Organization validation (OV) (For all kinds)
        • Extended validation (EV) (Only for domain and Multi-Domain)
  14. 14. HTTPS. Obtaining an SSL Certificate
      • What do I need for this?
        • A unique IP address, or Server Name Indication (SNI) functionality.
        • Correct contact information in the WHOIS database.
        • Business/Organization validation documents.
  15. 15. HTTPS. Obtaining an SSL Certificate
      • How to get one?
        • There are different methods for obtaining a certificate; all methods result in the same certificate.
        • An IT partner can help with obtaining the SSL certificate.
        • It’s possible to obtain a certificate at different suppliers.
      • Root suppliers:
        • (Market leader)
        • (Number 2, Market leader)
        • (Oldest SSL Supplier)
        • (Fastest growing SSL Supplier)
  16. 16. HTTPS. Obtaining an SSL Certificate
      • How much time does it take? Depending on the type of certificate and the supplier used, it can take from minutes to weeks.
        • A domain validation certificate takes minutes.
        • An organization validation certificate can take hours up to days.
        • An extended validation certificate can take a few days up to a few weeks.
  17. 17. HTTPS. Implementation and Maintenance
      • How do I implement one?
        • Hosting supplier.
        • ICT Partner
        • Hosting control panel (DirectAdmin, Plesk, cPanel and others)
      • What maintenance is needed?
        • Certificate renewal.
        • Certificate replacement / upgrade.
  18. 18. HTTPS. Good to know!
      • SHA-1 certificate signatures are outdated and will display warnings in the browser.
      • HTTP Strict Transport Security (HSTS)
      • HTTP/2 (the new internet): most browsers only accept it over HTTPS with TLS 1.2.
      • Browsers are going to start warning visitors when the website does not use HTTPS.
  19. 19. HTTPS. Joomla! & HTTPS
      • System – Global Configuration – Server – Force HTTPS
      • .htaccess configuration (Depending on the Hosting supplier)
  20. 20. HTTPS
  22. 22. HTTPS
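
Added example, not part of the presentation: a Python check that the redirect produced by Force HTTPS or an .htaccess rule, and the HSTS header from the "Good to know!" slide, are actually in effect, run over constructed responses. The function names, the sample header values and the 180-day minimum `max-age` are assumptions of this example.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 180 * 24 * 3600  # assumed threshold for this example (180 days)

# Constructed responses: (status code, headers with lower-case names).
GOOD_HTTP = (301, {"location": "https://example.org/"})
GOOD_HTTPS = (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})
NO_REDIRECT = (200, {})
SHORT_HSTS = (200, {"strict-transport-security": "max-age=300"})

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is absent or invalid."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be quoted
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def audit(host, http_resp, https_resp, min_age=MIN_MAX_AGE):
    """Return findings for one site; an empty list means HTTPS is enforced."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 308):
        findings.append("http: no permanent redirect")
    elif target.scheme != "https" or target.hostname != host:
        # Redirecting to the same host first lets the browser record
        # that host's HSTS policy before any further redirect.
        findings.append("http: redirect does not go to https on the same host")
    # Browsers only honour HSTS received over HTTPS, so only that response counts.
    hsts = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if hsts is None:
        findings.append("https: HSTS header missing or invalid")
    elif hsts[0] < min_age:
        findings.append("https: HSTS max-age too short")
    return findings

if __name__ == "__main__":
    print(audit("example.org", GOOD_HTTP, GOOD_HTTPS))
    print(audit("example.org", NO_REDIRECT, SHORT_HSTS))
```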