Why should you use HTTPS and how can you use this?
These are the two most important questions when thinking about secure communication between the visitors and your website.
This is exactly what the presentation was about.
What is HTTPS?
How does the basics work?
What do I need to know about it?
How does it work with Joomla!?
The presentation was given at JoomlaDay Austria in December 2016 to different kinds of Joomla! users, from beginners to developers.
2. HTTPS
• Senior Windows System engineer at ORTEC B.V.
• Regional Coordinator – Joomla Certification Program for the
Joomla User groups in the Netherlands
• Owner Connecting Connections
– Since Mambo working with and for Joomla!
– Extension translator RSJoomla!, Hikashop, Freestyle-Joomla
– Organizer/Supporter many different Joomla! events.
Wilco Alsemgeest
https://twitter.com/conconnl
https://www.facebook.com/conconnl/
3. HTTPS
Principles of TLS / SSL
Obtaining an SSL Certificate
Which SSL Certificates are available?
What do I need for this?
How to get one?
How much time does it take?
Implementation and Maintenance
Good to know!
Joomla! and HTTPS
4. HTTPS
Definitions
What is TLS / SSL?
What are certificates?
Why is HTTPS necessary?
How is the secure connection created?
What are the dependencies?
Principles of TLS / SSL
5. HTTPS
DNS – Domain Name System
TLS / SSL – Transport Layer Security – Secure Sockets Layer (Predecessor)
CA – Certificate Authority
(Sub) Domain name (TLD)
Principles of TLS / SSL
Definitions
6. HTTPS
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL)
are standard cryptographic protocols for providing secure communication
between supplier and client.
Principles of TLS / SSL
What is TLS / SSL?
7. HTTPS
All browsers have the capability to interact with web servers using the TLS /
SSL Protocol.
For that, the browser needs a Root CA Public SSL Certificate (pre-installed)
and the server needs an SSL Certificate issued by a Root CA to be able to
establish a secure connection.
Principles of TLS / SSL
What are certificates?
8. HTTPS
Websites that use an SSL Certificate can be
recognized by the use of the HTTPS protocol
instead of HTTP.
The “S” stands for Secure, which means encrypted
by both the client browser and web server.
Because the network traffic is encrypted from start to end, someone listening on
the network cannot read (for instance) username and password combinations.
Principles of TLS / SSL
Why is HTTPS necessary?
9. HTTPS
When a browser attempts to access a website that is secured by TLS, the browser
and the web server establish a TLS connection using a process called “Handshake”.
Essentially, three keys are used to set up the TLS connection:
the public key, the private key and the session key.
Anything encrypted with the public key can only be decrypted with the
private key, and vice versa.
Principles of TLS / SSL
How is the secure connection created?
11. HTTPS
1. The browser connects to the website secured with TLS / SSL (HTTPS)
and asks the server to identify itself.
2. The server sends a copy of the SSL Certificate and its Public Key.
3. The browser checks the certificate against the list of trusted Certificate
Authorities and the date/time validity. The website address is checked
against the common name in the certificate.
The browser creates a Session Key, encrypts it with the Public Key and
sends this to the server.
4. The server decrypts the Session Key with the Private Key and sends a
confirmation encrypted with the Session Key back to the browser.
5. Server and browser start communicating with all data encrypted with the
Session Key.
Principles of TLS / SSL
How is the secure connection created?
12. HTTPS
SSL certificates are bound to a ‘common name’ registered in the DNS, which is
usually a fully qualified domain name but can be a wildcard name (e.g.
*.domain.com)
Principles of TLS / SSL
What are the dependencies?
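The three checks the browser makes in step 3 of the handshake above (trusted CA, date/time validity, website address against the certificate name), including the wildcard names from the dependencies slide, as an added example that is not part of the original presentation. It works on the dict shape Python's ssl.SSLSocket.getpeercert() returns; the certificate values and the trust list are constructed, the issuer lookup stands in for real chain and signature validation, and it also accepts subjectAltName entries, which browsers use alongside the common name.

```python
import ssl

# Constructed example in the shape of ssl.SSLSocket.getpeercert(); values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
}

# Constructed stand-in for the browser's pre-installed list of trusted Root CAs.
TRUSTED_ROOT_CAS = {"Example Root CA"}


def names_in_cert(cert):
    """Collect the common name plus any DNS subjectAltName entries."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def name_matches(pattern, host):
    """Match a hostname against a certificate name; '*' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    # *.example.org matches shop.example.org, but not example.org or a.b.example.org
    return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")


def check_certificate(cert, host, now, trusted=TRUSTED_ROOT_CAS):
    """Return (ok, reason) for the three browser checks, in the order of the slide."""
    issuer = [v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"]
    if not any(cn in trusted for cn in issuer):
        return False, "issuer not in trusted CA list"
    # notBefore/notAfter use the "%b %d %H:%M:%S %Y GMT" format ssl understands
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate not valid at this date/time"
    if not any(name_matches(n, host) for n in names_in_cert(cert)):
        return False, "hostname does not match certificate names"
    return True, "ok"
```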
13. HTTPS
Which SSL Certificates are available?
Kinds:
Domain name certificates
SAN/UC/Multi-domain certificates
Wildcard certificates
Validation methods:
Domain validation (DV) (For all kinds)
Organization validation (OV) (For all kinds)
Extended validation (EV) (Only for domain and Multi-Domain)
Obtaining an SSL Certificate
14. HTTPS
What do I need for this?
A unique IP address, or Server Name Indication (SNI) functionalities.
Correct contact information in the WHOIS database.
Business/Organization validation documents.
Obtaining an SSL Certificate
15. HTTPS
How to get one?
There are different methods for obtaining a certificate; all methods
result in the same certificate.
An IT partner can help with obtaining the SSL certificate.
It’s possible to obtain a certificate at different suppliers.
Root suppliers (shown as logos on the slide): the market leader, the number 2, the oldest SSL supplier and the fastest growing SSL supplier.
Obtaining an SSL Certificate
16. HTTPS
How much time does it take?
Depending on the type of certificate and the supplier used, it can take from
minutes to weeks.
A domain validation certificate takes minutes.
An organization validation certificate can take hours up to days.
An extended validation certificate can take a few days up to a few weeks.
Obtaining an SSL Certificate
17. HTTPS
How do I implement one?
Hosting supplier.
ICT Partner
Hosting control panel (DirectAdmin, Plesk,
Cpanel and others)
What maintenance is needed?
Certificate renewal.
Certificate replacement / upgrade.
Implementation and Maintenance
18. HTTPS
SHA-1 signed certificates are outdated and will display warnings in the browser.
HTTP Strict Transport Security (HSTS)
HTTP/2 (The new internet), most browsers only accept HTTPS with TLS 1.2.
Browsers are going to start warning visitors when the website does not use HTTPS.
Good to know!
19. HTTPS
System – Global Configuration – Server – Force HTTPS
.htaccess configuration (Depending on the Hosting supplier)
Joomla! & HTTPS