JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
Why and how to use HTTPS on your website!
HTTPS
Wilco Alsemgeest
• Senior Windows System engineer at ORTEC B.V.
• Regional Coordinator – Joomla Certification Program for the Joomla User groups in the Netherlands
• Owner Connecting Connections
– Since Mambo working with and for Joomla!
– Extension translator RSJoomla!, Hikashop, Freestyle-Joomla
– Organizer/Supporter many different Joomla! events.
https://twitter.com/conconnl
https://www.facebook.com/conconnl/
• Principles of TLS / SSL
• Obtaining an SSL Certificate
– Which SSL Certificates are available?
– What do I need for this?
– How to get one?
– How much time does it take?
• Implementation and Maintenance
• Good to know!
• Joomla! and HTTPS
Principles of TLS / SSL
• Definitions
• What is TLS / SSL?
• What are certificates?
• Why is HTTPS necessary?
• How is the secure connection created?
• What are the dependencies?
Principles of TLS / SSL: Definitions
• DNS – Domain Name System
• TLS / SSL – Transport Layer Security – Secure Sockets Layer (Predecessor)
• CA – Certificate Authority
• (Sub) Domain name (TLD)
Principles of TLS / SSL: What is TLS / SSL?
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are standard cryptographic protocols for providing secure communication between supplier and client.
Principles of TLS / SSL: What are certificates?
All browsers have the capability to interact with web servers using the TLS / SSL protocol.
For that, the browser needs a Root CA Public SSL Certificate (pre-installed) and the server needs an SSL Certificate issued by a Root CA to be able to establish a secure connection.
Principles of TLS / SSL: Why is HTTPS necessary?
Websites that use an SSL Certificate can be recognized by the use of the HTTPS protocol instead of HTTP. The “S” stands for Secure, which means encrypted by both the client browser and web server.
Because the network traffic is encrypted from start to end, there is no possibility to capture (for instance) username and password combinations.
Principles of TLS / SSL: How is the secure connection created?
When a browser attempts to access a website that is secured by TLS, the browser and the web server establish a TLS connection using a process called the “Handshake”.
Essentially, three keys are used to set up the TLS connection: the public, the private and the session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.
Principles of TLS / SSL: How is the secure connection created?
1. The browser connects to the website secured with TLS / SSL (HTTPS) and asks the server to identify itself.
2. The server sends a copy of the SSL Certificate and Public Key.
3. The browser checks the certificate against the list of trusted Certificate Authorities and the date/time validity. The website address is checked against the common name in the certificate. The browser creates a Session Key with the use of the Public Key and sends this to the server.
4. The server decodes the Session Key with the Private Key and sends a confirmation, encrypted with the Session Key, back to the browser.
5. Server and browser start communicating with all data encrypted with the Session Key.
Principles of TLS / SSL: What are the dependencies?
SSL certificates are bound to a ‘common name’ registered in the DNS, which is usually a fully qualified domain name but can be a wildcard name (e.g. *.domain.com).
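
The date/time and name checks from step 3 of the handshake, including the wildcard binding described above, as an added example that is not part of the original presentation. It assumes a certificate in the dict layout returned by Python's ssl.SSLSocket.getpeercert(); the sample certificate and the helper names are constructed for illustration, and validating the chain against the trusted Certificate Authorities is left to the TLS library.

```python
import ssl

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert();
# the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
}

def cert_names(cert):
    """DNS names the certificate is bound to: SAN entries, else the common name."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole leftmost label covering exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels or zero labels
    if p_labels[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ("*.com").
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_certificate(cert, host, now):
    """Return the problems a client would find; an empty list means acceptable."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name mismatch")
    return problems

if __name__ == "__main__":
    mid_2016 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2016 GMT")
    for host in ("www.domain.com", "domain.com", "a.b.domain.com",
                 "domain.com.example.net"):
        print(host, check_certificate(SAMPLE_CERT, host, mid_2016) or "ok")
```

A wildcard name covers one label only, so *.domain.com matches www.domain.com but neither a.b.domain.com nor the bare domain.com; the sample certificate lists domain.com as a separate name for that reason.
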
Obtaining an SSL Certificate: Which SSL Certificates are available?
Kinds:
• Domain name certificates
• SAN/UC/Multi-domain certificates
• Wildcard certificates
Validation methods:
• Domain validation (DV) (For all kinds)
• Organization validation (OV) (For all kinds)
• Extended validation (EV) (Only for domain and Multi-Domain)
Obtaining an SSL Certificate: What do I need for this?
• A unique IP address, or Server Name Indication (SNI) functionalities.
• Correct contact information in WHOIS database.
• Business/Organization validation documents.
Obtaining an SSL Certificate: How to get one?
• There are different methods for obtaining a certificate; all methods result in the same certificate.
• An IT partner can help with obtaining the SSL certificate.
• It’s possible to obtain a certificate from different suppliers.
Root suppliers:
• (Market leader)
• (Number 2, Market leader)
• (Oldest SSL Supplier)
• (Fastest growing SSL Supplier)
Obtaining an SSL Certificate: How much time does it take?
Depending on the type of certificate and the supplier used, it can take from minutes to weeks.
• A domain validation certificate takes minutes.
• An organization validation certificate can take hours up to days.
• An extended validation certificate can take a few days up to a few weeks.
Implementation and Maintenance
How do I implement one?
• Hosting supplier.
• ICT Partner
• Hosting control panel (DirectAdmin, Plesk, cPanel and others)
What maintenance is needed?
• Certificate renewal.
• Certificate replacement / upgrade.
Good to know!
• SHA-1 encryption is outdated and will display warnings in the browser.
• HTTP Strict Transport Security (HSTS)
• HTTP/2 (The new internet), most browsers only accept HTTPS with TLS 1.2.
• Browsers are going to start warning visitors when the website does not use HTTPS.
Joomla! & HTTPS
• System – Global Configuration – Server – Force HTTPS
• .htaccess configuration (Depending on the Hosting supplier)