Website SSL (Secure Sockets Layer), or HTTPS as many people know it, is mainly used for identification and for encrypting HTTP traffic. In this series of SSL blog posts we explain why you should use SSL, what the components of SSL (HTTPS) are, how they work, and how to set up your WordPress to run on HTTPS using SSL web server certificates.
Why Use SSL for WordPress Websites and Blogs
When visiting a website, the traffic exchanged between your browser and the web server is sent in clear text. Therefore, if a malicious third party intercepts the traffic exchanged between the two parties, they can read everything being exchanged, including authentication details.
As an example, when logging in to the WordPress dashboard (the wp-admin section) without SSL, a malicious user who captures the HTTP traffic sent from your computer to your WordPress site can easily steal your username and password and log in to your WordPress. The same applies to all types of information sent to a website that does not have SSL and runs on HTTP rather than HTTPS, such as credit card details.
Therefore HTTP traffic should be encrypted with SSL whenever sensitive information is sent over the internet, for example when logging in to your WordPress wp-admin section or any other web application, when asking your customers to submit their hosting details (including credentials) via a web form, or when asking your website visitors to submit payment details and donations.
Refer to the WordPress HTTPS (SSL) plugin security tutorial to set up WordPress SSL using a plugin.
How Website SSL and HTTPS Work
- When trying to access a website running on HTTPS (using SSL), the browser asks the web server hosting the website to identify itself.
- The web server sends the browser a copy of its SSL certificate.
- The browser checks whether it trusts the SSL certificate. If it is trusted, the browser sends a message to the web server to proceed with the encryption. If it is not trusted, the browser alerts the user with a warning that something is wrong with the certificate, and the user can choose whether or not to proceed.
- Once the certificate is trusted, the web server sends back a digitally signed acknowledgement to start an SSL encrypted session, so that traffic between the browser and the web server cannot be read by third parties if it is intercepted.
What is an SSL Web Server Certificate?
To be able to run a website on SSL and encrypt traffic, an SSL certificate needs to be installed on the web server. SSL web server certificates can be purchased from trusted certificate authorities. Alternatively, one can generate a self-signed SSL web server certificate to encrypt HTTP traffic (for more information on the differences between commercial and self-signed SSL web server certificates, refer to the article Self-Signed SSL Certificate VS Commercial SSL Certificate). Typically, an SSL certificate includes the following information about the website you are visiting, which the browser uses to verify the validity of the certificate as explained in steps 1 to 3 of the section above.
- URL of the website that is running on SSL
- Name of the company which owns the website
- Information about the issuer of the certificate
- Validity dates
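The steps and certificate fields above, as an added example that is not part of the original post: it generates a self-signed certificate for a hypothetical WordPress host (the hostname and company name are placeholders), prints the fields a browser shows, and then runs the trust check of step 3 first against the default trust store and then after the visitor has explicitly trusted the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# certificate for a hypothetical WordPress host and inspect it the way a
# browser does in steps 1 to 3 above. Hostname and company are placeholders.
set -eu

WORKDIR="$(mktemp -d)"
HOST="blog.example.test"            # hypothetical site name

# Create the two components the article lists: a private key (stays on the
# server) and a certificate carrying the public key, site name, owner,
# issuer and validity dates. Self-signed, so issuer equals subject.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$HOST/O=Example Blog Ltd" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# The fields a visitor sees in the browser's certificate viewer.
show_cert_fields() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject -issuer -dates
}

# Step 3 with the default trust store only: a self-signed certificate is
# issued by nobody the browser already trusts, so this fails (warning page).
trusted_by_default_store() {
    openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Step 3 after the visitor has explicitly trusted the certificate, including
# the check that the name in the certificate matches the site visited ($1).
trusted_with_explicit_trust() {
    openssl verify -CAfile "$WORKDIR/server.crt" -verify_hostname "$1" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

make_self_signed_cert
show_cert_fields
if trusted_by_default_store; then
    echo "trusted by the default store (unexpected for a self-signed cert)"
else
    echo "not trusted by the default store: the browser would warn here"
fi
if trusted_with_explicit_trust "$HOST"; then
    echo "trusted once the visitor adds the certificate to their trust store"
fi
if ! trusted_with_explicit_trust "other.example.test"; then
    echo "rejected for a site name that does not match the certificate"
fi
```

A certificate bought from a certificate authority differs only in the issuer field: its chain leads to a root already in the browser's trust store, so the first check passes without the visitor doing anything.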
The SSL web server certificate also consists of the following two components:
- Private key: Used to encrypt and decrypt traffic
- Public key: Used to encrypt traffic
Once the information on the certificate is verified and trusted by the browser and an SSL encrypted session is to be set up, the web server sends the browser the public key so the browser can encrypt the traffic sent to the website and the web server can decrypt it. The public key sent to the browser also contains a unique key which can be used to decrypt traffic sent from the web server back to the browser.
In the next HTTPS blog posts we show you how to generate a self-signed SSL web server certificate and how to enable SSL encryption to encrypt HTTP traffic on your WordPress. If you would like to purchase an SSL web server certificate from a trusted authority, contact the trusted certificate authority, such as Thawte, for more information.