Before You Can Require SSL for a Website, What Action Must You Take?
TL;DR
- Create a 2048-bit RSA public/private key pair.
- Generate a certificate signing request (CSR) that embeds your public key.
- Share your CSR with your Certificate Authority (CA) to receive a final certificate or a certificate chain.
- Install your final certificate in a non-web-accessible place such as /etc/ssl (Linux and Unix) or wherever IIS requires it (Windows).
Generating keys and certificate signing requests
This section uses the openssl command-line program, which comes with nearly all Linux, BSD, and macOS systems, to generate a private/public key pair and a CSR.
Generate a public/private key pair
Let's start by generating a 2,048-bit RSA key pair. A smaller key, such as 1,024 bits, is insufficiently resistant to factoring attacks, and public CAs will no longer sign a CSR for one. A larger key, such as 4,096 bits, is overkill: it buys little extra security for a noticeable cost in handshake time. Over time, key sizes increase as computer processing gets cheaper; 2,048 is currently the sweet spot. Whatever the size, keep the private key file readable only by the account that runs the web server (mode 0600): anyone who can read it can impersonate your site.
The command to generate the RSA key pair is:

```sh
openssl genrsa -out www.example.com.key 2048
```

This gives the following output:

```
Generating RSA private key, 2048 bit long modulus
.+++
.......................................................................................+++
e is 65537 (0x10001)
```
Generate a certificate signing request
In this step, you embed your public key and information about your organization and your website into a certificate signing request, or CSR. The openssl command interactively asks you for the required metadata.
Running the following command:

```sh
openssl req -new -sha256 -key www.example.com.key -out www.example.com.csr
```

Outputs the following:

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:California
Locality Name (for example, city) []:Mountain View
Organization Name (for example, company) [Internet Widgits Pty Ltd]:Example, Inc.
Organizational Unit Name (for example, section) []:Webmaster Help Center Example Team
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
To check the contents of the CSR before you send it anywhere, run this command:

```sh
openssl req -text -in www.example.com.csr -noout
```

And the response should look like this:

```
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=California, L=Mountain View, O=Example, Inc., OU=Webmaster Help Center Example Team, CN=www.example.com/emailAddress=webmaster@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:fc:58:e0:da:f2:0b:73:51:93:29:a5:d3:9e:
                    f8:f1:14:13:64:cc:e0:bc:be:26:5d:04:e1:58:dc:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         5f:05:f3:71:d5:f7:b7:b6:dc:17:cc:88:03:b8:87:29:f6:87:
         2f:7f:00:49:08:0a:20:41:0b:70:03:04:7d:94:af:69:3d:f4:
         ...
```

Note that the interactive prompts above only populate the Common Name. Modern browsers ignore the CN and match the hostname against the subjectAltName extension only, so every name the certificate must cover should be listed there; many CAs will add it for you from the CN, but it is better to ask for it explicitly.
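The key-and-CSR procedure above, collapsed into one non-interactive script, as an added example that is not part of the original page. It writes the DN into an OpenSSL config file rather than answering prompts, asks for a subjectAltName covering both hostnames, creates the key with mode 0600, and runs the three checks worth doing before a CSR leaves your machine: the CSR's self-signature verifies, the public key inside it is really the one derived from your private key, and every hostname you intend to serve is present as a SAN. The hostnames, DN values and output directory are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original page): non-interactive key and CSR
# generation with a subjectAltName, plus the checks worth running before the
# CSR is submitted to a CA. Hostnames and DN values are placeholders.

SITE_HOST="www.example.com"      # assumed primary hostname (goes in CN and SAN)
EXTRA_HOSTS="DNS:example.com"    # assumed additional SAN entries, comma-separated

# make_csr OUTDIR: writes OUTDIR/$SITE_HOST.key and OUTDIR/$SITE_HOST.csr,
# prints the CSR path on success and returns non-zero if any check fails.
make_csr() {
    outdir="$1"
    key="$outdir/$SITE_HOST.key"
    csr="$outdir/$SITE_HOST.csr"
    cnf="$outdir/$SITE_HOST.cnf"

    # A config file instead of -addext keeps this working on older OpenSSL and
    # LibreSSL builds; prompt = no takes the DN from the [ dn ] section.
    cat > "$cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = san

[ dn ]
C = CA
ST = California
L = Mountain View
O = Example, Inc.
CN = $SITE_HOST

[ san ]
subjectAltName = DNS:$SITE_HOST, $EXTRA_HOSTS
EOF

    # umask 077 in a subshell: the key file is created mode 0600 and the
    # caller's umask is left alone. Anyone who can read it can impersonate the site.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$key" -config "$cnf" -out "$csr" 2>/dev/null || return 1

    # Check 1: the CSR's self-signature verifies (catches truncation or tampering).
    openssl req -in "$csr" -noout -verify 2>/dev/null || return 1

    # Check 2: the public key in the CSR is the one derived from our private key,
    # so the CA cannot end up certifying a key we do not hold.
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ] || return 1

    # Check 3: every hostname we intend to serve is listed as a SAN; browsers
    # match against subjectAltName and ignore the CN.
    text=$(openssl req -in "$csr" -noout -text)
    for h in "DNS:$SITE_HOST" $(printf '%s' "$EXTRA_HOSTS" | tr ',' ' '); do
        printf '%s\n' "$text" | grep -q "$h" || return 1
    done

    echo "$csr"
}

# Usage: sh make_csr.sh /etc/ssl/private   (prints the CSR path to submit)
if [ $# -gt 0 ]; then
    make_csr "$1"
fi
```

Check 2 matters more than it looks: it is the only thing that catches submitting a stale CSR generated from an older key, which leaves you with a certificate you cannot use.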
Submit your CSR to a certificate authority
Different certificate authorities (CAs) require different methods for sending them your CSRs. Methods may include using a form on their website, sending the CSR by e-mail, or something else. Some CAs (or their resellers) may even automate some or all of the process (including, in some cases, key pair and CSR generation). CAs that implement the ACME protocol, such as Let's Encrypt, automate the whole cycle including renewal, which matters: a certificate that quietly expires takes your site down just as surely as a misconfiguration.
Send the CSR to your CA, and follow their instructions to receive your final certificate or certificate chain.
Different CAs charge different amounts of money for the service of vouching for your public key.
There are also options for mapping your key to more than one DNS name, including several distinct names (e.g. all of example.com, www.example.com, example.net, and www.example.net) or "wildcard" names such as *.example.com.
For example, one CA currently offers these prices:
- Standard: $16/yr, valid for example.com and www.example.com.
- Wildcard: $150/year, valid for example.com and *.example.com.
At these prices, wildcard certificates are economical when you have more than 9 subdomains; otherwise, you can simply buy 1 or more single-name certificates. (If you have more than, say, five subdomains, you might find a wildcard certificate more convenient when you come to enable HTTPS on your servers.) Bear in mind that a wildcard certificate means one private key shared by every host that uses it, so the compromise of any one of those hosts lets an attacker impersonate all of them.
Copy the certificates to all your front-end servers in a non-web-accessible place such as /etc/ssl (Linux and Unix) or wherever IIS (Windows) requires them.
Enable HTTPS on your servers
Enabling HTTPS on your servers is a critical step in providing security for your web pages.
- Use Mozilla's Server Configuration tool to set up your server for HTTPS support.
- Regularly test your site with Qualys' handy SSL Server Test and ensure you get at least an A or A+.
At this point, you must make a crucial operations decision. Choose one of the following:
- Dedicate a distinct IP address to each hostname your web server serves content from.
- Use name-based virtual hosting.
If you have been using distinct IP addresses for each hostname, you can easily support both HTTP and HTTPS for all clients.
However, most site operators use name-based virtual hosting to conserve IP addresses and because it's more convenient in general. The problem with IE on Windows XP and Android earlier than 2.3 is that they do not understand Server Name Indication (SNI), which is crucial for HTTPS name-based virtual hosting: without SNI the server cannot tell which hostname the client wants until after the TLS handshake, so it presents its default certificate and those clients see a name-mismatch error. (Both platforms are long out of support; today effectively every client sends SNI.)
Someday, hopefully soon, clients that don't support SNI will be replaced with modern software. Monitor the user agent string in your request logs to know when enough of your user population has migrated to modern software. (You can decide what your threshold is; perhaps < 5%, or < 1%.)
If you don't already have HTTPS service available on your servers, enable it now (without redirecting HTTP to HTTPS; see below). Configure your web server to use the certificates you bought and installed. You might find Mozilla's handy configuration generator useful.
If you have many hostnames/subdomains, they each need to use the right certificate.
Now, and throughout your site's lifetime, check your HTTPS configuration with Qualys' handy SSL Server Test. Your site should score an A or A+; treat anything that causes a lower grade as a bug. (Today's A is tomorrow's B, because attacks against algorithms and protocols are always improving!)
Make intrasite URLs relative
Now that you are serving your site on both HTTP and HTTPS, things need to work as smoothly as possible, regardless of protocol. An important factor is using relative URLs for intrasite links.
Make sure intrasite URLs and external URLs are agnostic to protocol; that is, make sure you use relative paths or leave out the protocol, like //example.com/something.js.
A problem arises when you serve a page via HTTPS that includes HTTP resources, known as mixed content. Browsers warn users that the full strength of HTTPS has been lost. In fact, in the case of active mixed content (script, plug-ins, CSS, iframes), browsers often simply won't load or execute the content at all, resulting in a broken page. And remember, it's perfectly OK to include HTTPS resources in an HTTP page.
Additionally, when you link to other pages in your site, users could get downgraded from HTTPS to HTTP.
These problems happen when your pages include fully-qualified, intrasite URLs that use the http:// scheme.
Not recommended — We recommend you avoid using fully qualified intrasite URLs.

```html
<h1>Welcome To Example.com</h1>
<script src="http://example.com/jquery.js"></script>
<link rel="stylesheet" href="http://assets.example.com/style.css"/>
<img src="http://img.example.com/logo.png"/>
<p>A <a href="http://example.com/2014/12/24/">new post on cats!</a></p>
```

In other words, make intrasite URLs as relative as possible: either protocol-relative (lacking a protocol, starting with //example.com) or host-relative (starting with just the path, like /jquery.js).
Recommended — We recommend that you use relative intrasite URLs.

```html
<h1>Welcome To Example.com</h1>
<script src="/jquery.js"></script>
<link href="/styles/style.css" rel="stylesheet"/>
<img src="/images/logo.png"/>
<p>A <a href="/2014/12/24/">new post on cats!</a></p>
```

Recommended — Or, you can use protocol-relative intrasite URLs. (A protocol-relative URL inherits http:// on an HTTP page, so it only removes mixed content once the page itself is served over HTTPS; once your site is HTTPS-only, explicit https:// URLs are simpler and leave no room for a downgrade.)

```html
<h1>Welcome To Example.com</h1>
<script src="//example.com/jquery.js"></script>
<link href="//assets.example.com/style.css" rel="stylesheet"/>
<img src="//img.example.com/logo.png"/>
<p>A <a href="//example.com/2014/12/24/">new post on cats!</a></p>
```

Recommended — We recommend that you use HTTPS URLs for intersite URLs (where possible).

```html
<h1>Welcome To Example.com</h1>
<script src="/jquery.js"></script>
<link href="/styles/style.css" rel="stylesheet"/>
<img src="/images/logo.png"/>
<p>A <a href="/2014/12/24/">new post on cats!</a></p>
<p>Check out this <a href="https://foo.com/">other cool site.</a></p>
```

Do this with a script, not by hand. If your site's content is in a database, test your script on a development copy of your database. If your site's content consists of simple files, test your script on a development copy of the files. Push the changes to production only after the changes pass QA, as normal. You can use Bram van Damme's script or something like it to detect mixed content in your site.
When linking to other sites (as opposed to including resources from them), don't change the protocol, since you don't have control over how those sites operate.
If your site depends on scripts, images, or other resources served from a third party, such as a CDN or jquery.com, you have two options:
- Use protocol-relative URLs for these resources. If the third party does not serve HTTPS, ask them to. Most already do, including jquery.com.
- Serve the resources from a server that you control, and which offers both HTTP and HTTPS. This is often a good idea anyway, because then you have better control over your site's appearance, performance, and security. In addition, you don't have to trust a third party, which is always nice.
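A minimal version of the "do this with a script" step, added here as an example and not taken from the page or from Bram van Damme's script. It lists every src= or href= attribute that still fetches over http://, rewrites the ones pointing at your own hosts to protocol-relative form, and leaves external http:// links alone, exactly as the text advises. The list of hosts the site controls is an assumption; the rewrite only fires when the host is followed by a slash, so a lookalike such as example.com.evil.net is not touched.

```shell
#!/bin/sh
# Added example (not from the original page): find http:// resource references
# in HTML files and rewrite the intrasite ones to protocol-relative //host/ form.
# OWN_HOSTS is an assumption; list the hosts your site actually controls.

OWN_HOSTS='(www\.|assets\.|img\.)?example\.com'   # ERE, assumed hostnames

# find_http_refs FILE...: print file:line:content for every src=/href=
# attribute fetched over plain http://, for review before any rewrite.
find_http_refs() {
    grep -nE '(src|href)="http://' "$@"
}

# relativize_intrasite FILE...: rewrite http://<own host>/ to //<own host>/ in
# place. External http:// links are left alone: we do not control those sites,
# and a link (unlike an included resource) does not create mixed content.
relativize_intrasite() {
    for f in "$@"; do
        sed -E -i.bak "s#(src|href)=\"http://($OWN_HOSTS)/#\1=\"//\2/#g" "$f" \
            && rm -f "$f.bak"
    done
}

# count_http_refs FILE: number of lines still carrying an http:// src/href.
# After relativize_intrasite, whatever remains points at third parties to chase.
count_http_refs() {
    grep -cE '(src|href)="http://' "$1" || true
}

# Usage: sh fix_mixed_content.sh index.html about.html
if [ $# -gt 0 ]; then
    find_http_refs "$@"
    relativize_intrasite "$@"
    for f in "$@"; do
        echo "$f: $(count_http_refs "$f") http:// reference(s) left"
    done
fi
```

Run find_http_refs first and read its output: anything it lists that is not one of your own hosts is a third-party resource, which is the case the two bullet points above cover.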
Redirect HTTP to HTTPS
You need to put a canonical link in the head of your page to tell search engines that HTTPS is the best way to get to your site.
Set up <link rel="canonical" href="https://…"/> tags in your pages. This helps search engines determine the best way to get to your site.
Turn on Strict Transport Security and secure cookies
At this point, you are ready to "lock in" the use of HTTPS.
- Use HTTP Strict Transport Security (HSTS) to avoid the cost of the 301 redirect.
- Always set the Secure flag on cookies.
First, use Strict Transport Security to tell clients that they should always connect to your server via HTTPS, even when following an http:// reference. This defeats attacks such as SSL stripping, and also avoids the round-trip cost of the 301 redirect from HTTP to HTTPS. Browsers honor the header only when it arrives over HTTPS, and only from a user's first successful HTTPS visit onward, so start with a short max-age while you confirm that every host the policy covers works over HTTPS, then raise it.
Turn on HTTP Strict Transport Security (HSTS) by setting the Strict-Transport-Security header. OWASP's HSTS page has links to instructions for various server software. Most web servers offer a similar ability to add custom headers.
It is also important to make sure that clients never send cookies (such as for authentication or site preferences) over HTTP. For example, if a user's authentication cookie were to be exposed in plain text, the security guarantee of their entire session would be destroyed, even if you have done everything else right!
Therefore, change your web application to always set the Secure flag on cookies that it sets. This OWASP page explains how to set the Secure flag in several application frameworks. Every application framework has a way to set the flag.
The redirect and HSTS work together. Most web servers offer a simple redirect feature; use 301 (Moved Permanently) to signal to search engines and browsers that the HTTPS version is canonical, and to send users who arrive over HTTP to the HTTPS version of your site. HSTS then spares returning visitors even that first plaintext request.
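An added example, not part of the original page, that checks the three properties this section asks for: the HTTP-to-HTTPS redirect, an HSTS policy with a sensible max-age and includeSubDomains, and the Secure flag on every cookie. It works on captured response headers (for example from curl -sI) so it can be run as a post-deploy check or fed saved headers offline. The hostname in the usage comment is a placeholder and the 180-day max-age threshold is an assumption; adjust it to your rollout plan.

```shell
#!/bin/sh
# Added example (not part of the original page): audit captured HTTP response
# headers for the lock-in properties above. Capture them with curl, e.g.
#   curl -sI http://www.example.com/  | check_redirect
#   curl -sI https://www.example.com/ | check_hsts_and_cookies
# The hostname is a placeholder; the 180-day threshold is an assumption.

MIN_HSTS_AGE=15552000   # 180 days in seconds

# check_redirect: reads the headers of a plain-http response on stdin.
# Passes only for a 301/308 whose Location is an https:// URL.
check_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9]*\).*#\1#p')
    location=$(printf '%s\n' "$hdrs" | grep -i '^location:' | sed 's/^[^:]*:[[:space:]]*//')
    case "$status" in
        301|308) ;;
        *) echo "FAIL: expected a 301/308 redirect from http://, got status '$status'"; return 1 ;;
    esac
    case "$location" in
        https://*) echo "OK: $status -> $location"; return 0 ;;
        *) echo "FAIL: redirect target is not https:// ('$location')"; return 1 ;;
    esac
}

# check_hsts_and_cookies: reads the headers of an https response on stdin.
# Returns the number of failed checks (0 means everything passed).
check_hsts_and_cookies() {
    hdrs=$(tr -d '\r')
    fails=0

    # Browsers only honour HSTS sent over HTTPS, which is why this runs on the
    # https:// response and not on the redirect.
    hsts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        fails=$((fails + 1))
    else
        age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$age" ] || [ "$age" -lt "$MIN_HSTS_AGE" ]; then
            echo "FAIL: HSTS max-age '${age:-missing}' is below $MIN_HSTS_AGE"
            fails=$((fails + 1))
        else
            echo "OK: HSTS max-age=$age"
        fi
        # Without includeSubDomains, an HTTP subdomain can still plant cookies
        # for the parent domain, so treat its absence as a failure.
        if printf '%s\n' "$hsts" | grep -qi 'includeSubDomains'; then
            echo "OK: HSTS covers subdomains"
        else
            echo "FAIL: HSTS lacks includeSubDomains"
            fails=$((fails + 1))
        fi
    fi

    # Every Set-Cookie must carry the Secure attribute, or the browser will
    # replay the cookie on a plaintext http:// request.
    insecure=$(printf '%s\n' "$hdrs" | grep -i '^set-cookie:' \
        | grep -v -i -c -E ';[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)' || true)
    if [ "$insecure" -gt 0 ]; then
        echo "FAIL: $insecure Set-Cookie header(s) without the Secure flag"
        fails=$((fails + insecure))
    else
        echo "OK: all cookies carry Secure"
    fi
    return "$fails"
}
```

The redirect check deliberately rejects 302 and 307: a temporary redirect tells search engines and caches nothing about which version is canonical, which is the whole point of the 301.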
Search ranking
Google uses HTTPS as a positive search quality indicator. Google also publishes a guide for how to transfer, move, or migrate your site while maintaining its search rank. Bing also publishes guidelines for webmasters.
Performance
When the content and application layers are well-tuned (see Steve Souders' books for great advice), the remaining TLS performance concerns are generally small, relative to the overall cost of the application. Additionally, you can reduce and amortize those costs. (For great advice on TLS optimization and generally, see High Performance Browser Networking by Ilya Grigorik.) See also Ivan Ristic's OpenSSL Cookbook and Bulletproof SSL and TLS.
In some cases, TLS can improve performance, mostly as a result of making HTTP/2 possible. Chris Palmer gave a talk on HTTPS and HTTP/2 performance at Chrome Dev Summit 2014.
When users follow links from your HTTPS site to other HTTP sites, user agents don't send the Referer header. If this is a problem, there are several ways to solve it:
- The other sites should migrate to HTTPS. If referee sites can complete the Enable HTTPS on your servers section of this guide, you can change links in your site to theirs from http:// to https://, or you can use protocol-relative links.
- To work around a variety of issues with Referer headers, use the Referrer Policy standard.
Because search engines are migrating to HTTPS, in the future, you are likely to see more Referer headers when you migrate to HTTPS.
Ad revenue
Site operators that monetize their site by showing ads want to make sure that migrating to HTTPS does not reduce ad impressions. But due to mixed content security concerns, an HTTP <iframe> doesn't work in an HTTPS page. There is a tricky collective action problem here: until advertisers publish over HTTPS, site operators cannot migrate to HTTPS without losing ad revenue; but until site operators migrate to HTTPS, advertisers have little motivation to publish HTTPS.
Advertisers should at least offer ad service via HTTPS (such as by completing the "Enable HTTPS on your servers" section on this page). Many already do. You should ask advertisers that do not serve HTTPS at all to at least start. You may wish to defer completing Make intrasite URLs relative until enough advertisers interoperate properly.
Source: https://developers.google.com/web/fundamentals/security/encrypt-in-transit/enable-https