HTTPS: What is it and Why it Matters
What is HTTPS?
HyperText Transfer Protocol Secure (HTTPS), an extension of the HyperText Transfer Protocol (HTTP), is used for secure network communication. It encrypts web communication using Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). The protocol is often referred to as HTTP over TLS or HTTP over SSL.
Why is HTTPS important?
HTTPS protects the authenticity of web pages and the privacy of secure accounts, user communication, identity, and web browsing. This is critical when capturing sensitive user information such as payment details and passwords. Without HTTPS, a bad actor would be able to capture unencrypted packets containing sensitive information belonging to your users.
How does it work?
Authentication in HTTPS requires a trusted certificate authority (CA) to sign the server's digital certificate. Web browsers play a critical role in this protocol by checking that a website's certificate was issued for the domain it is being served from and verifying that the certificate was signed by a trusted CA. If these conditions hold, the TLS handshake completes and the web traffic for this site between client and server is encrypted. TLS uses symmetric encryption to encrypt web traffic between server and client.
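The checks described above can be reproduced outside the browser. The following is an added example, not part of the original article: `fetch_cert` lets Python's default TLS context do the trusted-CA and hostname verification, while `cert_covers` and `days_left` show the domain and validity checks explicitly. The helper names and the `SAMPLE` data are assumptions constructed for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Connect like a browser would: the default context verifies the chain
    against the system's trusted CAs and checks the hostname, raising
    ssl.SSLCertVerificationError if either check fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Match one DNS name from the certificate against the requested host.
    A wildcard is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """True if any subjectAltName DNS entry covers host."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(n, host) for n in names)

def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - (time.time() if now is None else now)) // 86400)

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE = {
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    for host in ("example.test", "www.example.test", "a.b.example.test", "example.org"):
        print(host, cert_covers(SAMPLE, host))
    print("days left:", days_left(SAMPLE))
```

Once a certificate is deployed, `cert = fetch_cert("your-domain")` followed by `days_left(cert)` gives a simple expiry check for the live site.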
How will we implement HTTPS manually?
Many certificate authorities and web hosting services offer HTTPS implementation as a paid service. As developers, we have the skills to implement HTTPS manually at no cost and should take advantage of the openly available documentation on how to do so. The steps required to implement the HTTPS protocol will vary depending on what your website is running and what type of server it is running on.
Let’s Encrypt is a reasonable way to obtain a certificate, then activate, install, and deploy it. Let’s Encrypt is a free, automated certificate authority (CA) for the public. Let’s Encrypt is run by the Internet Security Research Group and aims to provide a free, automatic, secure, and transparent CA to the public, with the goal of creating a more secure and privacy-respecting web.
CertBot
Let’s Encrypt issues its certificates via CertBot, a free and open-source software tool that automates the use of Let’s Encrypt certificates on manually administered websites to enable HTTPS. To use CertBot, it is recommended to have the following:
· some familiarity with the command line
· HTTP website already online with port 80 open
· deployment to a dedicated server, virtual private server, or a cloud-hosted server accessible by SSH and navigable with root privileges.
Deploying our certificate via CertBot
Given that we are hosting our web application on an Ubuntu 18.04 LTS (Bionic) headless server, the steps to implement HTTPS using CertBot are as follows.
· SSH into the server running your HTTP website (make sure to have root privileges)
· Run the following commands to add the Personal Package Archive (PPA) for CertBot to your repositories.
o sudo apt-get update
o sudo apt-get install software-properties-common
o sudo add-apt-repository universe
o sudo add-apt-repository ppa:certbot/certbot
o sudo apt-get update
· Install CertBot
o sudo apt-get install certbot
· Run CertBot
· Make sure to stop hosting your website first; in standalone mode CertBot runs its own temporary web server, which needs port 80
o sudo certbot certonly --standalone
· Install your certificate in the configuration file for your web server