Understanding how HTTPS works

I have had Firefox flip out a few times and give me a screen with red font saying “This site is untrusted” or something like that when I have clicked on links from a Google search.

Could this be what happened?

Note that just because a trusted Certificate Authority issued a certificate does not mean that the person you’re communicating with can be trusted. It’s just a means of identifying that they are who they say they are, so it’s also important that the user checks the domain name or company name on the certificate and makes up their own mind about whether the company they are dealing with is trustworthy.

So a phishing scheme (e.g. NotMyBank.com) could have a trusted certificate?!

Normally on the web, if the server needs to be able to verify who the client is, they do this once the secure session has already been opened. For instance, by requiring a login. The login details are all sent over the already secure channel. That is why I said the server doesn’t need to know who the client is in order to start the secure session.

This is a bit more user friendly, and privacy-friendly, than requiring all web users to have a certificate installed in their browser signed by a certain certificate authority (though some rare services do sometimes request a certificate from a client for security reasons).

Maybe some Business-to-Business situations require client web certificates?

Yep, you’ll need an SSL certificate signed by a trusted Certificate Authority and issued for your actual domain name. An SSL certificate included free with your hosting package may not satisfy both those criteria.

Is there a way to get a test SSL certificate?

I’m going to get a “test” account with GoDaddy.com where there will not be a domain name, just a fixed IP address. (I don’t want people to be able to know who I am for my test account by looking up a domain, plus it is just a “test” account?!)

Hoping you say “yes”?!

Also, when I am ready to get down to business and get a “real” SSL certificate, what kinds of information must I provide to get one?

(I hope they aren’t asking for really intimate details like bank acct #'s, physical address, etc.)

You’ll need to get your host to enable HTTPS with that certificate. For Jane’s sake, make sure that the same content is not available via regular HTTP, and make sure none of your internal links, and links to things like scripts, stylesheets and images, lead to non-HTTPS sites. That’ll ensure her browser will never lead her to the same site, unprotected, or show a confusing warning about non-encrypted page elements.

Wow! That is some of the best advice I’ve been given in a long time?! :blush:

That is a lot to “chew” on, and probably requires a solid architecture, but here are some initial thoughts…

So it sounds like it is better to have “dedicated” Scripts, Style Sheets, Images, etc for secure pages??

Maybe you even would want to double up and have Scripts, Style Sheets, Images, etc map to a specific secure page??

In general, is there any easy way, approach, or even testing tool to ensure that…

1.) You don’t accidentally loop Jane User from a secure area back to a non-secure area, OR that

2.) Jane User can’t get to a secure area via a non-secure area OR that

3.) There isn’t some way for people to “hack” your URL and hop from non-secure to secure to non-secure areas??

(Sorry, those are probably threads unto themselves?!) LOL

There is no special code to switch into or out of a secure connection except the “https:” at the beginning of a URL. Make sure the user is using a secure connection before logging in (ie, the login page should be included in those pages that are only accessible via “https:”).

Okay.

Thank you, Thomas!!

Great information!!

Sincerely,

Amy

For testing purposes you can just make your own certificate and tell your browser to trust it (assuming you decide that you can trust that you are the one who actually made it :lol: )

Really?! Cool! :smiley:

So, is that hard to do?

When I get a little closer to needing to do that, can you show me how?

(assuming you decide that you can trust that you are the one who actually made it :lol: )

Well, hopefully I can get a “simple majority” vote when the voices in my head vote on trusting me or not?! :lol:

Amy

Easy as pie, and automagically created usually when you install mod_ssl, or the dedicated HTTPS server for Apache (depending on Linux distro, if you’re using Linux at all on your server).

From the way you describe the screen, it’s probably unrelated. The site was probably on the blacklist that Firefox uses to detect sites such as Phishing sites or sites that try to install malware.

However, there is a (yellow, from memory) screen which can pop up when entering a secure connection and the site’s certificate does not validate with a trusted certificate authority. That screen has an ‘add an exception’ link which you can use if you are sure it’s the site you wanted.

So a phishing scheme (e.g. NotMyBank.com) could have a trusted certificate?!

Yep. The point of the certificate is not to prove that someone is trusted, it’s to prove who they are. So always check the domain name and decide if you trust it!

Is there a way to get a test SSL certificate?

A self-signed certificate is free to create, and anyone can create one (I won’t go into instructions, as they are google-able). It is a good idea as a test certificate. It won’t validate as being from a trusted CA on people’s browsers, but they can add exceptions, or you can add yourself (the key the certificate was based on) as a trusted CA into your own browser, if you just want to test it locally.

Also, when I am ready to get down to business and get a “real” SSL certificate, what kinds of information must I provide to get one?

It varies by company. They should try to establish that you are the owner of the domain you are getting the certificate for. However it shouldn’t require intimate details like bank account numbers. If you are getting an “EV” certificate it adds more security for users because they also supposedly test that your company name, or your personal name, is who you say it is.

So it sounds like it is better to have “dedicated” Scripts, Style Sheets, Images, etc for secure pages??

Well yes, but they can have exactly the same content though. They just need to be reachable by HTTPS and the ones on your regular site reachable by HTTP. If you are running two servers or virtual hosts you could probably use symlinks to do this, they don’t have to be separate actual files on the server.

In general, is there any easy way, approach, or even testing tool to ensure that…

1.) You don’t accidentally loop Jane User from a secure area back to a non-secure area, OR that

Depending on the way you design your site, it should be simple. Try thinking of the secure site as a separate website.

2.) Jane User can’t get to a secure area via a non-secure area OR that
3.) There isn’t some way for people to “hack” your URL and hop from non-secure to secure to non-secure areas??

There would not be any real benefit to them doing this I don’t think, at least in most normal circumstances. A secure connection protects the end user, so if someone did figure out that they could change from HTTPS to HTTP on part of your secure site, the only downside is that that person’s privacy might be compromised.

The reason you’d want to prevent someone accidentally straying into a non-secure part of the site without realising it, is that they might then give private information, like their address or credit card details, not realising that the connection is no longer secure.
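An added example, not part of the original thread or any poster's code: one way to test a secure page for the two problems discussed above, subresources fetched over plain HTTP (the "non-encrypted page elements" warning) and links or forms that lead the user back to HTTP. The page URL, host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource (mixed content if HTTP)
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("link", "href"), ("audio", "src"), ("video", "src")}
# Attributes that navigate the user or submit her data (downgrade if HTTP)
NAVIGATION = {("a", "href"), ("form", "action")}


class InsecureRefFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url  # URL the secure page is served from
        self.findings = []        # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in SUBRESOURCE:
                kind = "mixed-content"
            elif (tag, name) in NAVIGATION:
                kind = "downgrade-link"
            else:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme
            absolute = urljoin(self.page_url, (value or "").strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_insecure_refs(page_url, html):
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, as served from a hypothetical https://shop.example/
SAMPLE = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/lib.js"></script>
<img src="//img.example/logo.png">
<a href="http://shop.example/cart">Cart</a>
<form action="https://shop.example/login" method="post"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in find_insecure_refs("https://shop.example/account", SAMPLE):
        print(f"{kind:15} <{tag}> {url}")
```

Only static markup is inspected; URLs built by scripts at run time or referenced from inside CSS files are not seen by this check.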

Thomas,

Thanks for the follow-up to my questions!!

Amy