This blog has started to become a "me sharing little things" place. Along the same lines, a friend of mine has been setting up a website and asked me about SSL certificates. Rather than just replying with a recommendation, I launched into a brief description of why they're necessary. I might as well put it up here in case it can help anyone else.

SSL

If you visit a site at https://blah instead of http://blah then the connection is made over a secure tunnel using SSL. This is really important because without it anyone can listen in on what's being sent. Someone could (for example) work out everyone's usernames and passwords for your website by listening for login form submissions on the site (which contain the username and password that the user typed into the form). As a rule of thumb any page with any personal information should be served securely on an https URL and any form submission should also be sent using https. As a better rule of thumb, the whole site should be over https.

It's really easy to set up the server to accept secure connections and that would be the end of it.

But wait…

Except, that there's a second problem. The first is that anyone can listen to you talking to the server. SSL solves this by encrypting the traffic so if anyone listens in all they get is a garbled stream of data. The other issue is ensuring that you are talking to the right person. An attacker can trick your computer into talking to him instead of the real server. If this happens then the fact that you are talking securely is no help, because you are talking securely to a nasty person.

Why SSL certificates are useful

  1. sites have security certificates that allow the server to 'prove' that they are really the people you mean to be talking to Paypal's SSL certificate

  2. browsers show a really scary message to the user if there isn't a valid certificate Paypal's SSL certificate

You can get cheap certificates that do a rudimentary check that you are really the domain owner. These will encrypt the traffic and provide some limited protection against other servers pretending they are you. For a basic site, this is probably what you want.

You can also get very expensive certificates that have a mountain of complex checks to ensure that you are who you say you are before they give you a certificate, then there's lots of configuration to do. The benefit is that these certificates are much more trustworthy and as a result the URL bar will light up in a pretty colour to show the user that they're on a nice secure site. Naturally, this gives your users a warm fuzzy feeling.

Paypal's fancy green SSL URL bar