DEV Community

David Israwi
David Israwi

Posted on • Edited on

Securing your website in 4 minutes - What, Why and How of HTTPS

Donzo

Today I changed my website's protocol from HTTP to HTTPS - it was quick and easy. After finishing, I wasn't sure what I had really accomplished, so I did some research into what it really meant to create a secure connection between you and a website.

Here is a quick summary.

When you submit a body of text to a website (e.g. log-in info, chat message, search query), the information is sent to a server that may return information back to you. This exchange of information happens using the HyperText Transfer Protocol. The issue is the vulnerability of this information; any person intercepting this network can see your message, this is not good for your data.

Catch from Wireshark
Image: this is a sample package sent from my computer to my site before changing the protocol. Caught using Wireshark.

This vulnerability is the reason why HTTPS (HTTP + Secure) is strongly encouraged.

This protocol encrypts your message and sends a public key to the recipient through SSL certificates. This public key is used for end-to-end encryption, or to verify certificate signatures (thanks to Vin in the comments for clarification).

What if I don't send/receive sensitive data from my website?

HTTPS has more benefits other than just securing the exchange of information:

  • Ward off intruders from identifying your users by analyzing your information exchange.
  • Reduce the risk of anyone exploiting the resources of your website to their benefit.
  • As Progressive Web Apps grow in popularity, Service Workers (used for push notifications) require the use of HTTPS.
  • Other benefits of Service Workers include offline behavior and caching.

Changing your website to use HTTPS

Site before changing protocol to HTTPS

There is a 5 minute video made by httpsiseasy explaining how to do this. Here is their step by step tutorial I followed using Cloudflare.

  • Go to Cloudflare
  • Sign up
  • Enter your website's domain. Enter, free, continue, enter
  • The service will give you two DNS nameservers along with instructions to add it to your website.
  • Hit Crypto on the toolbar, change "Always Use HTTPS" to On

Do this and you're donzo, the change may take from several minutes up to 48 hours, but nothing else is needed from you.

Site after changing protocol to HTTPS

After doing this, I was chatting with my brother (@sammyisra) and told him I used Cloudfare to do this, he told me he had used Netlify. I'm curious what most people have used, please leave a comment below sharing what service you used and why.

Thank you!

Other useful resources:

Top comments (9)

Collapse
 
mbethke profile image
Matthias Bethke

Hi David,
there are some important downsides to using CloudFlare for HTTPS, especially for non-US servers. While it does help protect customers from attackers on their local network, at the same time it opens them up to attacks from NSA etc. by directing all your data through a US company's data centers. But what's even more important even if one doesn't care about the spooks is Cloudflare's obnoxious CAPTCHA practice. You wouldn't believe how many sites want me to solve one (i.e. several screens of) of Google's usual train-our-AI CAPTCHAs every freaking couple of minutes simply because I'm in Laos. Or when I use a VPN via my server in Europe. Or when I'm on mobile in Thailand. Client sites don't even notice Cloudflare is doing this and when you test from one of the better-known ISPs you're not subjected to it, but it's so annoying here the site has to be really really important for me to put up with it. For Cloudflare that results in statistics that sell - look how many people didn't get past the CAPTCHA, those were all bots that we're protecting your from!!! - but in reality it's often annoyed people taking their business elsewhere.

Configuring your server to use LetsEncrypt is pretty easy, there are many good tutorials for it already. By all means use Cloudflare if you have trouble with being slashdotted or some other scaling/DOS problem, but for users' privacy and convenience doing it yourself is the much better way.

Collapse
 
davidisrawi profile image
David Israwi

Thank you for the information, Matthias. First time I hear about the practice of CAPTCHAs by Cloudafe - sounds quite tedious for any real user. I will do my research on LetsEncrypt and add a section about it on this post (with the corresponding credit). Thank you again.

Collapse
 
navonf profile image
Navon Francis

Very useful!

Collapse
 
vin_norman profile image
Vin Norman • Edited

Hi there's a couple of bits about certificates and keys that aren't quite right there. Public keys aren't used to decrypt things as you mentioned. They are used to encrypt in the context of end-to-end encryption, or to verify signatures often in the context of certificates. So when the client receives a server certificate, it likely is signed by a Certificate Authority. This signature is in the form of the certificate content hash being encrypted using a super secure private key. The decryption you speak of upon receiving a certificate from the server is actually the client verifying that the signature is valid.. i.e. that the server is who it says it is. The certificate has the Certificate Authority's signature, the encrypted hash of the certificate content, along with the public key. So the client also performs the same hash of the certificate, decrypts the signature using the public key, and sees if the hashes match. If it does, it proves the owner encrypted it with their private key, and also proves the certificate content has not been tampered with.

The actual encryption of the messages sent over Https is done through TLS, and the public/private key pairs here are used to encrypt a shared key (symmetric).. if I were to go on about TLS handshakes here though, this comment would become a bit lengthy!

Collapse
 
davidisrawi profile image
David Israwi

Thanks for clarifying Vin! I'll make the changes in the post

Collapse
 
senyorcranc profile image
Senyor Cranc

If you have a shop, be careful. Some payment methods need a "minimum" certificate, that cannot be wildcard or multiple domain, from certain companies. Also adding certificates and redirecting by default to https could break some Webservices that don't follow 302 redirects or in old servers if the chosen certificate emisor is not recognized.

Yes, its 5 minutes if you don't have a complex system...

Collapse
 
teekatwo profile image
Tori Pugh

Just used Cloudflare for this a month ago. Tried using the service through Bluehost to go SSL and it broke my site and no one could figure out why.

Collapse
 
davidisrawi profile image
David Israwi

Interesting. Do you know why it broke it?

Collapse
 
teekatwo profile image
Tori Pugh

Sadly no, not definitively. They told me to rewrite my htaccess and I think that was the main reason. I changed it and it didn't work. It took my whole site down. The support team changed more stuff in it and it still didn't work. They couldn't figure out why it wasn't working. It was a very confusing time.