SSL certificates have gained a lot of importance over the last few years. 15 years ago, you really only saw SSL in a few places: when you registered on a website, when you logged into your account, and when you purchased items online. SSL wasn’t widely available as it could be expensive. You needed dedicated IPs as the technology at the time could only handle a single certificate per port. This meant that if you wanted SSL on your site, you had to get a dedicated IP which cost you extra per month. It cost companies like ours a lot as we had to start using up more IP addresses. Then, things changed. We fixed the broken technology and made it easier and more affordable for SSL to be installed though a technology called SNI or Server Name Indication.
Protecting information
SSL certificates are important because the job they serve is to encrypt communication between your web browser and the web server you’re making requests to. Without it, bad guys can steal your passwords, credit card information, and other sensitive information like banking and heath records. Encryption also serves another purpose: data integrity. Data integrity means that the data you send or received is not tampered with.
There’s an amusement park operator that offers visitors to its parks free Wi-Fi to use while they’re in line. There’s just one thing – they inject advertisements. So if you go to https://www.nodespace.com while you’re connected you’ll see a banner ad at the bottom. While this is still bad, it’s not malicious. But bad guys can use this same trick to inject malicious code into legitimate websites to steal information or modify it in transit – like what if there’s a t-shirt you wanted. You purchase it but instead of telling your credit card company to charge $10, they modified the request to charge $1000 and to divert $990 to their account. This would be very bad!
How SNI allowed SSL everywhere
Back in the day though, as we previously said, SSL was very expensive. You had to pay for a certificate, a dedicated IP, and then the additional configuration. But we decided we needed to get more secure so that no one could tamper with traffic. When you type in an address like https://www.nodespace.com, your browser makes a request to our server. Lets say our site was on a server with multiple other accounts. The server will look at the virtual host header (“gonodespace.com”) and then finds the website that matches and returns that certificate. Of course, this is an oversimplification of the process but the important thing is it allowed us to start allowing multiple customers to share IPs and use their own SSL certificates without any problems.
Baseline security
However at the time SSLs still required a lot of work. You had to generate a CSR (Certificate Signing Request – it’s something that allows you to request a certificate), then you had to take that to a certificate authority (CA) and pay them for a certificate. Once you proved you owned the domain (validation is generally done via email), you then get the certificate to install. What a process! So several years ago some people got together and they said that the Internet needs some baseline security and they set out to create free certificates. Around the same time, there were a lot of security issues going on with some of the big name CAs. They were randomly issuing certificates they shouldn’t or private keys were becoming compromised. So, this group decided that the best way to handle this was to limit the length a certificate would be valid. Instead of the minimum of one year, they decided on 90 days or three months. This way, if a certificate was compromised, it wouldn’t have long before it would be expired anyways. This group? Let’s Encrypt.
What Let’s Encrypt did was revolutionary. They provided a way for everyone to obtain and use SSL certificates to secure their websites for free. Hosting companies like NodeSpace provide Let’s Encrypt certificates to ensure that you get baseline security as web browsers start to mark HTTP sites as insecure. This way when visitors come to your site, they’re not scared away by insecure warnings. Your content authenticity is protected as data can’t be modified in transit, and you get some peace of mind.
NodeSpace offers Let’s Encrypt on all shared hosting accounts.