How do I encrypt the communication with my website?

Intent

The aim of this pattern is to provide sufficient information to allow users to request and obtain an SSL / TLS Certificate from a trusted Certificate Authority and to install it on their own website.


Problem Statement

Providing an encrypted connection between the user's web browser and a website is mandatory, especially when sensitive data (e.g., names, addresses and credit card data) is communicated. Encrypted communication guarantees data integrity, protects the transmitted data from eavesdropping, and is a necessity for certain web applications. Even though many websites work with sensitive data, only about 40% of the websites currently online provide encrypted communication.


Scenario

To provide a safe and secure environment for the visitors of your website, it is mandatory to enable a secure connection via HTTPS on your own website.


Solution

To enable the usage of HTTPS on a website, the first step is to obtain an SSL / TLS Certificate from a Certificate Authority. This Certificate then needs to be installed on the webserver. This is done via the admin control panel provided by the webhost. After setting up the Certificate, the .htaccess file needs to be adjusted to force the web browser to use a secured connection when connecting to the website. Afterwards, it is necessary to check in different web browsers whether the connection to the website is forced to use HTTPS.


There are a handful of Certificate Authorities offering their services to issue an SSL / TLS Certificate. This pattern focuses on the Certificate Authority called https://letsencrypt.org, which provides free, automated and open certificates for websites.


Examples

Receive an SSL / TLS Certificate using Let’s Encrypt

Visit https://letsencrypt.org and click on the "Get Started" button. The following page explains how to enable HTTPS on your website, depending on whether you have remote server access via the Shell (SSH) (i.e., access to the server's command line terminal) or not. In case your webhost does not provide you with Shell access, the procedure will get more complicated and further steps might be necessary. In order to issue the Certificate, Let's Encrypt needs to verify that you are the owner of the web domain in question.

If you …

  • have access to the Shell
  • do not have access to the Shell, but …
    • the webhost supports Let’s Encrypt
      • Contact your webhost via mail and ask them to handle the acquisition and installation of the Certificate via Let’s Encrypt.
    • the webhost does not support Let's Encrypt
      • In case your webhost does not support Let's Encrypt, it is still possible to obtain a Certificate manually by using your own system in combination with Certbot. However, this process requires special knowledge and experience with command line tools. As it takes knowledge and time, it is not advised for beginners, because it has to be repeated each time the Certificate expires.
      • Apart from getting the Certificate the manual way, you could also ask your webhost whether they would be willing to add Let's Encrypt support.
      • The last resort would be to change to a webhost that supports Let's Encrypt out of the box.

A detailed explanation on how to use Let’s Encrypt can be found on: https://letsencrypt.org/getting-started/. As the installation of a Certificate requires the usage of the admin panel provided by the webhost, it is recommended to contact your host in case you have any questions.


Activate HTTPS on your website

There are multiple ways to allow or force a secure communication between a web browser and your website. One way is to modify the .php file that serves a particular URL. Add the following code at the top of that .php file (inside the PHP block, before any output is produced) to enforce HTTPS when accessing the page:

// Require HTTPS: redirect plain-HTTP requests for this page to the
// same URL over HTTPS. This must run before any output is sent,
// because header() cannot be called once the response body has started.
// $_SERVER['HTTPS'] is unset on plain HTTP on many servers and may be
// "off" on others, so test for both instead of comparing with "on".
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    $url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    // 301 (permanent) so browsers remember to use HTTPS for this page
    header("Location: $url", true, 301);
    exit;
}

If you want to force a secure connection on your whole website, you can alter the .htaccess file, which is used by the Apache web server and can usually be found in the document root of your webserver. The rules below require Apache's rewrite module to be enabled and the server configuration to allow .htaccess overrides; if in doubt, ask your webhost. To force the use of HTTPS and redirect HTTP requests automatically to HTTPS, use the code below:

# HTTP to HTTPS redirecting (Apache mod_rewrite)
RewriteEngine On
# Only act on requests for this site, with or without the www. prefix
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
# ... and only when the request did not arrive over TLS
RewriteCond %{HTTPS} off
# Permanent (301) redirect to the same path on the HTTPS site
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Replace example.com with your own domain name.
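The last step of the solution, checking that a plain-HTTP request is really answered with a redirect to HTTPS, can be automated instead of being repeated by hand in several browsers. The following Python script is an added example, not part of the original pattern: it uses only the standard library, the host name example.com is a placeholder for your own domain, and the acceptance rules (redirect status, https:// scheme, same site, same path) are an assumption made here that matches what the .htaccess and PHP rules above produce.

```python
import http.client
from urllib.parse import urlsplit

PERMANENT = (301, 308)
TEMPORARY = (302, 303, 307)


def judge_redirect(status, headers, host, path):
    """Judge one response to a plain-HTTP GET for http://host/path.

    Returns (ok, reason). ok is True only when the response is a redirect
    whose Location is an https:// URL on the same site (host or www.host)
    and the same path, i.e. what the .htaccess / PHP rules above produce.
    """
    if status not in PERMANENT + TEMPORARY:
        return False, f"no redirect, got HTTP {status}"
    location = {k.lower(): v for k, v in headers}.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirect target is not https: {location}"
    bare = host[4:] if host.startswith("www.") else host
    if target.hostname not in (bare, "www." + bare):
        return False, f"redirect leaves the site: {location}"
    if target.path != path:
        return False, f"path not preserved: {path} -> {target.path}"
    if status in TEMPORARY:
        return True, "ok, but temporary; use 301 so browsers remember it"
    return True, "ok"


def check_site(host, path="/", timeout=10):
    """Request http://host/path once and judge the answer (needs network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return judge_redirect(resp.status, resp.getheaders(), host, path)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # example.com is a placeholder: pass your own domain on the command line
    ok, reason = check_site(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print("PASS" if ok else "FAIL", reason)
```

Run it once for the bare domain and once for the www. variant, since the .htaccess rule above has to catch both.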




Keywords

HTTPS, cryptography, encryption, SSL, TLS