Securing the entire website with SSL: points of attention
Most CAs (certificate issuers) now recommend protecting the entire site with SSL, not only the pages where confidential information is entered. Large organizations such as Google, Twitter and Facebook already do this. This article describes the points of attention, so that the transition does not cause any negative effects.
Order and install an SSL certificate
- In order to set up an SSL connection you need an SSL certificate. You can request the certificate online.
- The certificate you receive needs to be installed on your webserver, together with the root and intermediate certificates.
- For maximum security it's important to optimize the SSL settings on your webserver.
According to the Online Trust Alliance it is the best way to increase customer confidence and prevent attacks. It is a simple and relatively inexpensive way to avoid 'sidejacking' and 'Firesheep' attacks. These are attacks in which visitors are redirected to another page unnoticed, in order to intercept confidential information. If the entire site is secured with SSL, there is no switching between secure and non-secure pages, so no data can be intercepted by this type of 'man in the middle' attack. It also means that visitors of the website no longer receive warnings about mixed content. Besides these advantages, there are some issues that need to be set up properly to ensure that the transition from http:// to https:// has no unintended negative consequences.
SSL and search engines
The following tips may prevent that enabling https:// on the entire website has negative consequences for the visibility of the website in search engines.
By implementing SSL for your entire website, two versions of your website with the same content may exist for the search engines: a secure version and an unsecured version. In this case you want customers always to be sent from the search engine to your site with SSL. This problem can be solved in a number of ways:
Tell the search engine which content should be included in the index
We can tell the search engine which content should be included in the index by making the https pages the canonical URL. A canonical page is the preferred page when you have multiple pages with (nearly) the same content. This can be configured as follows: add a rel="canonical" link to the HEAD section of every page that should take precedence over other pages with similar content. The link to be added to the HEAD section looks like this: <link rel="canonical" href="https://www.domeinnaam.nl/voorbeeld"/>.
Set the XML sitemap so that it refers to the https version of the content
A sitemap ensures that the crawler (the program with which search engines index web pages) finds the protected pages rather than the unsecured ones, when the protected pages are listed in the sitemap.
These changes ensure that visitors are sent directly from the search engine to the https site. That way visitors enter the website faster, and 'man in the middle' attacks are prevented because your website is not offered over http.
By using HTTPS, search engines may know two versions of your site: one for HTTP and one for HTTPS. With a robots.txt file you can ensure that the crawlers used by search engines skip certain parts of your website, for example the parts where your customers enter confidential information.
Create a redirect to your https website
Forward all website traffic from http to https with a permanent (301) redirect. On Apache servers you can set this up with a .htaccess file.
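As an added example (not from the original article), a .htaccess file that implements this redirect on Apache with mod_rewrite; the X-Forwarded-Proto condition is an assumption for setups where a load balancer terminates TLS in front of Apache, and can be dropped otherwise:

```apache
# Added example, not from the original article. Place this .htaccess in the
# document root. Requires mod_rewrite and AllowOverride FileInfo (or All)
# for the directory.
RewriteEngine On

# Only act when the request did not arrive over TLS ...
RewriteCond %{HTTPS} !=on
# ... and, when a load balancer terminates TLS in front of Apache, when it
# did not mark the request as already https. X-Forwarded-Proto is an
# assumed header name; use the one your proxy sends, and make sure the
# proxy overwrites it so clients cannot supply it themselves.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https

# Redirect to the same host and path over https. The original query string
# is appended automatically. R=301 makes the redirect permanent so search
# engines update their index; L stops further rule processing.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```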
Set a preferred domain in Google
In Google Webmaster Tools you can set a preferred domain. The preferred domain is the version of your site that Google indexes. Set it to the https version of your website.
There are consequences for social media too. Facebook likes reset to 0 when the URL has been modified. To prevent this, add the og:url tag to the HEAD section of your website's pages.
One argument against securing the entire website with HTTPS is that it can affect the loading time of the website. A secured page does load slower than an unsecured page, because a browser visiting SSL-protected pages must wait for confirmation from the CA that the certificate is valid.
However, all CAs are working on making this delay as short as possible, and thus on reducing the loading time difference with unsecured pages. One method that shortens the transfer time is OCSP stapling. Here the browser can verify the validity of the certificate without making a separate connection to the CA's website, because the web server passes on the CA's validity response itself. More information about setting up OCSP stapling can be found here.
Cookies are small files placed on the computer when a website is visited. Cookies are primarily intended to distinguish users from each other and to ensure, for example, that a visitor stays logged in on a website or that the content of a shopping cart is kept. In addition, they provide a way for advertisers to tailor ads to the surfing habits of users.
Visitors often do not type https when they enter the web address in the address bar, so their information is not protected during the first connection. When you protect your website with HTTPS, it is advisable to also send cookies over the secured connection only.
When you use HTTP Strict Transport Security (HSTS), the browser is instructed to connect directly to the SSL-secured page instead of the unsecured one. If no secure connection is possible, visitors see an error message and the connection is refused. Using HSTS can protect users from 'man in the middle' attacks, because visitors of your website cannot be diverted to an unsecured page.
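The OCSP stapling, secure-cookie and HSTS settings described above, combined in one Apache mod_ssl/mod_headers configuration as an added example that is not from the original article; www.example.com and the certificate paths are placeholders:

```apache
# Added example, not from the original article. www.example.com and the
# file paths are placeholders. Requires mod_ssl, mod_headers and
# mod_socache_shmcb.

# The stapling cache must be declared in the global server context,
# outside any <VirtualHost>.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    # Intermediate chain from the CA (on Apache 2.4.8 and later the
    # intermediates may instead be appended to SSLCertificateFile).
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt

    # OCSP stapling: Apache fetches the CA's signed OCSP response itself and
    # sends it with the certificate in the TLS handshake, so the browser
    # needs no separate connection to the CA.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    # If the CA responder is unreachable, send no staple rather than an error.
    SSLStaplingReturnResponderErrors off

    # HSTS: browsers use https only for this host (and its subdomains) for
    # one year. Add includeSubDomains only once every subdomain serves https.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Safety net for cookies: mark every Set-Cookie the application emits as
    # Secure, so it is never sent over plain http. Setting the flag in the
    # application itself is preferable; this catches what it forgets
    # (a duplicated Secure attribute is harmless).
    Header edit Set-Cookie ^(.*)$ "$1; Secure"
</VirtualHost>
```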