What is SSL and Why is it Important?
You can no longer ignore your website’s SSL implementation. Search engines like Google have been telling web administrators that it’s beyond time for them to migrate their site from plain old “http” to “https”. When this push first started, moving to https was complicated and expensive. Certificates had to be purchased and renewed, and we had to make extensive site-wide configuration updates.
Things have changed a lot since then. Now, getting an SSL certificate is easier than ever, and can also be obtained for free. Hosting companies have started promising free SSL certificates with their hosting plans, and many popular software installations come with https support enabled.
All this is a good sign, because Google is becoming increasingly serious about its SSL rules. Soon, Chrome browsers all over the world will start displaying scary warning messages for all pages that use insecure http.
The Problem with Linked Non-Secure Sites (HTTP)
However, there’s a problem. It’s not enough to change your URLs to https. All your internal linked files must be https as well! That means your Javascript URLs, and your CSS files need to be hosted on HTTPS servers, and you might need to go through your code to weed out any hidden links that will trip you up.
Even a single link to a non-https site will be flagged as insecure and will display the warning!
As a result, it’s extremely important to know the status of your website and whether or not it’s implementing SSL properly. If not, you need to identify the problem and fix it. And this is where our SSL tool comes in.
Using the SSL tool checker on this page, you should have all the information you need to get HTTPS ready.
Using the SSL Checker
All you need to do is type in your website URL into the box. Just make sure you include the “http” or “https” before the URL:
Just input your URL and click “Check”. The tool will download and examine your URL and show you the SSL status. For example, with the domain webhostinghero.com, here are the results:
You get information about the certificate itself – its issuer, the expiry date, and what SSL protocols are supported. In addition, you get valuable information about external links:
In this particular case, these are the “secure calls” made to other websites. They’re secure because they all start with “https”. If you’re experiencing the dreaded “broken padlock” symbol on your website when viewing it with a Chrome browser, it could mean that your site is linking to other http resources. This tool will help you identify those resources and fix them.
What to Do When your Site Links to an HTTP CSS or Javascript File?
Unfortunately, this is the part of SSL migration that can still get messy. Most often, you won’t be linking to external (or internal) https URLs manually. In WordPress for example, you can have a plugin that links to an https CSS file. If this is the case and if you can’t do away with the plugin, you have no choice but to manually go into the plugin code and change the URL if it links to a file on your own site.
Unfortunately, this opens up other problems like what happens when the plugin updates? Your changes might just revert back and make your site insecure again! In which you have to make the hard decision to either somehow disable updates for that plugin, or switch to another instead.
But the first step is identifying the insecure resources that your site links to, and this tool will help you do just that.
Why Should ALL Elements on your Site be SSL enabled?
As mentioned above, it’s not enough for just the pages on your site to be requested with an HTTPS url. Every single element on the page must be protected by SSL. That includes all Javascript and CSS files whether they reside on your server or not. We’ve also seen that it can be difficult to achieve this if your theme or plugin authors haven’t made the necessary changes to the URLs.
But why is this so important? Why are companies like Google making it so difficult for website administrators to switch to HTTPS? The reason is that even a single insecure element using HTTPS can compromise the security of the whole site! How is this possible?
The answer is that an SSL connection provides three different types of security:
- It ensures that the resource you’re connecting to is actually served from the server in question;
- It ensures that the content hasn’t been changed in transit (man in the middle attack);
- It ensures that no one is snooping on the content as it reaches you.
So if we have say a Javascript code that’s being served from an external 3rd party server using insecure HTTP, it’s theoretically possible for the request to be spoofed and served from another server. This means that you might be getting content that’s completely different from what was requested! And since it’s Javascript that will be executed, a malicious attacker can get complete control over your entire web site or browser.
Changing the Data En Route over Insecure Connections
Another threat is that someone will intercept the data sent back over the insecure connection, and modify it to suit their needs. This is completely unacceptable for obvious reasons. There have been scary stories of ISPs who intercept web requests and inject their own advertisements into web pages! This is made possible only because of insecure HTTP requests.
With a misbehaving ISP who has default access to everything that passes over their network, consider that your web page visitors might be exposed to advertisements that haven’t been put there by you! Not only does it spoil your brand image, there’s the idea that someone else is profiting from your hard work and monetizing your content without your permission or knowledge!
For these reasons, it’s critical that all elements of your website be served over secure HTTPS. It’s not enough for the main URL to be secure. All Javascript, CSS, and even images need to be secured to ensure that your visitors have a smooth and error free experience.
Gustavo Domínguez on How to Install Apache, PHP 7, and PHP-FPM on CentOS 7
Stéphane Brault on How to Install Apache, PHP 7, and PHP-FPM on Ubuntu
ting on How to Install Apache, PHP 7, and PHP-FPM on Ubuntu
Sangam on How to Create a Self Hosted CDN With WordPress
polikmujn on Using Git with WordPress and SiteGround
