SSL Certificate for websites

4

I received an email from Google telling me that non-HTTPS websites will be penalized:

  

Unsafe pages that collect passwords will generate warnings in Chrome 56 for xxxxx.es

     

To: owner of xxxxxx.es

     

As of January 2017 Chrome (version 56 and later) will mark as unsafe those pages that collect passwords or information about credit cards, unless they are published through the HTTPS protocol.

     

The following URLs include fields for entering passwords or credit card data for which the new Chrome warning will be displayed. Review these examples to see where the notifications will appear so that you can take the necessary measures to continue protecting your users' data. It is not a complete list; they are only examples.

     

[URLS]

     

This new warning is the first phase of a long-term plan to mark as unsafe all those pages that are not encrypted with the HTTP protocol.

     

To solve the problem: Collect confidential information through HTTPS pages. So that the "unsafe page" message does not appear when a Chrome user visits your site, include fields that collect passwords and credit card data on pages encrypted using the HTTPS protocol.

My websites are HTTP and I do not know how to get this certificate, nor what it is for or how it is implemented. Can an expert on the subject tell me:

  • What is the SSL certificate? And what is it for?
  • How do I implement it on my website for the security of all users?
asked by Antonio Ángel Estrada Pérez 24.01.2017 at 17:20

3 answers

3

First, a clarification: the problem is not that you will be penalized for not using HTTPS; you will be penalized for not using HTTPS on pages where the user will enter private information (e.g. passwords, credit cards, bank accounts ...).

And the penalty is not in the indexing for not using HTTPS (although it is something that Google has had in mind since at least 2014); rather, the Chrome browser will show a message to the user indicating that the page is not secure and that their data will be sent in an unsecured way (something that will have a negative effect because it will scare some users). If your visitors use Firefox or IE / Edge they will not see that warning.

What is the SSL certificate? And what is it for?

An SSL certificate is a small file associated with a cryptographic key of a company or organization, which is installed on a server and allows secure connections to be created between that server and the client's browser.

SSL certificates help protect the information of users and clients because they are used to encrypt the communication and the data sent, which is decrypted at the destination, avoiding possible threats such as an intermediary attack (Man-in-the-Middle).

In your particular case, and as mentioned above, you have received the email because you have (at least) one page where the user will enter sensitive information and it will be done in an insecure way (with HTTP instead of HTTPS). By not being HTTPS, that information will not be encrypted and could be read by an attacker.

An important fact to keep in mind: an HTTPS connection does not mean that you can trust all the data you receive from the user. The user could be the attacker, so you should continue to implement methods to prevent other types of attacks (e.g. SQL injection, XSS).

How do I implement it on my website for the security of all users?

This will depend on the type of server and web service you have. Normally, your web hosting provider will also offer security services and will allow you to contract and buy SSL so that your pages are secure, and if your server is shared, they will do it for you.

If you have a server of your own, then you may have to do it yourself, and the process will be different depending on the web server you have installed. On the GoDaddy page you can find guides (in English) on how to do it on IIS or Apache.

Once you have installed and configured the SSL certificate, you can now serve your pages through HTTPS (you may need to make some changes in web.config or .htaccess to put a redirect from HTTP to HTTPS).

    
answered by 26.01.2017 / 19:14
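As an added example (not part of the original answer, and not Google's own check), this Python script finds the pages the answer above is talking about: those with password or card fields that are not served over HTTPS. Treating `autocomplete="cc-*"` as the marker for card fields and also flagging forms on HTTPS pages that submit to an HTTP URL are assumptions that go beyond the email; the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class SensitiveFieldFinder(HTMLParser):
    """Collects password / card inputs and the URL their form submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_target = page_url   # inputs outside a <form> stay on the page
        self.findings = []            # (field kind, submission URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":             # empty or missing action = the page's own URL
            self.form_target = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = None
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif a.get("autocomplete", "").lower().startswith("cc-"):
                kind = "credit card"  # assumption: card fields use autocomplete="cc-*"
            if kind:
                self.findings.append((kind, self.form_target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_target = self.page_url

def audit(page_url, html):
    """Return the reasons why sensitive fields on this page travel unencrypted."""
    finder = SensitiveFieldFinder(page_url)
    finder.feed(html)
    problems = []
    for kind, target in finder.findings:
        if urlsplit(page_url).scheme != "https":
            problems.append(f"{kind} field on a page served over HTTP")
        elif urlsplit(target).scheme != "https":
            problems.append(f"{kind} field submitted to {target}")
    return problems

# Constructed sample pages (not the URLs from the email).
LOGIN = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
PAY = '<form action="http://example.test/pay"><input autocomplete="cc-number"></form>'

if __name__ == "__main__":
    for url, html in [("http://example.test/login", LOGIN), ("https://example.test/pay", PAY)]:
        print(url, audit(url, html) or "ok")
```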
0

To obtain the certificate you will have to contact the hosting provider (usually it is offered as a paid service); they can install it on the server. Once it is installed on the server you will have to redirect all your traffic from HTTP to HTTPS, normally through .htaccess.

    
answered by 24.01.2017 at 18:05
-1

This is a certificate that encrypts the communication between the client and your website, but these have a cost. As for Google penalizing, that email seems to me more like spam than anything else; I doubt that Google does this.

    
answered by 24.01.2017 at 17:37