Tag Archives: SSL

What Happens If You Don’t Have an SSL Certificate?


If you’re asking yourself “do I need an SSL certificate?” the answer is yes, and here’s why…

If you have a website, even if it is a basic one, you’re likely facing the question of whether you need an SSL certificate. With all of the other costs piling up, you might be tempted to do away with having one more additional bill. But before you decide not to get one, ask yourself a few important questions first:

  • Why do I need an SSL certificate?
  • What is the risk of not having an SSL certificate?
  • What happens if I don’t have an SSL certificate?

We’ll answer those questions and explore the reasons why you need an SSL certificate on your organization’s website. But first, let’s start by talking about what an SSL certificate is.

What Is an SSL Certificate?

An SSL certificate, or more specifically a TLS certificate, is a digital file that you use to secure and identify your website as legitimate. It ties your organization’s cryptographic key to your brand so no one else can use it. It’s a crucial element of having a secure website and is what makes the secure padlock appear in your website’s URL bar. It’s also what makes “HTTPS” appear at the beginning of the URL.

HTTPS is a secure protocol, whereas HTTP is an insecure one. And, as you can imagine, using a secure protocol is always better than using an insecure one when it comes to transmitting personal or otherwise sensitive data.

For example, here’s how it looks on our website when we use an SSL/TLS certificate:

A website with an SSL certificate on the browser

In the screenshot example above, you’ll notice that there’s a padlock in front of our website’s domain. This padlock indicates that the website is using a secure, encrypted connection. This is an indication that the site is using an SSL/TLS certificate. So, to answer the question “do I need an SSL certificate?” The answer is unequivocally “yes!”

When users connect to websites without SSL/TLS certificates, their information travels over the insecure HTTP protocol. Essentially, their info is traveling across the internet in plaintext (i.e., readable) format that cybercriminals can intercept, read, and modify in transit. But when they connect with websites that use SSL/TLS certificates (which enable HTTPS), their information is encrypted, meaning that it’s no longer readable and appears like gibberish to anyone who tries to intercept it.

In the most basic sense, this certificate enables you to use encryption to protect the data that transmits between your customers’ clients (web browsers) and your server. It does this by allowing your server to identify itself as being legitimate to clients.

In a more technical sense, what this certificate does is provide instructions and authentication information your web server can use to establish secure, encrypted connections with clients. Historically, all of this used to occur via the secure sockets layer (SSL) protocol. Nowadays, however, the TLS protocol (which stands for transport layer security) is the go-to secure protocol. Hence why we said earlier that they’re really TLS certificates. (The industry is slow to update its lingo, though, so people still commonly call them SSL certificates.)

What Are the Risks of Not Having an SSL Certificate?

More than $3.5 billion. That’s what the FBI’s Internet Crime Complaint Center (IC3) says was reported as being lost to cybercrimes in 2019 alone. According to this report, the IC3 received a total of 467,361 cybercrime-related complaints that year — most of which were related to phishing, non-payment/non-delivery, and personal data breaches.

Needless to say, this underscores the importance of data security and safety. And SSL/TLS certificates are just one of the crucial cogs in the complex data security machine.

By not installing an SSL certificate on your website, you’re leaving your website and your customers open to an assortment of risks:

  • Man in the middle attacks. We’ve already touched on this, but a MitM attack occurs when a cybercriminal intercepts the data that transmits between users’ web clients and your server.
  • Data leaks. Data leaks are another concern when you’re not sending or receiving data via a secure, encrypted connection.
  • Phishing attacks. When you don’t use an SSL/TLS certificate on your site, you’re not authenticating yourself. This leaves your brand open to being used in phishing attacks because users can’t easily identify whether an imposter’s phishing website is real or fake.
  • Your site will be distrusted by browsers. Everyone wants their website to appear in the top search results of different search engines. But did you know that not using an SSL/TLS certificate on your website can actually make it so that the major browsers (Chrome, Firefox, Safari, etc.) won’t trust your site? We’ll speak more to that momentarily.
  • Noncompliance issues. You’ll read more about this shortly, but not having an SSL/TLS certificate on your website can lead to noncompliance issues with a variety of industry regulations, including HIPAA, GDPR, CCPA, PCI DSS, and FIPS.  
  • Brand and reputational damage. As you can imagine, all of these things may cause customers to lose faith and trust in your brand. This can result in lost business and affect your bottom line.

How Is Google Promoting the Use of SSL Certificates?

We cannot emphasize enough the importance of having an SSL certificate. That importance is evident in the way tech giants like Google, Apple and Mozilla have made it mandatory for secure sites that want to rank on their browsers to have one. In 2014, Google declared that it considers an SSL certificate one of its ranking factors. Since 2017, Google has labeled sites that collect login data or credit card details without the use of an SSL certificate as “Not Secure” in the address bar of Chrome. They do the same with websites whose SSL/TLS certificates have expired.

What happens when you don’t have an SSL certificate on your website

What happens if I don’t have an SSL certificate on my site? You get your answer in this picture. The website will display the “Not Secure” message in the browser’s URL bar to all your site visitors. This may drive traffic away from your site and straight into the arms of your competitors.

Google went a step further in 2018 when it began marking all sites without SSL certificates as “Not Secure” regardless of whether they collect user data. Slowly, they’ve been rolling out measures to ensure that sites that have SSL certificates will no longer have the green padlock. However, the sites without an SSL certificate will be marked in red on the address bar, rating them as “Not Secure.”

Consequences of Not Having an SSL Certificate in Terms of Compliance

Not only Google, but other important industry regulatory entities have also made it compulsory to have SSL certificates for websites that handle credit card data. One such example is the Payment Card Industry Security Standards Council (PCI SSC).

PCI SSC designs and manages the security standard called PCI DSS (Payment Card Industry Data Security Standard) to provide airtight security for credit card transactions. What PCI DSS does is ensure that the collection, storage, processing, and transmission of customers’ credit card details are done in a safe environment. Companies that collect and process customers’ credit card information must comply with PCI DSS. Failure to do so can lead to dire consequences, including heavy fines and other penalties from Visa, Mastercard, Citibank, Chase, and American Express.

Other Effects of Not Having SSL Certificate on Your Business’s Website

While cyber awareness is slowly growing among consumers, the Fiserv 2019 Cybersecurity Awareness Insights Study reports that “a surprising number of U.S. consumers have little awareness of how to defend themselves against a cyberattack.” However, they can still read warning signs, and the ones from browsers screaming “Not Secure” are sure to catch their attention. Also, even the most ignorant of them will recognize that the red warning in the address bar means “stop”.

While 44% of the survey respondents say they want governments and businesses to do more about cyber security, 59% say they’re bothered by the inconvenience created by advanced security measures. Cyber security is a partnership between businesses, citizens, and the government to defend themselves against cybercriminals.       

Nowadays, consumers have numerous options to choose from. When they find out that your website is not secure, they’re more likely to close out of your website to find one that doesn’t display any scary warning messages. As a result, you might lose genuine customers if you do not have an SSL certificate to prove your organizational identity and generate trust. Far from buying anything from your website and sharing important information like payment details, they will avoid sharing their email addresses to stay safe.

While customers believe they are becoming more knowledgeable about security, cybercriminals are also adapting and finding new ways to trick them. These bad guys continually develop different new ways to hack websites with malicious intent to defraud people and businesses and to cause general mayhem. An SSL certificate not only helps you to gain the trust of your customers, but it also helps to guard their information from man-in-the-middle (MitM) attacks.

Hence, although an SSL certificate is not technically “mandatory” for a website, per se, not having one will make it almost impossible for website owners to be successful online. Neither your customers nor any banks will be able to trust your brand. We can say that SSL certificates are the need of the hour and they will be made mandatory in the foreseeable future.

Do I Need an SSL Certificate?

If you’re still not convinced and are asking yourself “why do I need an SSL certificate?” let us conclude this article by quickly summarizing the reasons to persuade you.

  • If you do not have an SSL certificate, your site’s search ranking will plummet on Google Chrome. This will make it virtually impossible for customers to reach your website since most customers don’t go beyond the first page of Google search results. In fact, the Search Engine Journal reports that the second page of Google search results has less than a 1% click-through rate (CTR). 
  • All of the major browsers will not trust your site, and some (e.g., Google Chrome) will punish your site by decreasing its search engine ranking.
  • Not having an SSL certificate will make your website appear as “Not Secure” in the address bar. This label will turn red once Chrome rolls out the transition. This will alert visitors that your website cannot be trusted and may result in decreased web traffic.
  • If you ask for the credit card details of the customers without an SSL certificate, you’ll be non-compliant with PCI DSS and are likely to face heavy fines and penalties.
  • Not using an SSL/TLS certificate can leave you noncompliant with other industry regulations as well.
  • Criminals will have an open field to attack your website and steal your customers’ personal data. This can result in a loss of trust and even potential lawsuits in the future. 

The above points prove the absolute necessity of having an SSL certificate on your website. At the end of the day, your return on investment (ROI) will be much higher with the SSL certificate than without it.

Purchase Your SSL Certificate

There are many different types of SSL Certificates available for you to choose from. To find the one that suits your needs, you can click the button below.

Purchase Your SSL Certificate Now and Save Up to 80%!

How to Renew Your SSL Certificate on IIS


Renewing an SSL certificate on IIS has never been easier

If you’re thinking of renewing or updating your SSL/TLS certificate on your IIS server, then you’re thinking in the right direction. And not only that, but you’ve landed in the perfect place to learn how to renew your SSL certificate on the IIS server – whether it’s IIS version 5, 6, 7, 8, 8.5, or 10. In this post, we’ve broken down the IIS SSL/TLS renewal process in simple steps that will get your SSL cert renewed in no time!

Let’s get started!

  • Renew SSL Certificate on IIS 5, 6 & 7
  • Renew SSL Certificate on IIS 8, 8.5 & 10

Renew SSL Certificate on IIS 5, 6 & 7 Server

The process of renewing SSL/TLS on IIS 5, 6, and 7 can be divided into three parts: CSR generation, SSL renewal, and installation of the new SSL certificate. Let’s take a look at each of them in a simple series of steps.

Generate an SSL Certificate Renewal CSR in Microsoft IIS 5, 6 & 7 Server

  1. First, go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the left pane named Connections, click on your server’s hostname.
  3. In the middle pane, you should see various options for your server. Double-click on the Server Certificates icon.
  4. In the right pane named Actions, click on Create Certificate Request…
  5. Now you’ll be asked for the information needed to generate a new CSR. This is what each field means:
       • Common Name: Your domain name (e.g., www.yourdomainname.com)
       • Organization: Legally registered name of your organization/company (e.g., Your Company, LLC; Your Company, Inc.)
       • Organizational unit: The department of your organization (if you don’t know what to put, just enter ‘IT’).
       • City/locality: The city/municipality where your organization is located.
       • State/province: The state where your organization is located.
       • Country/region: Your country’s abbreviated two-letter country code.
  6. Click on Next.
  7. Select Microsoft RSA SChannel Cryptographic Provider as the cryptographic service provider and 2048 as the bit length.
  8. Click Next.
  9. Specify a convenient location to store your newly generated CSR.
  10. Click Finish.

Renew Your SSL Certificate On Windows Server

The SSL renewal process isn’t the same for everyone, as it depends on where you purchased your SSL certificate from. You need to log into your account (of the platform where you purchased your SSL) and submit a renewal request by pasting your new CSR. Once the certificate authority (CA) has received your renewal request, it will conduct a verification process (like it did at the time when you bought your SSL certificate the first time).

Once the vetting process is over, the CA will issue the new (renewed) SSL certificate to you. You’re supposed to install this certificate on your IIS server.


Install Your Renewed SSL Certificate on IIS Server

  1. First, save the certificate to the same server from where you had generated your CSR.
  2. Open your IIS Manager.
  3. In the left pane named Connections, click on your server’s hostname.
  4. In the middle pane, you should see various options for your server. Double-click on the Server Certificates icon.
  5. In the right pane named Actions, click on Complete Certificate Request…
  6. Click on the three dots (…) to browse to the .CER certificate file of your renewed SSL certificate.
  7. Now give the certificate a friendly name that will be easy for you to refer to in the future and click OK.
  8. Under the Connections pane, expand your server’s computer name, and then click the website that you want to enable SSL on.
  9. Go to the Actions menu and click on Bindings.
  10. In the Site Bindings pop-up, select https and click on Edit…
  11. Now in the Add Site Binding pop-up, choose your renewed SSL (its friendly name) and click OK.
  12. Go to the SSL Checker tool to verify your SSL installation and check for its new expiry date.

Congratulations! You have just renewed your SSL certificate on your IIS server.

Renew SSL Certificate on IIS 8, 8.5 & 10

The process of renewing SSL on IIS 8, 8.5, or 10 can be separated into three sections: CSR generation, SSL renewal, and installation of the new SSL certificate. Let’s take a look at each of them!

Generate an SSL Certificate Renewal CSR in Microsoft IIS 8, 8.5 & 10

  1. First, go to Start, type Internet Information Services (IIS) Manager, and click on it.
  2. In the left pane named Connections, click on your server’s hostname.
  3. In the middle pane, you should see various options for your server. Double-click on the Server Certificates icon.
  4. In the right pane named Actions, click on Create Certificate Request…
  5. Now, in the Distinguished Name Properties page, you’ll be asked for the information needed to generate a new CSR. This is what each field means:
       • Common Name: Your domain name (e.g., www.yourdomainname.com)
       • Organization: Legally registered name of your organization/company (e.g., Your Company, LLC; Your Company, Inc.)
       • Organizational unit: The department of your organization (if you don’t know what to put, just enter ‘IT’).
       • City/locality: The city/municipality where your organization is located.
       • State/province: The state where your organization is located.
       • Country/region: Your country’s abbreviated two-letter country code.
  6. Click on Next.
  7. In the Cryptographic Service Provider Properties pop-up, select Microsoft RSA SChannel Cryptographic Provider as the cryptographic service provider and 2048 as the bit length.
  8. Click Next.
  9. Specify a convenient location to store your newly generated CSR.
  10. Click Finish.

Renew Your SSL Certificate

See the previous “Renew Your SSL Certificate On Windows Server” section, as the directions are the same.

Install Your Renewed SSL Certificate on IIS Server

  1. First, save the certificate to the same server from where you had generated your CSR.
  2. Open your IIS Manager.
  3. In the left pane named Connections, click on your server’s hostname.
  4. In the middle pane, you should see various options for your server. Double-click on the Server Certificates icon.
  5. In the right pane named Actions, click on Complete Certificate Request…
  6. Now, in the Specify Certificate Authority Response page, click on three dots (…) to browse to the .cer certificate file that you received from your certificate authority (CA). Give your certificate a friendly name that’s easy for you to refer to in the future and select an appropriate certificate store.
  7. Click on OK.
  8. Now go back to IIS Manager and, in the left pane, expand your server’s name. Expand Sites and select the website on which you want to install an SSL certificate.
  9. In the Actions pane on the right, click on Bindings…
  10. In the Site Bindings pop-up, click on https and then click Edit.
  11. Now in the Edit Site Binding window, select the SSL certificate by its friendly name.
  12. Click OK.
  13. Go to the SSL Checker tool to verify your SSL installation and check for its new expiry date.

Congratulations! You made it to the end of the “How to Renew Your SSL Certificate on IIS” process!
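The final verification step in both procedures can also be scripted. The following is an added example, not part of the original article or of any vendor tool: it checks that the certificate the site actually serves is the renewed one (a binding left on the old certificate is the usual failure after "Complete Certificate Request"). The function names, host names and dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_served_cert(host, port=443, timeout=5.0):
    """Return the certificate the live site presents (ssl.getpeercert() format)."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _covers(pattern, host):
    """Match a SAN DNS name against a host; '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def _to_utc(cert_time):
    """Convert a certificate time string such as 'Jun 15 12:00:00 2025 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def renewal_status(cert, host, old_not_after, now=None):
    """Compare the served certificate with the expiry date of the one it replaces."""
    now = now or datetime.now(timezone.utc)
    not_after = _to_utc(cert["notAfter"])
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    problems = []
    if not_after <= _to_utc(old_not_after):
        problems.append("binding still serves the old certificate")
    if not_after <= now:
        problems.append("served certificate is expired")
    if not any(_covers(name, host) for name in names):
        problems.append("hostname not covered by subjectAltName")
    return {"days_left": (not_after - now).days, "problems": problems}


# Constructed sample data in the shape getpeercert() returns (not real certificates).
OLD_NOT_AFTER = "Jun 15 12:00:00 2024 GMT"
RENEWED = {"notAfter": "Jun 15 12:00:00 2025 GMT",
           "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
STALE = {"notAfter": OLD_NOT_AFTER,
         "subjectAltName": (("DNS", "*.example.com"),)}
CHECK_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(renewal_status(RENEWED, "www.example.com", OLD_NOT_AFTER, CHECK_TIME))
    print(renewal_status(STALE, "www.example.com", OLD_NOT_AFTER, CHECK_TIME))
```

Against a live site, pass `fetch_served_cert("your.host.name")` as the first argument and the old certificate's expiry string as the third.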

How to Install a RapidSSL Certificate into DirectAdmin


A step by step guide to install a RapidSSL certificate in DirectAdmin

Life would be so simple if there was only one process for installing SSL/TLS certificates on all servers, wouldn’t it? Unfortunately, it isn’t and that’s why we keep pumping out content for you – the beloved reader. One of our goals is to help you out with SSL installation on all kinds of servers. In this post, we’ll be outlining the process of installing a RapidSSL certificate into DirectAdmin.

Before you start installing your RapidSSL certificate into DirectAdmin, you first need to have completed the following procedures:

  1. SSL/TLS Certificate Purchase
  2. CSR (Certificate Signing Request) Generation
  3. Domain/Organization Validation

Once you complete those, you will have received your SSL/TLS certificate from RapidSSL. Let’s begin its installation process in DirectAdmin.


Steps to Install a RapidSSL Certificate into DirectAdmin

  • First, log into the DirectAdmin Control Panel.
  • Then, go to the SSL Certificate panel, which is located under Advanced Features.
  • Choose the option to “paste the pre-generated certificate and private key” of your RapidSSL certificate.
  • Now, open the private key and certificate in a text editor (Notepad) and paste them in the “Paste a pre-generated certificate and key” section (Note: First, paste your private key and then paste your certificate).
  • Click Save.
  • Now go back to the SSL Certificates panel and choose “Click Here to paste a Root CA Certificate.”
  • Then, paste the RapidSSL root certificate.
  • Click on Save.

And you are all done! You have just installed a RapidSSL certificate into DirectAdmin, all by yourself. Bravo!

The Difference Between SSH and SSL


What is the difference between SSH and SSL? One letter. Thank you, have a safe trip home.

Ok, so maybe there’s a little more to it than that. When you look at SSH versus SSL, the two share quite a few similarities — after all, they’re both protocols for creating encrypted tunnels on the internet. The differences between SSH and SSL are as follows:

  • SSH and SSL use different ports;
  • They have different use cases; and
  • They end with different letters.

Let’s look at both and compare them side by side to see if we can determine what is the difference between SSL and SSH.

Defining Terms: The Difference Between SSH and SSL

What is SSL?

SSL, which stands for secure sockets layer, is really TLS (transport layer security) now — it’s just we still refer to it colloquially as SSL. Using digital certificates and public key infrastructure (PKI), SSL creates encrypted HTTPS connections between websites and their visitors. HTTPS is meant for the transmission of information and data; it encrypts everything that’s sent between the two parties ensuring its confidentiality. While SSL requires authentication, it’s only on the server side — the client isn’t required to authenticate itself at all.

SSL uses port 443. As of July 2018, it’s mandatory that every website install an SSL certificate to encrypt its connections.


What is SSH?

SSH, or Secure Shell, is similar to SSL in that they’re both PKI based and both form encrypted communication tunnels. But whereas SSL is designed for the transmission of information, SSH is designed to execute commands. You generally see SSH when you want to log in to some part of a network remotely.

SSH uses port 22 and also requires client authentication. After all, the ability to run commands requires a certain level of permission, so, obviously, you need to confirm the identity of the individual trying to log in.

So, long story short: SSL is for securing internet connections between websites and their visitors; SSH is for running commands via remote access.

Ok, NOW, drive home safely.

What is SSL or TLS Perfect Forward Secrecy?


A look at perfect forward secrecy in SSL with TLS 1.3

If you’re here because you want to understand what “forward secrecy SSL” or “SSL perfect forward secrecy” means, then you’ve come to the right place. Perfect forward secrecy is a now-mandatory component of SSL/TLS. Starting in TLS 1.3, all key exchange methods must be ephemeral Diffie-Hellman families — not RSA, which doesn’t support perfect forward secrecy.

What is Forward Secrecy in SSL / TLS and How Does It Work?

So, what is perfect forward secrecy? First, let’s talk about key exchange. Historically, key exchange has been performed using RSA asymmetric encryption. This method had a number of problems — hence its removal in TLS 1.3 — including padding oracle attacks and something called Bleichenbacher’s CAT (don’t ask). The biggest may be its lack of ephemerality, though.

An ephemeral key exchange is one that allows for the regular rotation of the session keys. This is necessary for perfect forward secrecy and is impossible with RSA. That’s owed to the fact that RSA uses massive keys and transacts in huge prime numbers that are expensive to compute. The toll it takes on a website’s servers makes ephemeral RSA schemes impractical at best (also, impossible).

Diffie-Hellman key exchange, specifically its elliptic curve-based variants, is much easier to compute and allows for regular key rotation. It also facilitates SSL perfect forward secrecy, which depends on regular key rotation. Perfect forward secrecy ensures that even if the private key associated with a site’s SSL certificate is ever compromised, the session keys cannot be deciphered, even though that private key plays a role in the generation of those session keys.

Normally, when your private key is compromised, it means that everything is compromised. The attacker will have no problem deriving keys from previous sessions and decrypting the information. SSL/TLS perfect forward secrecy prevents that, adding an additional layer of security to each session key beyond the computational hardness provided by the private key.
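The difference described above can be seen in a small simulation. This is an added example, not code from the original article: it is a simplified model of the two key exchange styles (not a TLS implementation) with deliberately tiny toy parameters, and all names in it are illustrative. It records one session of each kind and then shows what a later theft of the certificate's private key exposes.

```python
import hashlib
import secrets

# Toy parameters (assumption for this example): far too small for real use.
DH_P, DH_G = 2**127 - 1, 3                 # Mersenne prime as the DH modulus
RSA_P, RSA_Q = 2**89 - 1, 2**107 - 1       # two Mersenne primes
N, E = RSA_P * RSA_Q, 65537                # server's long-term public key
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key


def kdf(secret):
    """Derive a session key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()


def rsa_key_transport_session():
    """Client encrypts the premaster secret under the certificate key."""
    premaster = secrets.randbelow(N - 2) + 2
    transcript = {"enc_premaster": pow(premaster, E, N)}  # what a wiretap records
    return transcript, kdf(premaster)


def ephemeral_dh_session():
    """Both sides use throwaway DH keys; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2    # client ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2    # server ephemeral secret
    client_share, server_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = hashlib.sha256(server_share.to_bytes(16, "big")).digest()
    signature = pow(int.from_bytes(digest, "big") % N, D, N)
    transcript = {"client_share": client_share,
                  "server_share": server_share,
                  "server_sig": signature}
    shared = pow(server_share, a, DH_P)
    assert shared == pow(client_share, b, DH_P)
    return transcript, kdf(shared)         # a and b are discarded here


def keys_exposed_by_stolen_key(transcript, d=D, n=N):
    """Session keys obtainable by applying the stolen long-term private key
    to every value in a recorded transcript."""
    return {kdf(pow(value, d, n)) for value in transcript.values()}


if __name__ == "__main__":
    rsa_log, rsa_key = rsa_key_transport_session()
    dh_log, dh_key = ephemeral_dh_session()
    print("RSA key transport exposed:", rsa_key in keys_exposed_by_stolen_key(rsa_log))
    print("Ephemeral DH exposed:     ", dh_key in keys_exposed_by_stolen_key(dh_log))
```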

When Does SSL Perfect Forward Secrecy Become Effective?

Starting with TLS 1.3, all SSL/TLS implementations will use perfect forward secrecy. It’s also advised that you stop using RSA key exchange and switch to an ephemeral Diffie-Hellman family in TLS 1.2 to enable forward secrecy there, too. If you’re running on a server that doesn’t currently support it, try updating your SSL/TLS software library to see if that helps. If not, it may be time to change servers.
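One way to act on this advice is to audit a server's configured cipher suites for entries that lack forward secrecy. The following is an added example, not from the original article: the helper names and the sample list are constructed, and the classification relies only on the standard OpenSSL and IANA cipher suite naming conventions. It also builds a Python `ssl` server context restricted to ephemeral suites.

```python
import re
import ssl

# Suites whose key exchange is ephemeral (EC)DH, in OpenSSL or IANA naming.
_EPHEMERAL = re.compile(r"^(?:TLS_)?(?:ECDHE|DHE|EDH)[-_]")


def is_forward_secret(name):
    """True if the named cipher suite uses an ephemeral Diffie-Hellman exchange."""
    if name.startswith("TLS_") and "_WITH_" not in name:
        # TLS 1.3 suite names carry no key exchange: it is always ephemeral.
        return True
    return bool(_EPHEMERAL.match(name))


def audit(names):
    """Return the configured suites that do NOT provide forward secrecy."""
    return [name for name in names if not is_forward_secret(name)]


def forward_secret_context():
    """Server-side context limited to TLS 1.2+ with ephemeral ECDH suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample of a mixed server configuration.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",              # OpenSSL name, ephemeral ECDH
    "AES256-GCM-SHA384",                        # OpenSSL name, RSA key exchange
    "DHE-RSA-AES256-GCM-SHA384",                # OpenSSL name, ephemeral DH
    "TLS_AES_128_GCM_SHA256",                   # TLS 1.3
    "TLS_RSA_WITH_AES_128_GCM_SHA256",          # IANA name, RSA key exchange
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  # IANA name, ephemeral ECDH
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",        # IANA name, static ECDH
]

if __name__ == "__main__":
    print("Suites without forward secrecy:", audit(SAMPLE_SUITES))
    enabled = [c["name"] for c in forward_secret_context().get_ciphers()]
    print("Hardened context leaves:", audit(enabled) or "only forward-secret suites")
```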
