Introduction to SSL

By | June 17, 2021

SSL stands for Secure Sockets Layer and is an encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL is the predecessor to the modern TLS encryption used today.

A website that implements SSL/TLS has “HTTPS” in its URL instead of “HTTP.”

How does an SSL certificate work?

These are the essential principles to grasp for understanding how SSL/TLS works:

  • Secure communication begins with a TLS handshake, in which the two communicating parties open a secure connection and exchange the public key
  • During the TLS handshake, the two parties generate session keys, and the session keys encrypt and decrypt all communications after the TLS handshake
  • Different session keys are used to encrypt communications in each new session
  • TLS ensures that the party on the server side, or the website the user is interacting with, is actually who they claim to be
  • TLS also ensures that data has not been altered, since a message authentication code (MAC) is included with transmissions

With TLS, both HTTP data that users send to a website (by clicking, filling out forms, etc.) and the HTTP data that websites send to users is encrypted. Encrypted data has to be decrypted by the recipient using a key.

TLS handshake

TLS communication sessions begin with a TLS handshake. A TLS handshake uses something called asymmetric encryption, meaning that two different keys are used on the two ends of the conversation. This is possible because of a technique called public key cryptography.

In public key cryptography, two keys are used: a public key, which the server makes available publicly, and a private key, which is kept secret and only used on the server side. Data encrypted with the public key can only be decrypted with the private key, and vice versa.

During the TLS handshake, the client and server use the public and private keys to exchange randomly generated data, and this random data is used to create new keys for encryption, called the session keys.

How does a website with an SSL certificate differ from a website without it?

You can easily find out if a site is using a secure connection just by looking at the address bar. A website with an SSL certificate will show a padlock (the design differs by browser).

More detailed information about the certificate can be found by clicking on the lock 🔒 at the left of the website address. A site without a certificate will be marked with a red warning in most browsers.

Do I need a separate certificate for each site?

Yes, each of your domains or subdomains will need its own SSL certificate.


My website is showing ERR_SSL_PROTOCOL_ERROR, what to do?

If you get the ERR_SSL_PROTOCOL_ERROR error, most likely there is something wrong with your SSL certificate.

If you have an SSL certificate installed and are still seeing this error, there are some things you can do:

  • Try to clear all of your browser history and cache or check the website through incognito mode
  • Use SSL Checker to check if your SSL certificate is valid. If it’s not, you need to contact your current SSL provider.
  • Temporarily disable antivirus and firewall programs

If you have done all the steps, and you are still seeing this error, please contact your current SSL provider.

What is mixed content?

With TLS (also known as SSL), Internet communication is encrypted, creating a more secure browsing experience. Users can easily identify TLS-encrypted sites because they have ‘https://’ in the URL instead of ‘http://’. But in some instances, an HTTPS site can also contain some elements that are loaded using the plaintext HTTP protocol. This creates a condition known as mixed content, sometimes referred to as ‘HTTP over HTTPS’.

With mixed content, users will be under the impression that they are on a secure, encrypted connection because they are on an HTTPS-protected site, but the unencrypted elements of the page create vulnerabilities, opening up those users to malicious activity such as unauthorized tracking and on-path attacks. The severity of the vulnerability depends on whether the mixed content is passive or active.
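
The passive/active distinction above can be checked mechanically. The following is an added example, not code from the original page: a small Python scanner that lists subresources an HTTPS page would fetch over plain HTTP and labels each one. The sample page, the `scan` function and the tag grouping are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags whose subresource can run code or restyle the page ("active") versus
# tags that only display media ("passive"); value is the URL attribute.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page served from https://domain-name.com/
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://domain-name.com/">
<link rel="stylesheet" href="http://domain-name.com/wp-content/themes/x/style.css">
<script src="https://domain-name.com/wp-includes/js/jquery.js"></script>
<script src="HTTP://domain-name.com/wp-content/plugins/p/app.js"></script>
</head><body>
<a href="http://domain-name.com/about">About</a>
<img src="http://domain-name.com/wp-content/uploads/logo.png">
<img src="//domain-name.com/wp-content/uploads/banner.png">
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for subresources fetched over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheets are fetched as subresources; rel=canonical is not.
            if "stylesheet" in a.get("rel", "").lower().split():
                self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))
        # <a href="http://..."> is navigation, not a subresource, so it is ignored.

    def _check(self, kind, tag, url):
        # Protocol-relative URLs ("//host/...") inherit https and are not flagged.
        if url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `scan(SAMPLE_PAGE)` reports the stylesheet and the script as active and the logo image as passive; the canonical link, the anchor and the protocol-relative image are not reported.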

How to fix mixed content error in WordPress?

After you install the SSL certificate and force the HTTPS protocol, the mixed content issue can appear on the website. This displays a “Not fully secure” warning next to the domain in the URL bar.

Mixed content means that the page is trying to load images or other content through links that start with HTTP. To fix this, edit all the links on your page so that they start with HTTPS instead.

If you are using the Elementor plugin, simply go to Elementor Tools, and on the Replace URL page enter your domain address with HTTP and with HTTPS.

After this, the Mixed content issue will be fully resolved. If you don’t have Elementor, check the options below:

Method 1 – Install Really Simple SSL plugin

  • Log in to your WordPress dashboard and click on Plugins → Add New
  • Install and activate a plugin named Really Simple SSL. Then go to Settings → General
  • Change the address of your blog from http:// to https://

Method 2 – Install Better Search & Replace plugin

Install the plugin Better Search & Replace, then open Tools → Better Search Replace.

  • In the Search for field, enter the domain’s name with HTTP, for example, http://domain-name.com
  • In the Replace with field, enter the domain’s name with HTTPS, for example, https://domain-name.com
  • Tick Select all the tables, untick Dry Run, and press the button Do Search & Replace

Method 3 – Insert a code to your .htaccess file

If the first two methods didn’t help, you can also open your public_html/.htaccess file (or create it if it doesn’t exist yet) and insert the code below:

Header always set Content-Security-Policy "upgrade-insecure-requests"

Save the changes and reload your website – it should now load fully secured 💪.


How to install free SSL?

Let’s Encrypt introduced free SSL certificates quite some time ago. This made it possible for website owners to offer an encrypted HTTPS connection to their visitors totally free of charge. To set it up, follow the steps below:

Step 1 – Register at sslforfree.com

Go to the website sslforfree.com, type in your website URL and press Create Free SSL Certificate.

After this, register a new account.

Step 2 – Generate a certificate

Double-check your domain name and click Next.

Choose a 90-Day Certificate (the 1-year option is paid) and pick the Free plan on the final step. When the certificate is successfully generated, you will receive a message confirming this.

Note: Keep in mind that a free plan offers only three 90-day certificates.

Step 3 – Verify domain ownership

There are 3 options for verifying your domain ownership – we strongly recommend the HTTP File Upload method, as it is the fastest.

The process is the same for all hosts. I am using Hostinger Hosting, so I will show you the procedure for that.

For this method, download the requested file, then open Hosting → Manage → File Manager of your domain.

In public_html, create a folder .well-known (don’t miss the dot at the beginning), and another folder pki-validation inside it.

Upload the file you downloaded previously using drag-and-drop or the Upload Files button.

Most important: now click on the link provided in the instructions.

You should be able to open the file at this address. Then click Next.

After this open your hPanel, Hosting → Manage → DNS Zone Editor, and insert sectigo in the search field. The record we are looking for is a CAA record with values:

Name   Flag   Tag     CA Domain     TTL
#      0      issue   sectigo.com   14400

If you don’t see such a record, create it.
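
The CAA record matters because a CA looks up the CAA records closest to the name it is asked to certify and refuses to issue if another CA is listed there. The following is an added example, not part of the original post or of any hosting panel: a Python sketch of that check for non-wildcard names. The sample zone, the subdomain names and the function names are constructed for illustration; only the sectigo.com record comes from the table above.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone; only the sectigo.com record mirrors the page.
SAMPLE_ZONE = '''
domain-name.com.        14400 IN CAA 0 issue "sectigo.com"
shop.domain-name.com.   14400 IN CAA 0 issue "letsencrypt.org"
locked.domain-name.com. 14400 IN CAA 0 issue ";"
'''


def parse_caa(zone_text):
    """Parse 'name TTL IN CAA flag tag "value"' lines into {name: [(flag, tag, value)]}."""
    rrsets = {}
    for line in zone_text.splitlines():
        f = shlex.split(line)
        if len(f) == 7 and f[3].upper() == "CAA":
            name = f[0].rstrip(".").lower()
            rrsets.setdefault(name, []).append((int(f[4]), f[5].lower(), f[6]))
    return rrsets


def relevant_rrset(rrsets, fqdn):
    """Climb from the FQDN toward the root; the closest name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in rrsets:
            return rrsets[name]
    return []


def ca_may_issue(rrsets, fqdn, ca_domain):
    """Non-wildcard check: may ca_domain issue a certificate for fqdn?"""
    rrset = relevant_rrset(rrsets, fqdn)
    # A critical (flag bit 128) record with an unknown tag forbids issuance.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in rrset):
        return False
    issue = [value for _, tag, value in rrset if tag == "issue"]
    if not issue:
        return True  # no "issue" property: CAA places no restriction
    # Parameters may follow the CA domain after ';'; a bare ";" allows no CA.
    allowed = {value.split(";")[0].strip().lower() for value in issue}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    zone = parse_caa(SAMPLE_ZONE)
    for host in ("www.domain-name.com", "shop.domain-name.com", "locked.domain-name.com"):
        print(host, ca_may_issue(zone, host, "sectigo.com"))
```

In the sample zone, www.domain-name.com inherits the sectigo.com record from its parent, while shop.domain-name.com has its own record naming a different CA, so verification for that subdomain would fail until the record is changed.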


Wait a few minutes and go back to the certificate validation page. Click on Verify.


Step 4 – Download and Install your SSL certificate

Choose the default type and download the archive with your certificate.

You will see 3 files there:

  • private.key;
  • certificate.crt;
  • ca_bundle.crt.

Open Hosting → Manage → SSL to install the certificate.

NOTE: As this SSL certificate expires in 3 months, you will need to repeat the certificate generation and installation every 3 months.

If the installation seems too difficult for you, or you don’t want to repeat the process every 3 months, you can always purchase the Lifetime SSL.
