Set Up: Learn about SSL and TLS in cPanel
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocol that provide data encryption and authentication between servers, machines and applications over a network (for example, a browser connecting to a website).
How it works?
Every SSL/TLS connection begins with a “handshake” – the negotiation between two parties (for example, browser and web server) that determines how their communication will be encrypted.
This handshake verifies the identity of the two parties, determines what cipher suite will be used, and establishes a secure connection. All these are done before the actual transfer of data.
Say, you’re visiting a secure website on the Internet:
- The browser attempts to connect to the secured website. This is also known as Client Hello. By doing so, the browser is telling the web server that it would like to set up an encrypted session and gives the web server a list of cipher suites and SSL/TLS versions they can use.
- The web server then sends the browser responds with a Server Hello, along with its SSL certificate, a public key, cipher settings and SSL version number.
- The browser then authenticates the server certificate: Is it valid? Did it come from a trusted party? And does the name on the certificate match the name of the website? Once verified, the browser will use the public key to create a pre-master key and send it back to the web server.
- The web server then uses its private key to decrypt the pre-master key, and uses it to create the master key. The web server then sends the browser a digitally signed acknowledgement to signify the start of the SSL encrypted session.
- From this point on, all data transferred or shared between the browser and the web server will be encrypted using the master key.
Yes, all this happens every time you direct your browser to a secured website.
How important is an SSL/TLS Certificate?
The main purpose of an SSL/TLS Certificate is to encrypt information so that it can only be read and understood by the intended parties.
Information submitted over the Internet often passes through more than one computer before reaching its final destination, making it vulnerable and insecure. As we have learned in the section above, an SSL certificate encrypts the data using a master key that’s only shared between the intended server and the browser. This way, should the data fall in the wrong hands at any stops along the way, it will be unreadable and useless.
If you are running an online store and you want to accept online payment, you will need to have an SSL certificate – it is required for Payment Card Industry compliance. Other reasons and benefits of having a SSL/TLS Certificate:
- Added brand power
- Build customer trust
- Protect both customer and internal data
- A secured HTTPS website gets stronger Google ranking
- Google Chrome will start showing "Not Secure" warning when users enter data on a Non-SSL web page starting in October 2017
Does my website need an SSL/TLS Certificate?
Not all websites need SSL/TLS.
Consider these scenarios:
- You sell products – if you are taking credit card payments directly on your website, you will need an SSL/TLS certificate
- You collect personal information – if you are collecting personal information (such as email address, names, mailing address, etc.) on your website, then SSL would be a good idea.
- You offer memberships – if you run a membership website (or have a Members-Only section) then SSL might be a good idea, especially when many members are very likely to use the same login username and password combinations on other websites.
- You run a blog or online photo gallery – if your website is only a blog or photo gallery with no products, no membership and no exchange of sensitive information, then SSL is probably not needed.
- You run an online product catalog and all orders are taken offline – if you are not accepting any payment or personal information online, then you can probably get away without an SSL certificate.
How will my customers know I have an SSL/TLS Certificate?
There are a couple ways your visitors can tell if you have an SSL/TLS Certificate on your website:
- They will notice that the http in the address line is replaced with https.
- They will see a small padlock in the address.
When you purchase an SSL/TLS Certificate, you also get a site seal that you can add onto your website.
The details of your SSL/TLS certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the padlock symbol.
In addition to HTTPS, SSL/TLS can also be used to secure other application-specific protocols such as SMTP.
What if I don’t want to use an SSL/TLS Certificate?
If you don’t want to use an SSL or TLS Certificate, communications on your website (for example, between your visitor and your server) can easily become a party line for eavesdroppers.
If no sensitive, personal or payment information is sent through your website, then it is totally acceptable not to use an SSL or TLS Certificate.
However, if there is an exchange of such information on your website, then all data will be sent in plain text and there is no guarantee that it will not be fallen into the wrong hands, such as hackers.
Where can I purchase a SSL/TLS Certificate?
The Doteasy Unlimited Hosting and Business Hosting plans support SSL/TLS Certificates.
If you are subscribed to any one of our Business Hosting plans, your account comes with a free SSL Certificate. Simply contact us and we will get it registered and installed for you.
If you are subscribed to the Doteasy Unlimited Hosting plan, you can purchase an SSL Certificate for your domain name and we will install it for you. Doteasy offers the GeoTrust QuickSSL Premium certificates. However, if you already have an SSL/TLS Certificate registered or if you prefer to purchase it elsewhere, you can easily install your certificate in your account’s cPanel.
We also offer a shared SSL Certificate option to all Doteasy Unlimited Hosting accounts. In this setup, the SSL Certificate is registered under the name of the web server and is shared by all accounts on that web server. Using a shared certificate will offer the encryption capability without having to purchase your own certificate. But because the certificate is not registered under your domain name, your secure website will not be https://yourdomain.com. Instead, your encrypted website will use a special URL, under the server name.
SSL Certificate or TLS Certificate, does it matter which one I get?
While the terms SSL and TLS are often used interchangeably or in conjunction with each other, there is a difference between them: vulnerabilities, cipher suites and browser security warnings. SSL is the predecessor to TLS, and its latest version (SSL version 3.0) is nearly 15 years old. TLS is the continuation of SSL, and is subsequently more secure and fixes more vulnerabilities present in SSL.
But wait - there is no need to panic nor to replace your existing SSL Certificates with TLS Certificates.
Certificates are not the same as protocols and certificates are not dependent on protocols. In other words, you don’t need to use a TLS Certificate vs. an SSL Certificate. Whenever you see the phrase SSL/TLS Certificate, it means “Certificates for use with SSL and TLS.”