Google recently took steps to nudge everyone to switch to ‘secure sites’. This has prompted more and more people to ask the same question: your existing web server can probably make its own SSL certificate in minutes, so why would you pay someone else to make one for you? To answer that, we first need to ask what an SSL certificate is and why you would need one at all.
Why Secure Your Website
When you type an address into your browser, or click on a link to a webpage, a few things occur. Actually, quite a lot of things occur in the background, but we will keep things simple for now.
Firstly, your browser builds a request for the page at a certain address and sends it out to the Internet. The request gets passed from server to server until it reaches the right address. The computer at the other end finds the page and sends it back to you. Your browser then reads and displays the page.
A Question of Trust
This would all be fine and dandy if we were living in an ideal world. However, we have to consider the chance that there are dodgy users out there looking to exploit us. As we have already pointed out, when we use the Internet, we are sending data out for Internet servers to pass around.
Imagine what might happen if one of those servers had been hacked. It could then pass copies of our data on to dodgy third parties. This might not seem very important when all we are doing is looking at cute kitten pics. The reality is that we use the Internet for a lot more these days. Would you want just anyone knowing the password you use to log in to your bank online? Or details of how much money is in your account?
Mistrust is the Answer
A way to stop third parties knowing what you are sending or receiving is to encrypt the data. When your browser sees that you are trying to communicate with a ‘secure’ website it behaves differently from the process above. Firstly, your browser asks the website for a ‘lock’ (in technical terms, the public key). An SSL Certificate is sent back with details of the ‘lock’. The website keeps the matching ‘key’ (the private key) to itself.
Your browser then uses the lock to encrypt anything it sends. All the data it then sends out on to the Internet appears to be gibberish. It can only be understood by the website at the other end, where the ‘key’ is used to decrypt the data. The same process is used to send pages back to your browser. So only you and the website you are using will know what you are sending or receiving.
Making Your Website Secure
To be able to send and receive encrypted data, your website needs an SSL Certificate. These can be bought from third parties or can usually be generated by your web server. That brings us back to the question of why you would pay someone else to make the lock for you.
The answer is connected to what your browser does when it receives the SSL Certificate. Your browser can contact whoever made the ‘lock’ and verify that it is genuine. If it sees that the ‘lock’ was made by a trusted company, the connection is shown as secure. However, if the browser sees that the ‘lock’ has been self-made, it won’t be treated the same way.
What Is So Bad About Self-Made SSL Certificates?
Imagine the same scenario as above, where an Internet server has been hacked. When your browser sees you trying to visit a secure site, it sends out a request for the SSL Certificate. The request is picked up by the dodgy server. The dodgy server can then watch for the ‘lock’ being sent back. It can send its own self-made ‘lock’ to you and keep the real one for itself.
So when you send your data to the website, it is encrypted using the dodgy lock. As this gets passed over the Internet, the dodgy server can decrypt the data and read it. It then uses the genuine lock it kept for itself to encrypt the data again before passing it on to the real website. Anything sent back in the other direction can be intercepted in the same way.
This is why browsers will not class self-made SSL Certificates as trustworthy. The browser will still encrypt any data you send, but it will warn you that the certificate can’t be trusted. Whereas if the SSL Certificate has been made and verified by a known authority, it will be shown as trustworthy.
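To make the browser's check from the two sections above concrete, here is an added example in Go (not code from the original article) using only the standard library: it builds a small trusted CA, a certificate that CA issued for www.example.com, and a self-made certificate for the same name, then runs each through the same chain-and-hostname check a browser performs. The CA name and hostnames are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert builds a certificate for name: self-signed when parent is nil (the
// article's self-made 'lock'), otherwise issued by parent as a trusted CA would.
func MakeCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // a server 'lock' is only valid for the hostname it names
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // sign with our own key unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAgainst does what a browser does with a received certificate: chain it
// to a root in the trust store and check it is valid for host. nil means trusted.
func VerifyAgainst(cert, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

The CA-issued certificate verifies cleanly, the self-made one fails with an unknown-authority error (the browser's warning), and the CA-issued certificate presented for a different hostname fails the name check.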
The whole point of making your website secure is so that users can trust their information will be kept safe and private. This is negated if their browser is telling them the lock hasn’t come from a trustworthy source.