Best Free Security Tools and Tips

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a server and a client, usually a web server and a browser, but it can also be a mail server and a mail client.

Without encryption, information is sent in plain text. If someone is able to intercept the data, they can see and use it. So entering a credit card number or login information on an unsecured site is dangerous and must be avoided. A secured site’s address starts with “https”, as my site’s does. Browsers also show the “padlock” icon.

To enable an SSL connection, a website requires an SSL Certificate (CRT). The CRT contains information about the domain, company, address, city, state, and country. It also stores the expiration date and details of the Certification Authority (CA) responsible for issuing the certificate.

When a browser connects to a secure site it retrieves the site’s CRT and checks that it has not expired, that it was issued by a CA the browser trusts, and that it is being used by the website for which it was issued. If any one of these checks fails, the browser displays a warning to the end user that the site is not secure.

Let’s Encrypt is a free, automated, and open CA. However, demonstrating ownership of a domain requires running software that uses the ACME protocol on the server, which needs shell access. For the non-techies, SSL for Free, FreeSSLCertificate, and ZeroSSL are sites that make the entire process much easier. These services have one issue: the Let’s Encrypt certificate, for all its good intentions, expires after only 3 months, after which it has to be renewed. CloudFlare offers free SSL if you use their service, and renewal is automatic.

Here’s how to generate the CSR using cPanel. ZeroSSL’s CSR Generator can be used as well. It has an option to create a 4096- or 2048-bit key; 2048 bits works like a charm.

If you are technically knowledgeable, a CSR can be produced using OpenSSL on the local PC.

Creating a CSR also generates a cryptographic key pair: a private key and a public key. Anything encrypted with the public key can only be decrypted using the private key, and vice versa. The private key must be kept secret at all times; not even the CA sees it.

The resulting downloadable CSR file, which also contains the public key, is then submitted to the CA, who in turn validates it and issues the CRT. To validate the domain, the file-based option is easier, as one only needs to upload a text file. After the CRT is generated, download it as a “Server Certificate” with a .pem extension.

When the CRT is installed on the site, the server matches it with the private key. If they match, the website will be able to establish encrypted and secure communication with the visitor’s browser. Here are instructions for installing the CRT in cPanel. It’s possible to supply just the CRT and private key and skip the CA Bundle entry.

To check whether the SSL certificate installed properly, use SSL Shopper’s SSL Checker. SSL Labs has an SSL Server Test tool that provides comprehensive information that other tools don’t show.

Safari is quite strict when it comes to security certificates; in case of an “untrusted” error, just disable the TLS 1.0 and 1.1 protocols.

To spare yourself the hassle of the entire process, most web hosts with cPanel or WHM offer AutoSSL with Let’s Encrypt support. If there’s an issue with SSL, for example the certificate has expired, just remove the existing cert via SSL/TLS, then Manage SSL Sites in cPanel. After removing the defective cert, go to SSL/TLS Status, select the domain and run AutoSSL.

Now that the site is secured, all HTTP traffic should be redirected to HTTPS. Do this by adding the following as the first rewrite rule in the .htaccess file found in the “public_html” directory:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

To fix the mixed content issue, just add this tag in the head section:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

To resolve Shopify’s Ajax cross-domain restriction, use an app proxy. When creating an app, take note to always use the full pair when defining scopes; I use this PHP code for generating tokens.

If the website hosts resources that are shared with the public, such as a CSS or JavaScript library, there’s a need to ensure that these files haven’t been tampered with or compromised. One way to do this is with Subresource Integrity (SRI). SRI Hash and Report URI generate the hash and the tag from the resource URL provided.

Before using SRI, enable Cross-Origin Resource Sharing (CORS) on the server by adding this line to .htaccess:

Header set Access-Control-Allow-Origin "*"

More snippets specific to different web servers are available at Enable CORS.
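Here is an added example, not code from this site or from SRI Hash or Report URI, of what those generators produce and what the browser does with it: it computes the integrity value for a resource, emits the tag, and re-checks fetched bytes the way a browser would, including the rule that only the strongest listed algorithm counts. The resource body and URL are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Digest algorithms the SRI spec allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Build the integrity value, e.g. 'sha384-<base64>', for a resource body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Emit the <script> tag; crossorigin='anonymous' makes the browser fetch
    the file with CORS, which is why the server must send the CORS header."""
    return (f'<script src="{src}" integrity="{sri_digest(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def sri_check(content: bytes, integrity: str) -> bool:
    """Mimic the browser's check: parse the integrity attribute, keep only the
    digests of the strongest algorithm listed, and accept the fetched bytes if
    any of those digests matches. Unparseable metadata means no check at all,
    exactly as in browsers, so a mistyped attribute silently protects nothing."""
    parsed = []
    for token in integrity.split():
        algorithm, sep, value = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, value.split("?", 1)[0]))  # drop ?options
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    expected = sri_digest(content, strongest).partition("-")[2].encode("ascii")
    return any(hmac.compare_digest(expected, value.encode("utf-8"))
               for algorithm, value in parsed if algorithm == strongest)


if __name__ == "__main__":
    # Constructed sample resource standing in for a library hosted on the site.
    library = b"window.greet = function () { return 'hello'; };\n"
    print(script_tag("https://www.example.com/js/greet.js", library))
```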

To put authentication in place for a protected resource, use JSON Web Tokens. The site provides a list of libraries to use. Here’s a simple tutorial using PHP and jQuery.

If you use Mautic and can’t log in because you forgot the password and it isn’t able to send email, you may use this bcrypt generator to generate a new password hash and store it in your database. Works like magic.

Password problems? Have you already decided on what password to use? If not yet, no worries. A password is no small thing: choose an easy one and your account might be compromised in a few minutes. To help secure your online accounts, check out the cool resources below.

Read guides on how to create the “perfect” password here, here and here.

RandomKeyGen is a password and key generator, useful when a secret key is needed. It can generate Fort Knox quality keys.

So now that you have a password in mind, how would you know that it is really “strong”? Kaspersky has a password strength checker that’s fun to use. You enter the password and it gives you an estimate of how long it can withstand a brute force attack. Mine will take more than 3 centuries, haha.

If you are lazy like me and don’t want to sweat over passwords, LastPass is an easy-to-use password manager that also has a password generator. There is no need to download software; just use their browser extension or add-on. Your passwords are stored on their cloud server. They have a free but limited account, which is still good enough. If you organize your passwords properly by folder, you can even use it as a personal landing page with all your online account links and open them in just 1 click. LastPass is now limited to only 1 device. A multi-device alternative is Bitwarden; the downside is that the personal free account can’t share passwords.

Another option is Norton Identity Safe.

As a rule of thumb, passwords for accounts that are very important, like your primary email and online banking or financial services, are never stored online. You need to remember them. For anything else, there’s LastPass.

Check out these username generators from NordPass and LastPass.

What if you were hacked? How would you know? In light of all the news about big company sites being compromised, it’s good to be vigilant and find out whether you were a victim. Have I Been Pwned lets you know: just supply your username or email and it will search records of website breaches that have been made publicly available.

To remain anonymous while browsing the web, use Chrome’s Incognito or Firefox’s Private window. Tor is a network of virtual tunnels that prevents websites or apps from tracking or storing information about your surfing habits and whereabouts. It is robust software; in fact, it was developed by the US Navy itself.

Prey Project is a device protection service that keeps track of your phone, laptop, and tablet and protects the data on them. It even helps you find a device in case you lose it.

Affiliate Disclosure: This post may contain affiliate links. If you use these links to buy something we may earn a commission. Thank you.