How Website SSL and HTTPS Work
Website SSL (Secure Sockets Layer), or as many people know it, HTTPS, is mainly used for identifying the web server and encrypting HTTP traffic. (Modern servers actually speak TLS, the successor of SSL, but the name SSL has stuck and is used throughout this series.) In this series of SSL blog posts we explain why you should use SSL, what the components of SSL (HTTPS) are, how they work and how to set up your WordPress to run on HTTPS using an SSL web server certificate.
Why Use SSL for WordPress Websites and Blogs
When visiting a website over plain HTTP, the traffic exchanged between your browser and the web server is sent in clear text. Therefore if a malicious third party intercepts the traffic exchanged between the two parties, for example on a shared Wi-Fi network or at any hop along the route, he or she can read everything that is exchanged, including authentication details.
As an example, when logging in to the WordPress dashboard (wp-admin section) without SSL, a malicious user who captures the HTTP traffic sent from your computer to your WordPress site can read your username and password straight out of the login request and log in to your WordPress as you. The same applies to every other type of information sent to a website that runs on HTTP rather than HTTPS, such as credit card details.
Therefore HTTP traffic should be encrypted with SSL whenever sensitive information is sent over the internet: when logging in to your WordPress wp-admin section or any other web application, when asking your customers to submit their hosting details (including credentials) via a web form, when asking your website visitors to submit payment details or donations, and so on. Keep in mind that once you are logged in, WordPress sends your authentication cookie with every subsequent request, so in practice the whole site, not just the login page, should run on HTTPS; otherwise a captured cookie lets an attacker take over your session without ever seeing the password.
How Website SSL and HTTPS Work
- When the browser opens a connection to a website running on HTTPS (using SSL), it asks the web server where the website is hosted to identify itself (in protocol terms it sends a "client hello" listing the protocol versions and ciphers it supports).
- The web server sends the browser a copy of its SSL certificate, together with any intermediate CA certificates needed to link that certificate to a root.
- The browser checks whether it trusts the SSL certificate: that it chains to a certificate authority in the browser's trust store, that it is within its validity period, and that the name in the certificate matches the hostname in the URL. If trusted, it sends a message to the web server to proceed with setting up the encryption. If it is not trusted, it alerts the user with a warning that there is something wrong with the certificate and the user can choose whether to proceed or not.
- Once the certificate is trusted, the two sides agree on a session key and the web server sends back a digitally signed acknowledgement that proves it holds the private key belonging to the certificate. From then on the SSL session is encrypted, so the traffic between the browser and the web server cannot be read by third parties when intercepted.
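The script below is an added example and not code from the original post. It reproduces steps 2 to 4 above with the openssl command-line tool: it creates a private certificate authority standing in for a trusted CA, issues a server certificate for the assumed hostname blog.example, and then performs the checks a browser makes (does the certificate chain to a trusted CA, is it within its validity period, was it issued for the site being visited). It shows why a self-signed certificate, or a valid certificate presented for a different hostname, triggers the warning from step 3; shows the private key signing data that only the public key inside the certificate can verify, which is the point of the signed acknowledgement in step 4; and finally encrypts a constructed wp-login.php request body with a session key so that the captured bytes no longer contain the password, which is the whole reason for the "Why Use SSL" section. The hostname, the CA name, the temporary file layout and the sample credentials are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post.  Everything is done with the
# openssl command-line tool; the hostname, CA name, file layout and sample
# login are assumptions made for the demonstration.
set -e

WORK=$(mktemp -d)
HOST=blog.example                      # assumed hostname of the WordPress site
CA_PEM=$WORK/ca.pem;         CA_KEY=$WORK/ca.key
SERVER_PEM=$WORK/server.pem; SERVER_KEY=$WORK/server.key
SELF_PEM=$WORK/self.pem;     SELF_KEY=$WORK/self.key

# A private certificate authority.  A browser trusts only certificates that
# chain to a CA in its root store; here that store is this single file.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Root CA" -keyout "$CA_KEY" -out "$CA_PEM" 2>/dev/null

# The web server's key pair and a certificate for $HOST issued by the CA
# (step 2: this certificate is what the server sends to the browser).
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$SERVER_KEY" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$CA_PEM" -CAkey "$CA_KEY" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/san.ext" \
    -out "$SERVER_PEM" 2>/dev/null

# A self-signed certificate for the same host: right name, valid dates, but
# issued by nobody in the trust store.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -keyout "$SELF_KEY" -out "$SELF_PEM" 2>/dev/null

# Step 3: the browser's decision.  openssl verify checks the signature chain
# up to the trust store, the validity period and (with -verify_hostname) that
# the certificate was issued for the site being visited.  Prints "trusted" or
# "untrusted"; the latter is where the browser shows its warning.
browser_trusts() {   # usage: browser_trusts <trust store> <certificate> <hostname>
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Step 4: the server signs handshake data with its private key and the browser
# verifies the signature with the public key inside the certificate.  A party
# holding the certificate but not the matching private key (a stolen copy, or
# a self-issued certificate for someone else's name) cannot produce a valid one.
signature_status() {   # usage: signature_status <certificate> <private key> <file>
    openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -sign "$2" -out "$WORK/sig.bin" "$3"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" "$3" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# After the handshake, traffic is encrypted with a symmetric session key that
# both sides derived during the handshake, not with the certificate's key pair.
# A random 256-bit value stands in for that derived key.
SESSION_KEY=$WORK/session.key
openssl rand -hex 32 > "$SESSION_KEY"

encrypt_request() {   # usage: encrypt_request <plaintext file> <ciphertext file>
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$SESSION_KEY" -in "$1" -out "$2"
}
decrypt_request() {   # usage: decrypt_request <ciphertext file>   (prints plaintext)
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$SESSION_KEY" -in "$1"
}

# Constructed sample: the body of a wp-login.php POST as it travels over plain
# HTTP, and the same request as an eavesdropper sees it over HTTPS.
LOGIN=$WORK/login.txt
printf 'log=admin&pwd=correct-horse-battery-staple\n' > "$LOGIN"
encrypt_request "$LOGIN" "$WORK/login.enc"

echo "CA-signed certificate for $HOST:        $(browser_trusts "$CA_PEM" "$SERVER_PEM" "$HOST")"
echo "Same certificate, visiting evil.example:  $(browser_trusts "$CA_PEM" "$SERVER_PEM" evil.example)"
echo "Self-signed certificate for $HOST:      $(browser_trusts "$CA_PEM" "$SELF_PEM" "$HOST")"
echo "Handshake signed with the server key:     $(signature_status "$SERVER_PEM" "$SERVER_KEY" "$LOGIN")"
echo "Handshake signed with some other key:     $(signature_status "$SERVER_PEM" "$SELF_KEY" "$LOGIN")"
echo "Password visible in captured HTTPS bytes: $(grep -q correct-horse "$WORK/login.enc" && echo yes || echo no)"
echo "Decrypted with the session key:           $(decrypt_request "$WORK/login.enc")"
```

Run it as a normal shell script with openssl (1.1.1 or newer) on the path; the three browser_trusts lines map directly onto the outcomes of step 3 (trusted, hostname mismatch, untrusted issuer), and the two signature_status lines show why a certificate is worthless to an impostor without its private key. Replace the private CA with a real trust store (for example the system CA bundle) to check a certificate you were actually issued.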
What is an SSL Web Server Certificate?
To be able to run a website on SSL and encrypt traffic, an SSL certificate needs to be installed on the web server. SSL web server certificates can be purchased from trusted certificate authorities (some certificate authorities also issue them free of charge). Alternatively one can generate a self-signed SSL web server certificate to encrypt HTTP traffic, at the cost of the browser warning described in step 3 above, since no browser trusts a certificate you signed yourself (for more information on the differences between commercial and self-signed SSL web server certificates, refer to the article Self-Signed SSL Certificate VS Commercial SSL Certificate). Typically, an SSL certificate includes the following information about the website you are visiting, and the browser uses it to verify the validity of the certificate as explained in steps 1 to 3 of the section above.
- Public key: Included in the certificate and available to anyone who connects. The browser uses it to verify the signature the server produces during the handshake and to protect the setup of the session key; the traffic itself is then encrypted with that symmetric session key rather than with the public key.
- Private key: The other half of the key pair. It is not part of the certificate and never leaves the web server; it is used to sign the handshake (and, with older key exchange methods, to decrypt what the browser encrypted with the public key). Whoever holds the private key can impersonate the site, so it must be kept readable only by the web server and never sent to anyone, including the certificate authority.