What is https and how to enable https for your website?

What's a good tutorial? "Good" means one written by someone who both understands the subject and, more importantly, doesn't try to teach everything at once. So let me tell you the minimum level of SSL understanding that you, as a web developer, should have. SSL (or TLS) actually serves a few purposes, but to understand why it exists we must first answer this question: how do you know that the website you've got in your address bar is the actual website you're talking to? How do you KNOW that when you type bilibili.com into a browser, your computer is actually talking to bilibili? Your browser requests the DNS records for the name from the name servers you are configured to trust. An IP address comes back, let's say 1.1.1.1. Your browser connects to that IP and sends a header telling the server you're looking for a host called bilibili.com, and the server gives you the web page you asked for based on that information. Several subjects here are each black holes of information; you can spend a lifetime devoted to just a few of them: HTTP, HTTPS, IP and DNS. This illustrates the problem.

So we should FIRST get a high-level understanding and not drill down on each just yet. Let's continue. Suppose someone had hacked the DNS server you use and told it to lie to you. Suppose you ask for the A record for the name and it tells you 2.2.2.2 rather than 1.1.1.1. Now you are talking to the wrong website, which may have intentionally made itself look like bilibili. So how can we stop this from happening?

We need a way to form a three-way relationship between us, that website and another service that we TRUST. We declare that this third party is responsible for making sure we're talking to the right website. Those third-party providers are already configured in your browser, right now. They are the authorities that tell you which bilibili is the right bilibili. But how does that authority know which one is real? Bilibili's servers are configured so that if you talk to them without SSL, they redirect you to their SSL port. The URL changes from http to https and they offer you a certificate. Your browser verifies that certificate with the third-party certificate authority, which tells your browser whether it's the real site or not. But again, how does that authority know that's the right certificate? Bilibili had to create a certificate request file on their server. That request is tied not to the IP address of the server but to the hostname. They send this file to the certificate authority, which issues an actual certificate based on that request file. The cert is next to useless by itself, but paired with the certificate authority vouching for it, you can be sure you're at the right site.
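To make the "certificate is tied to the hostname, not the IP" point concrete, here is an added example (not from the original post) of the check a browser performs once it has a certificate in hand: does one of the names in the cert match the host you typed? The two certificate dicts are constructed samples shaped like Python's `ssl.SSLSocket.getpeercert()` output, not real certificates; the chain-signature check against the trusted authorities is the other half, and the `verifying_context()` function shows the client settings that keep it switched on.

```python
import ssl

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output (not real certs).
# GENUINE_CERT is what the real site would present; LOOKALIKE_CERT is what a server
# at the "lying DNS" address 2.2.2.2 could legitimately obtain for its own name.
GENUINE_CERT = {
    "subject": ((("commonName", "bilibili.com"),),),
    "subjectAltName": (("DNS", "bilibili.com"), ("DNS", "*.bilibili.com")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "bilibili-login.example"),),),
    "subjectAltName": (("DNS", "bilibili-login.example"), ("DNS", "*.bilibili-login.example")),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName DNS entry against a hostname.
    A wildcard is honoured only as the entire leftmost label and never spans
    more than one label (the RFC 6125 rules browsers follow)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate names the host we typed. Only subjectAltName DNS
    entries count; commonName is ignored, as modern browsers do."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_match(name, hostname) for name in names)


def verifying_context() -> ssl.SSLContext:
    """Client settings to keep: chain verification against the trust store
    (CERT_REQUIRED) plus the hostname check. Turning either off re-opens the DNS-lie problem."""
    return ssl.create_default_context()


def decision(cert: dict, hostname: str) -> str:
    """What the browser does after the chain check passed: proceed or refuse."""
    return "proceed" if hostname_matches(cert, hostname) else "refuse: certificate is not for " + hostname


if __name__ == "__main__":
    print(decision(GENUINE_CERT, "bilibili.com"))
    print(decision(LOOKALIKE_CERT, "bilibili.com"))
```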

But what else is needed to make this a secure connection? Encryption. The data sent back and forth between your computer and bilibili's servers is not private by itself: anyone on the network path can view all of it, your password, everything. To prevent that, they redirect you to the SSL version of the site, which not only verifies the endpoints of the connection like we talked about but also encrypts the traffic. It hides all traffic in a coded form that can only be decrypted at the two ends. That means anyone can still see what you're doing, except now it's a jumbled mess and they have no way to unscramble it. If you understand just that amount of information about SSL, you won't need much else to be a competent web developer. You can choose to go deeper, but that's all you really need.

The problem I have when I am learning is that it's really difficult to find a simple explanation like that, and someone to tell you how much you actually NEED to learn.

https://letsencrypt.org/
