This is part 2 of an on-going series of posts, where we’ll break down the various vectors of attack in further detail and provide best practices for dealing with each.
- User Accounts
- Data Transmission
- Application Software
- Database and Filesystem Access
- Backups
- Web Server Software
- Server Management Software
- Physical Server Hardware
Overview
The process of visiting a website is surprisingly complicated – it involves the browser software and operating system of the user, potentially dozens of hops between various networks, routers and servers, and eventually, the destination server that hosts the website or application. Data flows back-and-forth between the user’s browser and the server throughout the duration of the browsing session, hopping between all those other devices each time. Depending on how you’ve configured your website, all of this data could be exposed to snooping or manipulation by third parties. Let’s explore how this process works and what you can do to secure this data.
How web servers talk
There are many layers in the networking model, but the ones we’re concerned with in this article are the HTTP and HTTPS communication protocols.
HTTP stands for HyperText Transfer Protocol, and can be thought of as the shared language between a user’s browser and the server. Since they speak the same language, they can send requests and responses to each other, resulting in the interactive experience we’re accustomed to on the web.
One downside of HTTP is that these requests and responses are sent in clear text, meaning any party between the user’s browser and the destination server is able to read this information, and possibly manipulate it before passing it along. However, a push by browser vendors and web standards bodies in recent years has moved the industry to a more secure version of the protocol, known as HTTPS, which is now the de facto standard.
A more secure version of HTTP
HTTPS stands for HyperText Transfer Protocol Secure, which is an extension of HTTP that uses encryption to secure the data between a user’s browser and the destination server. Encryption is a complicated and technical topic and we won’t go into a lot of detail here. The short explanation is that the data going between the user’s browser and the server is no longer in clear text, and it cannot be read or manipulated by anything sitting in between those parties. This is especially important when this data includes sensitive information, like credit card details when online shopping, financial information when viewing your bank accounts, or medical records when viewing health care portals.
As part of this push to HTTPS, browsers now display a “Not secure” message near the website’s URL if the site is being accessed over HTTP, and websites using HTTPS are given higher rankings in Google search results.
Certificates
In order to support HTTPS, the website owner needs to first install a TLS certificate (also commonly called an SSL certificate) on their server, which is used to create the secure connection to a user’s browser. These certificates can be purchased from certificate providers, or generated for free using Let’s Encrypt, a certificate authority sponsored by many of the largest internet companies.
Many hosting companies offer Let’s Encrypt integration to make the process as easy as clicking a single button, or otherwise have tools in place to let you install and manage certificates manually. And most hosted services, like Wix, Squarespace and Shopify, automatically configure HTTPS and install a certificate for you.
After installing the certificate, your web application needs to be set to use HTTPS, which can be as simple as changing your site’s address from http://example.com to https://example.com. The exact process is determined by the application running your website – below are articles that outline the steps for some of the most common self-hosted content management systems:
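Once the site’s address has been changed, plain-http visitors should land on the https version of the same page. The following is an added example, not code from the original post: it parses the raw HTTP response a server returns for an http:// request and checks that the redirect is permanent, switches to https, stays on the same host and keeps the requested path and query. The two responses are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: a sound redirect for http://example.com/shop?item=1
GOOD_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://example.com/shop?item=1\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: a redirect that stays on http and drops the path
BAD_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://example.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers


def check_https_redirect(original_url: str, raw_response: bytes) -> list:
    """Return a list of problems with the redirect; an empty list means it is sound."""
    problems = []
    status, headers = parse_response(raw_response)
    if status not in (301, 308):
        problems.append(f"status {status}: use a permanent redirect (301/308) so browsers remember it")
    location = headers.get("location")
    if location is None:
        return problems + ["no Location header: the visitor is left on plain HTTP"]
    src, dst = urlsplit(original_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"redirect target scheme is {dst.scheme!r}, not https")
    if dst.hostname != src.hostname:
        problems.append(f"redirect leaves the site for host {dst.hostname!r}")
    if (dst.path, dst.query) != (src.path, src.query):
        problems.append("redirect drops the requested path or query string")
    return problems


if __name__ == "__main__":
    for name, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, check_https_redirect("http://example.com/shop?item=1", raw) or "OK")
```

Run the checker against the response your own server gives for a plain-http URL (captured with a browser’s network tab or any HTTP client) to confirm the switch to HTTPS is complete.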
In Summary
We highly recommend configuring HTTPS on all websites – with prominent warnings in browsers, effects on search rankings, and improved tools to ease the installation and management of TLS certificates, supporting HTTPS is a no-brainer. It results in a better experience for users and ensures data remains secure as it’s transmitted between your server and users’ browsers. If you haven’t already switched to using HTTPS on your website, doing so is easier than ever and is becoming an increasingly important component in driving and retaining traffic to your site.
Next in the series: Application software
For our next post in the series, we’ll dig into securing the software running your website or application.