Enabling HTTPS on Your Servers

TL;DR

  • Create a 2048-bit RSA public/private key pair.
  • Generate a certificate signing request (CSR) that embeds your public key.
  • Share your CSR with your Certificate Authority (CA) to receive a final certificate or a certificate chain.
  • Install your final certificate (and any intermediate certificates the CA supplies) in a non-web-accessible place such as /etc/ssl (Linux and Unix) or wherever IIS requires it (Windows), and keep the private key readable only by root and the server process.

Generating keys and certificate signing requests

This section uses the openssl command-line program, which comes with most Linux, BSD, and Mac OS X systems, to generate private/public keys and a CSR.

Generate a public/private key pair

Let’s start by generating a 2,048-bit RSA key pair. A smaller key, such as 1,024 bits, no longer offers an adequate margin against factoring attacks (and public CAs will not issue certificates for it). A larger key, such as 4,096 bits, is overkill for a server certificate and makes every handshake slower. Over time, key sizes increase as computer processing gets cheaper; 2,048 is currently the sweet spot. (An ECDSA P-256 key is a widely supported alternative with faster handshakes; the rest of this guide assumes RSA.)

The private key is the secret the whole deployment rests on: generate it under a restrictive umask (for example umask 077) so the file is created readable only by its owner, never place it in a web-accessible directory, and never send it to anyone, including the CA.

The command to generate the RSA key pair is:

openssl genrsa -out www.example.com.key 2048

This gives the following output (recent OpenSSL releases print less, or nothing at all):

Generating RSA private key, 2048 bit long modulus
.+++
.......................................................................................+++
e is 65537 (0x10001)

Generate a certificate signing request

In this step, you embed your public key and information about your organization and your website into a certificate signing request or CSR. The openssl command interactively asks you for the required metadata.

Running the following command:

openssl req -new -sha256 -key www.example.com.key -out www.example.com.csr

Outputs the following:

You are about to be asked to enter information that will be incorporated
into your certificate request

What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:California
Locality Name (for example, city) []:Mountain View
Organization Name (for example, company) [Internet Widgits Pty Ltd]:Example, Inc.
Organizational Unit Name (for example, section) []:Webmaster Help Center Example Team
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

To inspect the CSR and confirm it carries the names and public key you expect, run this command (adding -verify also checks the CSR’s self-signature):

openssl req -text -in www.example.com.csr -noout

And the response should look like this:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=California, L=Mountain View, O=Example, Inc., OU=Webmaster Help Center Example Team, CN=www.example.com/emailAddress=webmaster@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:fc:58:e0:da:f2:0b:73:51:93:29:a5:d3:9e:
                    f8:f1:14:13:64:cc:e0:bc:be:26:5d:04:e1:58:dc:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         5f:05:f3:71:d5:f7:b7:b6:dc:17:cc:88:03:b8:87:29:f6:87:
         2f:7f:00:49:08:0a:20:41:0b:70:03:04:7d:94:af:69:3d:f4:
         ...
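The same steps, done from a script rather than by answering prompts, as an added example that is not part of the original guide. It writes the private key with owner-only permissions, puts every hostname into the CSR’s Subject Alternative Name (the bare example.com alongside www.example.com here; hostnames, directory and DN values are placeholders), and then checks that the CSR’s self-signature verifies, that its public key matches the private key, and that the SAN contains the hostname:

```shell
#!/bin/sh
# Added example (not from the original guide): the key/CSR steps above, done
# non-interactively with a subjectAltName covering every hostname the certificate
# must serve, followed by checks that the CSR is well-formed and matches the key.
# Directory, hostnames and DN values are placeholders; adjust them for your site.
set -eu

# make_key_and_csr DIR FQDN [EXTRA_NAME ...]
# Writes DIR/FQDN.key (mode 0600) and DIR/FQDN.csr. The CSR's SAN lists FQDN plus
# every extra name, because browsers match hostnames against SAN, not CN.
make_key_and_csr() {
  dir=$1; fqdn=$2; shift 2
  # Restrictive umask: the private key must never be readable by other users.
  ( umask 077; openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null )
  san="DNS:$fqdn"
  for name in "$@"; do san="$san,DNS:$name"; done
  # A small req config replaces the interactive prompts and works on any
  # OpenSSL/LibreSSL (the -addext shortcut needs OpenSSL 1.1.1 or later).
  cfg="$dir/$fqdn.cnf"
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = CA
ST = California
L = Mountain View
O = Example, Inc.
CN = $fqdn
[v3_req]
subjectAltName = $san
EOF
  openssl req -new -sha256 -key "$dir/$fqdn.key" -config "$cfg" -out "$dir/$fqdn.csr"
}

# key_mode DIR FQDN: permission string of the private key, e.g. -rw-------
key_mode() { ls -l "$1/$2.key" | cut -c1-10; }

# csr_sans DIR FQDN: the DNS names in the CSR's subjectAltName, one per line
csr_sans() {
  openssl req -in "$1/$2.csr" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# check_csr DIR FQDN: succeeds only if the CSR's self-signature verifies, its public
# key is the one in DIR/FQDN.key, and its SAN contains FQDN.
check_csr() {
  dir=$1; fqdn=$2
  openssl req -in "$dir/$fqdn.csr" -noout -verify >/dev/null 2>&1 || return 1
  key_mod=$(openssl rsa -in "$dir/$fqdn.key" -noout -modulus)
  csr_mod=$(openssl req -in "$dir/$fqdn.csr" -noout -modulus)
  [ "$key_mod" = "$csr_mod" ] || return 1
  csr_sans "$dir" "$fqdn" | grep -qx "$fqdn"
}

# Stand-alone run: a CSR for www.example.com that also covers example.com.
work=$(mktemp -d)
make_key_and_csr "$work" www.example.com example.com
check_csr "$work" www.example.com && echo "CSR OK; send $work/www.example.com.csr (never the .key) to the CA"
```

Send only the .csr file to the CA. The modulus comparison is the check to run whenever a CSR or certificate turns up somewhere unexpected: if it differs from the key on the server, the CA will happily issue a certificate that the server can never use.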

Submit your CSR to a certificate authority

Different certificate authorities (CAs) require different methods for sending them your CSRs. Methods may include using a form on their website, sending the CSR by email, or something else. Some CAs (or their resellers) may even automate some or all of the process, in some cases including key pair and CSR generation; prefer to generate the key yourself, because a key created elsewhere has already left your control before you receive it.

Send your CSR to the CA, and follow their instructions to receive your final certificate or certificate chain. Only the CSR leaves your server; the private key never does.

Different CAs charge different amounts of money for the service of vouching for your public key.

There are also options for mapping your key to more than one DNS name: either several distinct names (e.g. all of example.com, www.example.com, example.net, and www.example.net) listed in the certificate’s Subject Alternative Name (SAN) extension, or “wildcard” names such as *.example.com. Whichever you choose, every name must appear in the SAN: current browsers match the hostname against the SAN only and ignore the Common Name.

For example, one CA currently offers these prices:

  • Standard: $16/year, valid for example.com and www.example.com.
  • Wildcard: $150/year, valid for example.com and *.example.com.

At these prices, wildcard certificates are cheaper once you have ten or more subdomains; otherwise, you can just buy one or more single-name certificates. (If you have more than, say, five subdomains, you might find a wildcard certificate more convenient when you come to enable HTTPS on your servers.) Bear in mind that a wildcard certificate’s single private key has to be present on every host that serves any of those subdomains, so compromising one of them exposes all of them.

Copy the certificates (your server certificate followed by the CA’s intermediate certificates, in that order) to all your front-end servers in a non-web-accessible place such as /etc/ssl (Linux and Unix) or wherever IIS (Windows) requires them.

Enable HTTPS on your servers

Enabling HTTPS on your servers is a critical step in providing security for your web pages.

  • Use Mozilla’s Server Configuration tool to set up your server for HTTPS support.
  • Regularly test your site with the Qualys’ handy SSL Server Test and ensure you get at least an A or A+.

At this point, you must make a crucial operations decision. Choose one of the following:

  • Dedicate a distinct IP address to each hostname your web server serves content from.
  • Use name-based virtual hosting.

If you have been using distinct IP addresses for each hostname, you can easily support both HTTP and HTTPS for all clients.

However, most site operators use name-based virtual hosting to conserve IP addresses and because it’s more convenient in general. The problem with IE on Windows XP and Android earlier than 2.3 is that they do not understand Server Name Indication (SNI), which HTTPS name-based virtual hosting depends on: without SNI the server cannot tell which hostname is wanted until after the handshake, so such clients are shown the default certificate and see a hostname-mismatch error.

Someday—hopefully soon—clients that don’t support SNI will be replaced with modern software. Monitor the user agent string in your request logs to know when enough of your user population has migrated to modern software. (You can decide what your threshold is; perhaps < 5%, or < 1%.)

If you don’t already have HTTPS service available on your servers, enable it now (without redirecting HTTP to HTTPS; see below). Configure your web server to use the certificates you bought and installed. You might find Mozilla’s handy configuration generator useful.

If you have many hostnames/subdomains, they each need to use the right certificate.
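Before copying a certificate into /etc/ssl and pointing a virtual host at it, it is worth checking that it is the right one. The following is an added example, not part of the original guide: it verifies that the certificate’s public key matches the private key on this host, that it validates against the CA chain file, that it will not expire within 30 days, and that its Subject Alternative Name covers the hostname being configured (a one-label wildcard counts). The paths are placeholders, and make_test_chain builds a throwaway CA and leaf purely so the checks can run offline; with a real CA you use the certificate and chain it returned.

```shell
#!/bin/sh
# Added example (not from the original guide): checks to run on a certificate before
# copying it to /etc/ssl and pointing the web server at it. Paths are placeholders.
# make_test_chain builds a throwaway CA and leaf so the checks can be exercised
# offline; with a real CA you use the certificate and chain file the CA returned.
set -eu

# make_test_chain DIR FQDN: self-signed test CA plus a 90-day leaf for FQDN
make_test_chain() {
  dir=$1; fqdn=$2
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/O=Test CA/CN=Test Root" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null )
  openssl req -new -sha256 -key "$dir/$fqdn.key" -subj "/O=Example Inc/CN=$fqdn" \
    -out "$dir/$fqdn.csr"
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 90 -in "$dir/$fqdn.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
    -out "$dir/$fqdn.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: the public key in the certificate is the one in KEY
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# chain_verifies CRT CHAIN: CRT validates against the CA certificates in CHAIN
# (the root plus intermediates the CA gave you)
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# valid_for_days CRT N: the certificate will still be valid N days from now
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# covers_host CRT HOST: HOST is in the SAN, exactly or via a one-label wildcard
covers_host() {
  sans=$(openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
  printf '%s\n' "$sans" | grep -qxF -e "$2" -e "*.${2#*.}"
}

# preflight DIR FQDN: run every check; one line per check, fails if any check fails
# (paths are word-split, so they must not contain spaces)
preflight() {
  rc=0
  for c in "cert_matches_key $1/$2.crt $1/$2.key" \
           "chain_verifies $1/$2.crt $1/ca.crt" \
           "valid_for_days $1/$2.crt 30" \
           "covers_host $1/$2.crt $2"; do
    if $c; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}

work=$(mktemp -d)
make_test_chain "$work" www.example.com
preflight "$work" www.example.com
```

Run preflight once per hostname: the virtual host for assets.example.com needs a certificate whose SAN covers that name, and the key-match check catches the common mistake of copying a renewed certificate next to last year’s key.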

Now, and throughout your site’s lifetime, check your HTTPS configuration with Qualys’ handy SSL Server Test. Your site should score an A or A+; treat anything that causes a lower grade as a bug. (Today’s A is tomorrow’s B, because attacks against algorithms and protocols are always improving!)

Make intrasite URLs relative

Now that you are serving your site on both HTTP and HTTPS, things need to work as smoothly as possible, regardless of protocol. An important factor is using relative URLs for intrasite links.

Make sure intrasite URLs, and the URLs of third-party resources you embed, are agnostic to protocol; that is, use relative paths or leave out the protocol, as in //example.com/something.js. (Links to other sites are a separate case; see below.)

A problem arises when you serve a page via HTTPS that includes HTTP resources, known as mixed content. Browsers warn users that the full strength of HTTPS has been lost. In fact, in the case of active mixed content (script, plug-ins, CSS, iframes), browsers often simply won’t load or execute the content at all, resulting in a broken page. And remember, it’s perfectly OK to include HTTPS resources in an HTTP page.

Additionally, when you link to other pages in your site, users could get downgraded from HTTPS to HTTP.

These problems happen when your pages include fully-qualified, intrasite URLs that use the http:// scheme.

Not recommended — We recommend you avoid using fully qualified intrasite URLs.

<h1>Welcome To Example.com</h1>
<script src="http://example.com/jquery.js"></script>
<link rel="stylesheet" href="http://assets.example.com/style.css"/>
<img src="http://img.example.com/logo.png"/>
<p>A <a href="http://example.com/2014/12/24/">new post on cats!</a></p>

In other words, make intrasite URLs as relative as possible: either protocol-relative (lacking a protocol, starting with //example.com) or host-relative (starting with just the path, like /jquery.js).

Recommended — We recommend that you use relative intrasite URLs.

<h1>Welcome To Example.com</h1>
<script src="/jquery.js"></script>
<link href="/styles/style.css" rel="stylesheet"/>
<img src="/images/logo.png"/>
<p>A <a href="/2014/12/24/">new post on cats!</a></p>

Recommended — Or, you can use protocol-relative intrasite URLs.

<h1>Welcome To Example.com</h1>
<script src="//example.com/jquery.js"></script>
<link href="//assets.example.com/style.css" rel="stylesheet"/>
<img src="//img.example.com/logo.png"/>
<p>A <a href="//example.com/2014/12/24/">new post on cats!</a></p>

Recommended — We recommend that you use HTTPS URLs for intersite URLs (where possible).

<h1>Welcome To Example.com</h1>
<script src="/jquery.js"></script>
<link href="/styles/style.css" rel="stylesheet"/>
<img src="/images/logo.png"/>
<p>A <a href="/2014/12/24/">new post on cats!</a></p>
<p>Check out this <a href="https://foo.com/">other cool site.</a></p>

Do this with a script, not by hand. If your site’s content is in a database, test your script on a development copy of your database. If your site’s content consists of simple files, test your script on a development copy of the files. Push the changes to production only after the changes pass QA, as normal. You can use Bram van Damme’s script or something similar to detect mixed content in your site.

When linking to other sites (as opposed to including resources from them), don’t change the protocol since you don’t have control over how those sites operate.

If your site depends on scripts, images, or other resources served from a third party, such as a CDN or jquery.com, you have two options:

  • Use protocol-relative URLs for these resources, or better, https:// URLs, which stay encrypted even while the embedding page is still served over HTTP. If the third party does not serve HTTPS, ask them to. Most already do, including jquery.com.
  • Serve the resources from a server that you control, and which offers both HTTP and HTTPS. This is often a good idea anyway, because then you have better control over your site’s appearance, performance, and security. In addition, you don’t have to trust a third party, which is always nice.
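A scripted pass over the HTML, as an added example rather than the guide’s own or Bram van Damme’s script, covering the two jobs above: rewriting fully qualified http:// intrasite URLs to host-relative or protocol-relative form, and listing embedded resources (script, link, img, iframe and the like) that still use http:// and would be blocked or flagged as mixed content. The domain and file names are placeholders and the sample page is constructed from the “Not recommended” markup above; run it against a development copy first, as the guide says.

```shell
#!/bin/sh
# Added example (not from the original guide): a scripted pass over HTML files that
# rewrites fully qualified http:// intrasite URLs to the relative forms shown above and
# reports any http:// resources (script, link, img, iframe, ...) that would be mixed
# content. Domain and file names are placeholders; run it on a development copy first.
set -eu

# find_mixed_content FILE: lists src/href attributes of embedded resources that still
# use http://; succeeds only if there are none. Plain <a href> links are navigation,
# not mixed content, so they are not reported.
find_mixed_content() {
  found=$(grep -Eo '<(script|link|img|iframe|source|video|audio|object|embed)[^>]*' "$1" \
            | grep -Eo '(src|href)="http://[^"]*"' || true)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# fix_intrasite_urls FILE DOMAIN: http://DOMAIN/ and http://www.DOMAIN/ become
# host-relative (/path); http://sub.DOMAIN/ becomes protocol-relative (//sub.DOMAIN/path).
# URLs on other domains are left alone. The original is kept as FILE.orig.
fix_intrasite_urls() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')          # escape dots for the regex
  cp "$1" "$1.orig"
  sed -E -e "s#http://(www\.)?$esc/#/#g" \
         -e "s#http://([A-Za-z0-9.-]+\.$esc)/#//\1/#g" "$1.orig" > "$1"
}

# Constructed sample page: the "Not recommended" markup plus an external link.
work=$(mktemp -d)
cat > "$work/index.html" <<'EOF'
<h1>Welcome To Example.com</h1>
<script src="http://example.com/jquery.js"></script>
<link rel="stylesheet" href="http://assets.example.com/style.css"/>
<img src="http://img.example.com/logo.png"/>
<p>A <a href="http://example.com/2014/12/24/">new post on cats!</a></p>
<p>Check out this <a href="http://foo.com/">other cool site.</a></p>
EOF

find_mixed_content "$work/index.html" || echo "mixed content found, rewriting"
fix_intrasite_urls "$work/index.html" example.com
find_mixed_content "$work/index.html" && echo "clean"
cat "$work/index.html"
```

The external link to http://foo.com/ is deliberately untouched, matching the advice above not to change the protocol of sites you do not control; run find_mixed_content again after the rewrite and on every deploy, since a single http:// script tag is enough to break the page.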

Redirect HTTP to HTTPS

Most web servers offer a simple redirect feature. Use 301 (Moved Permanently) to indicate to search engines and browsers that the HTTPS version is canonical, and redirect your users from the HTTP version of your site to the HTTPS version. (A 302 or 307 would keep clients coming back to the http:// URL first.)

Also put a canonical link in the head of each page to tell search engines that HTTPS is the best way to get to your site: set <link rel="canonical" href="https://…"/> tags in your pages.

Turn on Strict Transport Security and secure cookies

At this point, you are ready to “lock in” the use of HTTPS.

  • Use HTTP Strict Transport Security (HSTS) so that browsers go straight to HTTPS, which also avoids the cost of the 301 redirect.
  • Always set the Secure flag on cookies.

First, use Strict Transport Security to tell clients that they should always connect to your server via HTTPS, even when following an http:// reference. This defeats attacks such as SSL stripping, and also avoids the round-trip cost of the 301 redirect that we enabled in Redirect HTTP to HTTPS.

Turn on HSTS by setting the Strict-Transport-Security header on HTTPS responses; browsers ignore it when it arrives over plain HTTP, so a user’s very first visit still relies on the redirect. OWASP’s HSTS page has links to instructions for various server software, and most web servers offer a similar ability to add custom headers. Start with a short max-age while you confirm that everything works over HTTPS, then raise it to at least a year (31536000 seconds). Add includeSubDomains only once every subdomain serves HTTPS, because the policy will then apply to all of them, and treat the preload directive as effectively permanent.

It is also important to make sure that clients never send cookies (such as for authentication or site preferences) over HTTP. For example, if a user’s authentication cookie were to be exposed in plain text, the security guarantee of their entire session would be destroyed, even if you have done everything else right!

Therefore, change your web application to always set the Secure flag on cookies that it sets (and the HttpOnly flag on any cookie that scripts do not need to read). This OWASP page explains how to set the Secure flag in several application frameworks. Every application framework has a way to set the flag.
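An offline audit of the three settings above, as an added example that is not part of the original guide: it takes captured response headers and checks for a 301 from http:// to https://, a Strict-Transport-Security header with a max-age of at least one year plus includeSubDomains, and the Secure attribute on every Set-Cookie. The sample responses are constructed here, not captured from any real server; to audit a live site, feed it the output of curl -sI http://www.example.com/ and curl -sI https://www.example.com/ (hostname assumed).

```shell
#!/bin/sh
# Added example (not from the original guide): an offline audit of captured response
# headers for the three settings above: a 301 from http:// to https://, an HSTS header
# with a long max-age, and the Secure flag on every cookie. The sample responses are
# constructed here, not captured from any real server; to audit a live site capture
# them with  curl -sI http://www.example.com/  and  curl -sI https://www.example.com/
set -eu

# hdr RESPONSE NAME: value(s) of header NAME, case-insensitively, CR stripped
hdr() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | sed 's/^[^:]*:[[:space:]]*//' || true
}

# redirects_to_https RESPONSE: status is 301 and Location is an https:// URL.
# (302/307 keep browsers and crawlers coming back to the http:// URL first.)
redirects_to_https() {
  status=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}')
  [ "$status" = 301 ] || return 1
  case "$(hdr "$1" Location)" in https://*) return 0 ;; esac
  return 1
}

# hsts_ok RESPONSE: Strict-Transport-Security present with max-age of at least one
# year and includeSubDomains. Browsers only honour HSTS received over HTTPS, so run
# this on the https:// response.
hsts_ok() {
  v=$(hdr "$1" Strict-Transport-Security)
  age=$(printf '%s' "$v" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 31536000 ] || return 1
  printf '%s' "$v" | grep -qi 'includesubdomains'
}

# insecure_cookies RESPONSE: prints the name of every Set-Cookie lacking the Secure
# attribute (attribute names are case-insensitive); succeeds only if there are none.
insecure_cookies() {
  bad=$(hdr "$1" Set-Cookie | grep -Eiv ';[[:space:]]*secure[[:space:]]*(;|$)' | cut -d= -f1 || true)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# audit HTTP_RESPONSE HTTPS_RESPONSE: one line per check; fails if any check fails
audit() {
  rc=0
  if redirects_to_https "$1"; then echo "ok   http:// -> 301 -> https://"; else echo "FAIL http:// should 301 to https://"; rc=1; fi
  if hsts_ok "$2"; then echo "ok   HSTS"; else echo "FAIL HSTS: need max-age>=31536000; includeSubDomains"; rc=1; fi
  if bad=$(insecure_cookies "$2"); then echo "ok   cookies carry Secure"; else echo "FAIL cookies without Secure: $bad"; rc=1; fi
  return $rc
}

# Constructed samples: a good http:// redirect, a weak https:// response, a fixed one.
HTTP_GOOD=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n')
HTTPS_WEAK=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\nSet-Cookie: session=abc123; Path=/; HttpOnly\r\nSet-Cookie: lang=en; Path=/; Secure\r\n')
HTTPS_GOOD=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\nSet-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n')

echo "--- before:"; audit "$HTTP_GOOD" "$HTTPS_WEAK" || true
echo "--- after:";  audit "$HTTP_GOOD" "$HTTPS_GOOD"
```

The weak response fails twice: its max-age of 300 seconds is fine for a first deployment but far too short to lock anything in, and the session cookie, the one that matters, is the one without Secure. Re-run the audit from a cron job so a later configuration change that drops the header is noticed.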

Migration concerns

Many developers have legitimate concerns about migrating from HTTP to HTTPS. The Google Webmasters Team has some excellent guidance available.

Search ranking

Google uses HTTPS as a positive search quality indicator. Google also publishes a guide for how to transfer, move, or migrate your site while maintaining its search rank. Bing also publishes guidelines for webmasters.

Performance

When the content and application layers are well-tuned, the remaining TLS performance concerns are generally small, relative to the overall cost of the application. Additionally, you can reduce and amortize those costs. (For great advice on TLS optimization and generally, see High Performance Browser Networking by Ilya Grigorik.) See also Ivan Ristic’s OpenSSL Cookbook and Bulletproof SSL And TLS.

In some cases, TLS can improve performance, mostly as a result of making HTTP/2 possible. Chris Palmer gave a talk on HTTPS and HTTP/2 performance at Chrome Dev Summit 2014.

Referer headers

When users follow links from your HTTPS site to other HTTP sites, user agents don’t send the Referer header (the default policy suppresses it on a downgrade from HTTPS to HTTP). If this is a problem, there are several ways to solve it:

  • The other sites should migrate to HTTPS. Once the sites you link to have completed the “Enable HTTPS on your servers” section of this guide, you can change links on your site to theirs from http:// to https://, or you can use protocol-relative links.
  • To work around a variety of problems with Referer headers, use the Referrer Policy standard.

Because search engines are migrating to HTTPS, in the future you are likely to see more Referer headers when you migrate to HTTPS.

Ad revenue

Site operators that monetize their site by showing ads want to make sure that migrating to HTTPS does not reduce ad impressions. But because of mixed content blocking, an HTTP <iframe> doesn’t work in an HTTPS page. There is a tricky collective action problem here: until advertisers publish over HTTPS, site operators cannot migrate to HTTPS without losing ad revenue; but until site operators migrate to HTTPS, advertisers have little motivation to publish over HTTPS.

Advertisers should at least offer ad service via HTTPS (such as by completing the “Enable HTTPS on your servers” section on this page). Many already do. You should ask advertisers that do not serve HTTPS at all to at least start. You may wish to defer completing “Make intrasite URLs relative” until enough advertisers interoperate properly.

Why HTTPS Matters

You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users’ personal information, HTTPS is a requirement for many new browser features, particularly those required for progressive web apps.

TL;DR

  • Intruders both malignant and benign exploit every unprotected resource between your websites and users.
  • Many intruders look at aggregate behaviors to identify your users.
  • HTTPS doesn’t just block misuse of your website. It’s also a requirement for many cutting-edge features and an enabling technology for app-like capabilities such as service workers.

HTTPS protects the integrity of your website

HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.

Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.

Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML … they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.

HTTPS protects the privacy and security of your users

HTTPS prevents intruders from being able to passively listen to communications between your websites and your users.

One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.

HTTPS is the future of the web

Powerful, new web platform features, such as taking pictures or recording audio with getUserMedia(), enabling offline app experiences with service workers, or building progressive web apps, require explicit permission from the user before executing. Many older APIs are also being updated to require permission to execute, such as the geolocation API. HTTPS is a key component to the permission workflows for both these new features and updated APIs.


Website Speed Optimisation

What makes my page load time?


WordPress Speed Optimisation Service

We deliver the most complete WordPress Speed Optimisation Service, allowing you perfect scores (over 90%, a Class A rating).

When a request for a page is made, the Front-end and Server-side components both take a certain amount of time to complete their operations. Since their operations are essentially sequential, their cumulative time can be considered the total page load time.

Even after you’ve optimized your Front-end, speed gains can still be achieved by optimizing the Server-side. This means optimizing the way the page is generated by your server.

A good indicator of your Server-side performance is the time it takes to generate the HTML page (page generation time). This is labeled as “Waiting” time on the first element in the waterfall graph (also known as the “time to first byte”). Generally, this time should be kept under one second (or as low as possible).

How Can I Make the Server-side Faster?

There are many causes to a slow server-side, but they can essentially be grouped into two categories:

  • Inefficient code or SQL.
  • Bottlenecks or a slow server.
  • No WordPress speed optimisation techniques employed.

Since each site has a unique platform and setup, the solution to these issues is dependent on each site. One site might need to have their server-side code optimized, but another might just need a more powerful server. Budget constraints may also come into play, as optimizing server-side code for minor speed gains might be more affordable than upgrading servers for massive speed gains.

It’s best to truly understand your requirements before pursuing a server-side option path.

Solutions

We know how to deliver a perfect score WordPress Speed Optimisation Service. The following optimizations are commonly used by us to improve server-side speed:

Code Optimization

Media PRO Web Design Galway uses programming languages like PHP, Perl, Python, or JavaScript, usually teamed up with databases like MySQL, PostgreSQL, or Microsoft SQL Server, to build software such as WordPress, Drupal, Magento and all sorts of custom platforms.

This software is usually fairly optimized out of the box, but there are often many customizations to the code or plugins that cause slow performance as a result of inefficient code or un-optimized database queries.

Code optimization involves analyzing the code and database queries and finding the spots where the code is inefficient and where database queries are slow. After finding these “hotspots,” it’s the job of a developer to fix those problems. For code, this often involves finding a better algorithm or modifying the code to work around a bottleneck (ie. hard disk space or I/O, bandwidth, etc). For databases, this may involve adding indexes to speed up the query, rewriting the query or modifying the structure of the database.

Also, a proper speed optimisation service can help your website rank better in Google and ease your SEO efforts. We have the leading SEO service in Galway City.

Page Caching

Most websites today are dynamic, meaning that they pull from a database of information, insert the pulled data into templates, and then serve them to you. This happens every time somebody requests a page from the server, and the time it takes to perform this process is dependent on the efficiency of the code and the power of said servers.

Without Page Caching


Since the server is handling thousands of requests for the same page, and is essentially “building” the same page every time, why not build the page once, and send that “pre-built” version to anybody that requests it? This is referred to as page caching.

With Page Caching

If the server gets a request for page it has previously generated, it sends that version back immediately. That version is the “Cached” page.

Sending your users “cached” versions of pages is like giving them photocopies of a flyer. It’s much faster for you to give them photocopies than redrawing and writing the content each time somebody asks for one.

Page caching can be a very effective means of speeding up the generation of a page, but it also has its downsides:

  • Pages that require authentication can’t be cached (as they often contain user information on them).
  • Changes to pages don’t show up until the page cache has expired.

More Powerful Servers

Let’s define two popular terms in the hosting world:

  • Shared Hosting or Virtual Hosting: This means that including your website, the server hosts many websites. All these websites share its processing power and resources.
  • Dedicated Hosting: You are the only user on the server. The server’s processing power and resources are dedicated solely to your website(s).

The Issues With Shared Hosting

Shared hosting is the most affordable, and can be reliably used for starter sites or development purposes.

However, when an enterprise level site matures to the point where traffic is ramping up, a shared server cannot offer much in terms of speed enhancements.

How Dedicated Hosting Compares


Larger sites may require multiple dedicated servers (clusters) that play different roles (database querying, media serving, etc.) to generate a faster page load. These servers are built for performance, and so their specifications are quite powerful.

Dedicated servers are typically reserved for higher-traffic, resource intensive websites (you won’t need one for a small website about your cat) and are higher in cost than shared servers. They are a must, however, for enterprise-level websites and businesses where their website is mission-critical. Meanwhile we can bring your shared hosting account close to this performance with our WordPress Speed Optimisation Service.

Results

In combination with a speedy front-end, optimizing your Server-side performance can yield amazing results for your page load time. WordPress Speed Optimisation Service available for hire right here on our website. We can do this for you. Generally, the page generation time for complex dynamic sites can be kept under 1 second.

We take care of absolutely all factors mentioned here so it is time for you to avail of our great WordPress Speed Optimisation Service.