Joomla Chicago CMS Group

TOPIC: Re:How to activate SSL on Joomla 1.xx - a Tutorial
#664
Tom Canavan (Admin)
Admin
Posts: 39
How to activate SSL on Joomla 1.xx - a Tutorial 10 Months, 2 Weeks ago  
Abstract:

A lot of questions arise about the security of websites and how to protect them. Amongst the questions is how to activate SSL on Joomla. There are a few good postings on the Joomla Forum; however, I thought I would share a more down-to-earth guide on SSL.

This posting will explain briefly what SSL is, how it works, what you need to purchase and the code necessary for your Joomla Site to activate it.

What is SSL?

For the best definition of SSL I went to the authority, SSL.com.

According to SSL.com:


"SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.

The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) - a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer's web browser."

I'll cover Public Key encryption in a later post; however, the short response on how it works is that a key is broken into two. One half of the key is stored publicly, and the other half you keep private.

When a browser visits the site, they use the public key and match it up to the private key and if they match, the site is validated and turned on with the ever-so-comforting https://

SSL is based on a 'trusted-third-party' vouching for you. In our example I will use GoDaddy.com to explain how to obtain, set up and use a certificate. Please keep in mind that GoDaddy is NOT the only one who can do this.

First gather tools, then make fire!

Log in to GoDaddy.com and purchase the certificate.

For our example we'll purchase the TURBO SSL certificate. This is a quick and low cost certificate that requires very little in the way of documentation to prove your identity.

Follow the steps on screen to activate and link your SSL cert to the domain / hosting of your account located at GoDaddy. I believe you can purchase certificates to be hosted elsewhere – see their site for more information.

After you provide all the information and set up the account, you will need to wait 24 to 72 hours. Ignore the screen – it's longer than 24 hours in most cases.

A couple of things will happen here.

1) They will put a "CSR", which is the actual certificate (encryption key, etc.) on your hosted account. You will not be able to see this directly.
2) They WILL change your IP address. So if you are using an FTP application to reach your site by IP rather than DOMAIN, you will need to change it.

After this process is done, you are SSL!

But wait --- I don't see the https:// or the lock symbol on my site!

Ah – yes – you have to 'tell' the browser and server to use the new certificate.

Open your .htaccess file up and add this near the top:

Code:

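# require SSL (these directives need mod_ssl)
SSLOptions +StrictRequire
SSLRequireSSL
# only accept requests addressed to this host name
SSLRequire %{HTTP_HOST} eq "domain.tld"
# send denied (non-SSL) requests to the HTTPS site
ErrorDocument 403 https://domain.tld
# require SSL without mod_ssl (these directives need mod_rewrite)
RewriteEngine On
# redirect any request that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]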


Replace the various fields with your domain information.

Now – when a visitor comes to your site, they will see it switch to https:// in the browser and the lock symbol will show up.

This simple installation is easy and gives your users a level of confidence that you are serious about security.

Until next time!

Tom Canavan
www.joomlarescue.com
 
T
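The key pair, CSR and certificate-to-key matching described in the SSL.com quote above, as an added example that is not part of the original thread. It assumes the `openssl` command-line tool is installed; `domain.tld` and the file names are placeholders, and a self-signed certificate stands in for the one a CA would issue.

```sh
#!/bin/sh
# Added example (not from the thread). domain.tld and the file names are
# placeholders; the self-signed certificate stands in for a CA-issued one.
workdir=$(mktemp -d)

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|crt FILE
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)   return 2 ;;
  esac
  [ -n "$pem" ] || return 1          # unreadable file: never report a match
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the certificate carries the public half of this private key.
key_matches_cert() {   # usage: key_matches_cert KEYFILE CERTFILE
  k=$(pubkey_digest key "$1") || return 1
  c=$(pubkey_digest crt "$2") || return 1
  [ "$k" = "$c" ]
}

# 1. The server creates the key pair and a CSR holding the public key and site details.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=domain.tld" \
  -keyout "$workdir/site.key" -out "$workdir/site.csr" 2>/dev/null

# 2. The CA signs the CSR and returns a certificate (self-signed here, offline).
openssl x509 -req -in "$workdir/site.csr" -signkey "$workdir/site.key" \
  -days 1 -out "$workdir/site.crt" 2>/dev/null

# 3. An unrelated key, to show what a mismatch looks like.
openssl genrsa -out "$workdir/other.key" 2048 2>/dev/null

echo "key: $(pubkey_digest key "$workdir/site.key")"
echo "csr: $(pubkey_digest csr "$workdir/site.csr")"
echo "crt: $(pubkey_digest crt "$workdir/site.crt")"
key_matches_cert "$workdir/site.key"  "$workdir/site.crt" && echo "site.key matches site.crt"
key_matches_cert "$workdir/other.key" "$workdir/site.crt" || echo "other.key does NOT match site.crt"
```

The three digests printed are identical because the CSR and the certificate both carry only the public key; the private key file never leaves the server.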
#1093
Rob Whitt (User)
JoomlaChicagoan
Posts: 13
Re:How to activate SSL on Joomla 1.xx - a Tutorial 6 Months, 2 Weeks ago  
Tom,

Good information there, but have any suggestions for users on IIS platforms that can't use .htaccess files?
 
It's never wise to mess with a wookiee
#1104
Tom Canavan (Admin)
Admin
Posts: 39
Re:How to activate SSL on Joomla 1.xx - a Tutorial 6 Months, 1 Week ago  
Hi Rob

That's an excellent question. Let me put a few things together today and I'll post them here.

But if at all possible - DON'T use IIS.
 
T
#1123
Rob Whitt (User)
JoomlaChicagoan
Posts: 13
Re:How to activate SSL on Joomla 1.xx - a Tutorial 6 Months ago  
I would like to not use IIS, but I am just a webmaster for a client that is using an application that only runs on IIS I am told, so IIS is a must.

I also think that as more and more people start using Joomla we will see more Windows/IIS implementations, and having searched for quality material on installing, running, securing, etc. on IIS, there is much to be desired.
 
It's never wise to mess with a wookiee