HTTPS = SSL
SSL, or HTTPS, is the term used to describe the encrypted transmission of data between the browser and the server. On the way, the data packets pass through many different computers: from the WLAN router, via the DSL provider and Internet exchange points, to the devices in the data center where, for example, the oekobox-online.de server is located.
Without encryption, all of these computers can read everything. It is not easy for anyone to get at the computers in our data centers, but with the WLAN access in a cafe it is easier.
The basic principle of this encryption is a mathematical procedure in which there are secret and public sequences of numbers. The public ones are managed and issued in the form of certificates, which are documents formatted in a very specific way.
Secure transmission is triggered by the https:// protocol in the web address. If everything works out, the lock is shown closed.
Even more customer trust can be achieved through extensions; for these you sometimes even have to go to a notary and identify yourself. Then the name is shown at the lock.
So what…?
The contents of my shopping cart… well, anyone may see that, right? There are many arguments that every individual communication (here: you with your seller) should remain private. But that takes us into somewhat political or philosophical territory.
A more tangible scenario is your password, which you also use for bank access, but in practice that is not so common.
But: the data can also be manipulated during retrieval. Here is an example:
As a customer you trust your organic shop and click on every link that is offered to you there, or you download a file labelled “our top products as zip-file!”. Inside is a virus that destroys your computer.
So we are all pissed off: you, because you have a virus, and the organic shop, because it is suspected of having a dirty website. Yet the virus did not come from the shop at all; it was injected on the way (in the cafe?).
This was just one example of the many cases in which SSL can help.
Why now?
The “big players” on the Internet have now taken the initiative. Not only are their own services accessible via SSL as a matter of principle; they also prefer partners whose content is likewise offered in encrypted form. This may apply to links on Facebook or to search results on Google.
Google (the Chrome Browser team) and Mozilla also want to warn about non-SSL sites soon, at first only when data is transmitted, but later also for the simple retrieval of pages. That is why we should tackle this in the next few months (if it has not already been done).
I have not pushed this topic very hard in the past for our installations, because implementing the idea properly can mean work:
SSL is more than just a certificate
The certificate is issued for a domain name. The content of a website, however, often no longer comes from just one domain (I recommend the LightBeam plugin for Firefox to anyone who wants to know more about this).
The browser only displays a closed (often green) lock if everything on the page is correct, i.e. all displayed content (images) and all non-displayed content (e.g. scripts for animations) arrives encrypted from providers with valid certificates.
In practice, this means work: many have a lot of content in CMS systems, which also contain many so-called absolute links. The web designer, too, has to work carefully. Fortunately, there are tools (e.g. HTTPS Checker) that help you find such links.
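To show what such a check looks for, here is an added example (not part of the original article and not the code of HTTPS Checker) that scans a page's HTML for content the browser would load over plain http. The function and class names, the active/passive labels and the example.* hosts are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, kind). Browsers usually treat "active" content
# (it can change the page) more strictly than "passive" content (only shown).
# <a href> is absent on purpose: a link is navigation, not loaded content.
LOADERS = {
    "script": ("src", "active"), "iframe": ("src", "active"), "link": ("href", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"), "video": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collects subresources an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in LOADERS:
            return
        attrs = dict(attrs)
        attr, kind = LOADERS[tag]
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are treated as loaded content here
        value = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative URLs inherit the page's https scheme.
        absolute = urljoin(self.page_url, value)
        if value and urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; all hosts are placeholders.
SAMPLE = """<head><link rel="stylesheet" href="http://cdn.example.net/shop.css">
<script src="//stats.example.org/t.js"></script></head>
<body><img src="http://www.example.com/img/apples.jpg"><img src="/img/logo.png">
<a href="http://www.example.com/about">About</a></body>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://www.example.com/", SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

On the sample page only the stylesheet and the first image are reported: these are the absolute http links that would keep the lock from closing.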
Not all certificates are supported by all end devices or servers (e.g. the shop server); this should be clarified before the purchase.
The best way to communicate with customers is via SSL, i.e. all links in mails should also point directly to the https page (as in this mail!). The commonly used approach of redirecting http addresses to https is not so good: after all, that first request can be manipulated, and because the process happens automatically, the visitor has no chance of noticing.
This means that in the end, no one should have a reason to call the http variant. You can also change your Google entry accordingly and set up technical tricks like HSTS.
SSL in the shop system
The shop system can always be reached via https. To do this, you only have to change the way it is called from within your web pages.
In the admin area, the links to the website can be added, as well as placeholders, content, etc.
Non-HTTPS references to images in the offer are automatically converted to internal links by the shop system and are thus also available in encrypted form, so there is no further work to be done here.
It will be more difficult for users who have integrated the shop under their own sub-domain (e.g. shop.schoenegge.de). Here, an individual solution must be found.
The new shop under construction will exclusively use SSL-protected content.
SSL is ongoing work; that is why the item “SSL support” has been on the price list for some time now.