That being said, this post is intended to address the most common questions that we get regarding HTTPS and SSL.
What is SSL (HTTPS)?
SSL is the technology used to encrypt communication between your computer and the website you're visiting, and to ensure trust (the certainty that the website you're on is who they say they are). This allows sensitive information such as banking details, usernames and passwords, and private conversations to be securely exchanged between your computer and the website without risk of attackers viewing or stealing that information.
How does SSL work?
As we established earlier, SSL has two main parts: trust and encryption. Let's take a closer look at both.
The encryption part is achieved using a concept called "Public-Key Cryptography", and it relies on a pair of files (a certificate and a key) that are stored on the web server.
These are special files that contain the name of the website being secured, and a pair of very long mathematically linked numbers, which form a "key pair". One of the files is called the "Private Key", and should never be shared with people accessing the site, while the other file is the "Public Key" (called the Certificate when we're dealing with SSL) and can be freely shared. Both files are stored together on the web server, but only the Public Key (Certificate) is sent to the users who access the site.
Using this Public Key, your users' web browsers are able to encrypt the data they send to your server in such a way that only the Private Key is able to decrypt and read it. As a result, even if a malicious person was somehow able to intercept this data in transit they would not be able to read it.
Now let's talk about the trust part. Certificate trust can be thought of as a chain that starts with the Certificate Authority (or CA), which is a company or entity that issues SSL Certificates (the pair of files we just discussed). Some well-known examples of these companies include Verisign, TRUSTe, Thawte, and Network Solutions, but there are many, many others.
The way a certificate establishes its "trustworthiness" is by declaring who issued it, and relying on the visitor's web browser to recognize that issuer. Web browsers and operating systems come pre-loaded with a list of recognized issuers and that list is kept up to date by automatic updates. When one of your end users visits your site, their browser downloads your certificate and compares the issuer to the list of ones it knows about. When it finds a match, it realizes that it can trust that certificate and your user sees the "green lock" in the address bar.
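As an added example (not part of the original post and not Vanilla's own tooling), the shell script below uses the openssl command-line tool to act out both parts described above: a certificate whose issuer is in the browser's list is accepted while one from an unlisted issuer is rejected, and data encrypted with the certificate's public key is read back with the private key. The CA names, the hostname community.example.test and the sample message are constructed, and the "browser" is simulated by openssl verify with a one-entry trust list.

```bash
#!/usr/bin/env bash
# Constructed demo: the CA names and community.example.test are made up.

# make_ca DIR NAME: create a Certificate Authority (private key + self-signed cert).
make_ca() {
  mkdir -p "$1" && openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert CA_DIR HOSTNAME OUT_DIR: site key pair plus a certificate signed by the CA.
issue_cert() {
  mkdir -p "$3" && openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3/site.key" -out "$3/site.csr" 2>/dev/null &&
  openssl x509 -req -in "$3/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$3/site.crt" 2>/dev/null
}

# browser_trusts TRUST_STORE CERT: true only if CERT's issuer is in TRUST_STORE.
browser_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# encrypt_for_site CERT IN OUT: encrypt using only the public key inside CERT.
encrypt_for_site() {
  openssl pkeyutl -encrypt -certin -inkey "$1" -in "$2" -out "$3" 2>/dev/null
}

# decrypt_on_server KEY IN: recover the plaintext with the private key.
decrypt_on_server() {
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  make_ca "$d/known" "Example Root CA"       # issuer the browser ships with
  make_ca "$d/unknown" "Unrecognized CA"     # issuer missing from the browser's list
  issue_cert "$d/known" community.example.test "$d/good"
  issue_cert "$d/unknown" community.example.test "$d/bad"
  for c in good bad; do
    browser_trusts "$d/known/ca.crt" "$d/$c/site.crt" \
      && echo "$c: issuer recognized" || echo "$c: issuer not recognized"
  done
  printf 'password=hunter2' > "$d/msg"       # constructed sample data
  encrypt_for_site "$d/good/site.crt" "$d/msg" "$d/enc"
  echo "server reads: $(decrypt_on_server "$d/good/site.key" "$d/enc")"
  rm -rf "$d"
}
demo
```

Note that the encryption step only ever touches site.crt, which is why the certificate can be handed to every visitor while site.key stays on the server.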
Do I need SSL (HTTPS)?
In short, the answer to this question is yes—that is, yes if you want to ensure that your members' information is secure. Essentially, it's highly recommended that any site that requires a login use SSL, since it reduces data theft and provides the protection that your users expect of you.
And there's another big reason why you should add SSL: not having it can affect your rank on Google and other search engines. So in essence, when search engines crawl your website pages, if your URLs begin with HTTP instead of HTTPS, it'll factor into your SEO ranking, making your webpages harder to find.
Additionally, Chrome, Firefox and other browsers have begun issuing warnings that non-HTTPS sites are insecure. This is obviously something you want to avoid—you don't want your members landing in your community just to be welcomed by a warning saying that your site may not be secure. That's a sure way to lose members, and fast!
Trust is one of the most important factors in community building, and knowing that their data and personal details are secure is a key part of maintaining it.
Does Vanilla Support SSL (HTTPS)?
We have partnered with Cloudflare to offer simple SSL certificate issuing services to all of our customers. This means that we’re able to automatically issue SSL certificates for your community on your behalf once you set up a custom domain.
Once properly set up, your new custom domain hosted on Vanilla will automatically have an SSL Certificate generated and installed so that it can be served over HTTPS.
SSL certificates are automatically installed for both Vanilla URLs and custom domains. At Vanilla, we make it easy so you don't have to worry about it.
What do I do if I still have questions?
We have documentation on setting up SSL here.