If you have ever done online banking, or logged into a site that started with an https prefix, you were on a site that was using SSL. Vanilla Forums can support your SSL needs too, and this post contains answers to the most common questions we get.
What is SSL (HTTPS)?
SSL is the technology used to encrypt communication between your computer and the website you're visiting, and to ensure trust (the certainty that the website you're on is who they say they are). This allows sensitive information such as banking details, usernames and passwords, and private conversations to be securely exchanged between your computer and the website without risk of attackers viewing or stealing that information.
How does SSL work?
As we established earlier, SSL has two main parts: trust and encryption.
The encryption part is achieved using a concept called "Public-Key Cryptography", and it relies on a pair of files (a certificate and a key) that are stored on the web server. These are special files that contain the name of the website being secured, and a pair of very long mathematically linked numbers, which form a "key pair". One of the files is called the "Private Key", and should never be shared with people accessing the site, while the other file is the "Public Key" (called the Certificate when we're dealing with SSL) and can be freely shared. Both files are stored together on the web server, but only the Public Key (Certificate) is sent to the users who access the site. Using this Public Key, your users' web browsers are able to encrypt the data they send to your server in such a way that only the Private Key is able to decrypt and read it. As a result, even if a malicious person were somehow able to intercept this data in transit, they would not be able to read it.
Now let's talk about the trust part. Certificate trust can be thought of as a chain that starts with the Certificate Authority (or CA), which is a company or entity that issues SSL Certificates (the pair of files we just discussed). Some well known examples of these companies include Verisign, TRUSTe, Thawte, and Network Solutions, but there are many, many others. The way a certificate establishes its "trustworthiness" is by declaring who issued it, and relying on the visitor's web browser to recognize that issuer. Web browsers and operating systems come pre-loaded with a list of recognized issuers, and that list is kept up to date by automatic updates. When one of your end users visits your site, their browser downloads your certificate and compares the issuer to the list of ones it knows about. When it finds a match, it knows that it can trust that certificate, and your user sees the "green lock" in the address bar.
Do I need SSL (HTTPS)?
Typically, SSL is used to secure credit card transactions, data transfers and logins. More recently, as privacy concerns increase in importance, SSL is becoming common in everyday internet usage. Although SSL is not a requirement, it is recommended if your website handles sensitive customer information such as email addresses, usernames, passwords, or any other Personally Identifiable Information.
Does Vanilla Support SSL (HTTPS)?
Vanilla has built-in (and free) SSL support for sub-domains of http://vanillaforums.com and this feature is enabled by default for all our customers. Simply change "http" to "https" on your .vanillaforums.com URL and your connection will be secured using our certificate. This works because we have purchased and installed a "wildcard" certificate which matches any vanillaforums.com domain, and we make this available to you and your end users at no charge.
Vanilla also allows customers to access their forum via a "Custom Domain" (something like forums.yourwebsite.com). In order to secure a custom domain with SSL, an extra monthly charge applies, along with some set-up and configuration. This is because, due to the nature of SSL, we need to allocate additional resources (an IP address and a load balancer instance) dedicated to your site in order to facilitate custom SSL configurations. You will also need to purchase an SSL certificate that matches your custom domain.
Why do I have to buy the certificate?
If we could, we would handle this entire process for you. Unfortunately, since one of the key components of SSL is trust, only the owner of the domain to be secured is allowed to register signed SSL certificates from trusted issuers. This helps to ensure that when someone visits a secure site that presents a valid certificate, they can trust that they are communicating with the site in their address bar and not some fraudulent "man in the middle". At Vanilla, we use and recommend RapidSSL as a trusted issuer.
What if I need to generate a CSR?
Some SSL issuers require that the purchaser (that's you) create a Certificate Signing Request file, or CSR, before issuing a certificate. There are numerous documents throughout the internet that describe this process and a quick visit to Google will reveal these. You can also use a "CSR Generator" which guides you through the process. We recommend the DigiCert CSR Generator.
What kind of certificate should I ask for? What formats do you support?
We support standard PEM encoded certificates. These are ASCII (base64) armoured data files that start with "-----BEGIN". Certificates start with "-----BEGIN CERTIFICATE-----" and Private Keys start with "-----BEGIN RSA PRIVATE KEY-----". Please note, we do NOT want PKCS#7 or PKCS#12 formatted certificates, or anything DER encoded.
VERY IMPORTANT: Private Keys are normally protected by a password of some kind. Any time the key is used, the password must be entered. This makes a lot of sense when the key pair is being used to encrypt or decrypt email correspondence or some other manual process, but very little sense in an SSL context where these operations occur automatically behind the scenes. Your Private Key MUST NOT contain a password; otherwise our web servers cannot be restarted and your forum will almost certainly experience downtime.
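As an added example (not part of the original post, and not Vanilla's own tooling), the following Python script runs the format checks from the two paragraphs above on a certificate and key before they are uploaded. It accepts only PEM blocks of the kinds named here (plus an unencrypted PKCS#8 key and the CSR header a CSR generator produces, which are assumptions of this example), and it rejects PKCS#7 bundles, binary DER/PKCS#12 data, and any key that carries a passphrase, whether as a legacy `Proc-Type: 4,ENCRYPTED` header or as an `ENCRYPTED PRIVATE KEY` block. The sample inputs are constructed stand-ins whose base64 body decodes to a five-byte placeholder, not real certificates or keys.

```python
"""Pre-upload sanity check for PEM certificate and key files (added example)."""
import base64
import binascii
import re

# PEM block labels accepted here: the two the FAQ names plus an unencrypted
# PKCS#8 key and a CSR (the file a CSR generator produces). Assumption of this
# example, not a statement of what the hosting side accepts.
ACCEPTED = {
    "CERTIFICATE": "certificate",
    "RSA PRIVATE KEY": "private key (PKCS#1)",
    "PRIVATE KEY": "private key (PKCS#8, unencrypted)",
    "CERTIFICATE REQUEST": "certificate signing request",
}

# Labels that mean the file is in a form the FAQ asks us not to send.
REJECTED = {
    "PKCS7": "PKCS#7 bundle; export the certificate as plain PEM instead",
    "ENCRYPTED PRIVATE KEY": "password-protected PKCS#8 key; remove the passphrase",
}

# One PEM block: BEGIN line, body (optional headers plus base64), matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def pem_labels(data: bytes) -> list[str]:
    """Return the labels of all PEM blocks found in the file, in order."""
    return [label.decode() for label, _ in PEM_BLOCK.findall(data)]


def check_pem(data: bytes) -> list[str]:
    """Return a list of problems with the file; an empty list means it is acceptable."""
    if b"-----BEGIN" not in data:
        # DER and PKCS#12 files are binary and begin with an ASN.1 SEQUENCE tag (0x30).
        if data[:1] == b"\x30":
            return ["binary DER/PKCS#12 data, not PEM; convert to PEM first"]
        return ["not a PEM file; expected a line starting with -----BEGIN"]

    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return ["BEGIN line found but no matching END line"]

    problems = []
    for raw_label, body in blocks:
        label = raw_label.decode()
        if label in REJECTED:
            problems.append(f"{label}: {REJECTED[label]}")
            continue
        if label not in ACCEPTED:
            problems.append(f"{label}: unsupported PEM block type")
            continue
        # Legacy OpenSSL passphrase protection shows up as headers inside the block.
        if b"Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{label}: key is password-protected; remove the passphrase")
            continue
        # The armour must be valid base64 and must decode to a DER SEQUENCE.
        try:
            decoded = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if not decoded.startswith(b"\x30"):
            problems.append(f"{label}: decoded body is not a DER SEQUENCE")
    return problems


def check_pair(cert_data: bytes, key_data: bytes) -> list[str]:
    """Check a certificate file and its key file together, as they would be uploaded."""
    problems = [f"certificate file: {p}" for p in check_pem(cert_data)]
    problems += [f"key file: {p}" for p in check_pem(key_data)]
    if "CERTIFICATE" not in pem_labels(cert_data):
        problems.append("certificate file: no CERTIFICATE block found")
    keys = [lab for lab in pem_labels(key_data) if lab.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"key file: expected exactly one private key block, found {len(keys)}")
    return problems


# Constructed sample inputs: the base64 body "MAMCAQE=" decodes to a five-byte
# placeholder SEQUENCE (30 03 02 01 01), not to a real certificate or key.
GOOD_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
GOOD_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"
PASSWORDED_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    b"MAMCAQE=\n-----END RSA PRIVATE KEY-----\n"
)
PKCS7_BUNDLE = b"-----BEGIN PKCS7-----\nMAMCAQE=\n-----END PKCS7-----\n"
DER_BLOB = b"\x30\x03\x02\x01\x01"

if __name__ == "__main__":
    samples = [("good key", GOOD_KEY), ("passworded key", PASSWORDED_KEY),
               ("pkcs7 bundle", PKCS7_BUNDLE), ("der blob", DER_BLOB)]
    for name, data in samples:
        print(f"{name} -> {check_pem(data) or 'OK'}")
    print(f"cert + key pair -> {check_pair(GOOD_CERT, GOOD_KEY) or 'OK'}")
```

Run it against the two files you intend to send: an empty result from `check_pair` means the files are PEM, the key is not passphrase-protected, and neither file is a PKCS#7, PKCS#12 or DER export. The script only looks at the container format; it does not verify that the key actually matches the certificate or that the certificate chains to a trusted issuer.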
What do I do if I still have questions?