HTTPS and encrypted connexions

What is SSL and HTTPS?

You may have noticed that some web sites have an extra little ‘s’ in their address just after the ‘http’ part. This little ‘s’ means ‘secure’ and tells you that the data that gets sent between your computer, phone or other mobile device and the remote web site – and vice-versa – is encrypted using something called SSL (Secure Sockets Layer). This has the benefit of preventing anyone physically in between you and the web site you’re visiting from snooping on or logging your data. Someone might do this for nefarious reasons, perhaps because they want to steal your on-line banking username and password; or they might be legally forced to do it: some providers in some jurisdictions are obligated to record your data and store it for six months.

How does it work?

The administrators of network23.org wanted to provide an encrypted service to protect the users’ data. They created a ‘certificate’ and paid a commercial company (called a Signing Authority) who verified that network23.org owned the web address and put their name to it by signing the certificate to let the world know that encrypted connexions to network23.org can be trusted. This certificate is also called an ‘SSL certificate’ or a ‘security certificate’.

When you connect to https://network23.org your connexion is encrypted and the stuff you do cannot be read by third parties attempting to intercept it. They can still log that you visited network23.org but they don’t know what you did there.

What about other sites hosted at network23.org that use their own web addresses?

Network23.org uses WordPress to power it. WordPress provides an extension called ‘Domain Mapping’ that allows someone to use their own web address rather than network23’s.

For example Critical Mass London have a blog at network23.org, which you can visit at https://network23.org/criticalmasslondon/.

They also used to have their own web address, http://www.londoncriticalmass.org, which you can no longer visit because they forgot to renew their domain name and now a company is using their built-up audience. The lesson is that unless you put in place the process needed to make sure your domain is renewed regularly for the life of your project, we recommend you use your network23 address for your blog. However, we can still use it as an example. Note the lack of the little ‘s’? This means that you’re not using SSL and an encrypted connexion.

When the domain was working, you could however visit it at https://www.londoncriticalmass.org, but your browser would show you an error similar to:

<<< There is a problem with this website’s security certificate. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. >>>

What should you do? Do you need to worry about this?

Well, no, not really. Because www.londoncriticalmass.org was actually using the certificate for network23.org behind the scenes, and the two web site addresses didn’t match, you were being warned about it: your browser is saying that you can’t trust that the person providing the web site, and saying that your connexion is encrypted, really is that person.

This is okay because it’s network23.org; so don’t worry :P You can check this in your browser before accepting the ‘dodgy’ certificate. For example when you get the warning in Firefox, under ‘Technical Details’, you can see it’s actually network23.org as in the picture below:

SSL Warning Technical Details in Firefox

You can also check any SSL certificate once you’re connected. Again in Firefox there’s a little lock icon to the left of the web site address near the top, as you can see in the following picture:

SSL certificate details clicking little lock in Firefox
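
The address check behind that warning is the same one you make by hand when you read the certificate details. The Python below is an added example, not code from network23.org or any browser; the function names and the list of names on the certificate are made up for illustration.

```python
# Added illustration: the name check a browser makes before trusting a
# certificate. The certificate name list below is constructed.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """True if one certificate name (possibly '*.example.org') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label, and only
        # when at least two fixed labels follow it (so no '*.org').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_certificate(cert_names, hostname):
    """Return (trusted, message) for a hostname against a certificate's names."""
    for pattern in cert_names:
        if name_matches(pattern, hostname):
            return True, f"{hostname} is covered by '{pattern}'"
    issued_for = ", ".join(cert_names)
    return False, (f"certificate was issued for a different address "
                   f"({issued_for}), not {hostname}")


# Constructed: the names on a certificate issued only for network23.org.
NETWORK23_CERT = ["network23.org"]

if __name__ == "__main__":
    for host in ("network23.org", "www.londoncriticalmass.org"):
        ok, why = check_certificate(NETWORK23_CERT, host)
        print("OK     " if ok else "WARNING", why)
```

The second address fails the check even though the same server answers for both, which is exactly the situation the warning describes.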

In summary

So SSL is good and it protects your data and network23.org uses it. Domain Mapping allows people with network23.org blogs to use their own web addresses (for as long as they renew them). They can also use https in their web addresses but you’ll get a warning about it. Check to make sure it’s really network23.org and accept it and carry on without worry.

However, you do need to be careful: it could be that you think the site you’re visiting is your on-line banking, but you get a warning. Check the certificate and make sure that the web address is what you expect and it belongs to who you think it should. If you’re unsure, don’t trust the site. For on-line banking, Trusteer Rapport is available as a plug-in for your browser, and this offers checks on the site’s identity and authenticity.

Finally, most of the projects on network23.org are volunteer run and self-financed. It costs about £15/year for a signed SSL certificate. If a project you’re involved in or interested in doesn’t have a valid certificate and is still using network23’s one, consider donating to the project and encouraging them to buy one for their site; we can set it up for them.
