What happens if you install an SSL certificate?

Can someone explain to me in short (and in 'human' terms) what happens when an SSL certificate is installed?

Instead of sending information between the server and browser in a form that can be intercepted easily and read by a third party, the data is sent in an encrypted format to help mitigate someone snooping on the traffic.

Does this require extra configuration in the website source code?

No(ish)...

Maybe... If you are doing redirects explicitly to http, rather than https, within your code.

Also, in many browsers you will get warnings if your site is loading things like images via http, as the browser will complain about the mix of https and http.

Does this mean the website can not be reached over http, and only over https?

Typically no, as the server will allow both http traffic and https. But this can be controlled at the server level. This could be achieved at the server level if you have enough control (I won't go into detail here), but it would require you to have more access than you would normally have on a shared server (unless by shared, you mean a virtual server?).

As a general note... please don't take this the wrong way.

If you are soon to be under the scrutiny of a security auditor for a web application (I assume application, rather than flat html due to the ability to load user data)... and you do not have the basic knowledge of SSL, then unfortunately you are likely to fail the audit.

Sorry, I do not mean to jump to conclusions, as you could pass... I do not know the specific requirements of your security audit. But talking from experience with working with security auditors - SSL is only the beginning.

Here is a site that can get you started on security: https://www.owasp.org/index.php/Main_Page

But like they say for anything, if you do not have the skills for a particular role, get someone in to help. I wouldn't expect a developer to have the full skills of a designer and vice versa, so perhaps ask a developer friend for help?


What do you mean by "activated"?

If you lack understanding of SSL, it is high time to learn before you are expected to configure a server with it :)

Depending on the webserver you are running on, the procedures will differ.

For an apache web server, significant configuration and human interaction is required to make it work - unless your hoster has offered to do this for you.

For a Windows web server, the actions are more of the point-and-click variety, but you still need to know what you're doing :) While you CAN reach an SSL website over HTTP, this is a very bad idea - it negates much of the advantages of securing the traffic in the first place.

I can tell you right away that you will not be PCI-compliant when you do this on a money-related website (such as a bank).

PCI requirements are pretty strict, and, of course, public knowledge. You may well find that the audit company expects you to be PCI-compliant, even if the web site does not perform payment transactions directly.

The bottom line is that if this is in any way high-profile or production-sensitive, get a professional to do these things for you.


As for your last bullet, it's common practice to redirect requests that arrive at the unencrypted site to the encrypted site, like in this example that could be found in an Apache httpd configuration:

<VirtualHost 1.2.3.4:80>
ServerName thesite.example.com
# (.*) captures the whole request path so that $1 carries it over to the https URL
# (a single (.) would only capture the leading "/" and drop the rest of the path)
RedirectMatch (.*) https://thesite.example.com$1
[...]
</VirtualHost>

Be aware that this redirect is transmitted through the plain HTTP connection and your users are only immune to some specific attacks if they actively enter the https URL into the browser.
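As an added illustration (not part of this answer, and not Apache's own code), the script below models how RedirectMatch applies its regex to the request path, and then checks a captured plain-HTTP response for the properties such a redirect should have: it is a redirect, it points at https, and it keeps the host and the requested path. The matching model (unanchored search, `$N` backreferences) and the two sample responses are constructed assumptions, not real server output.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def redirect_match(pattern: str, target: str, request_path: str) -> Optional[str]:
    """Model of Apache's RedirectMatch (assumption, not Apache's code):
    the regex is searched against the URL path without anchoring, and each
    $N in the target is replaced with capture group N. Returns None when the
    pattern does not match, i.e. the request would be served as-is."""
    m = re.search(pattern, request_path)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)


def check_redirect(raw_response: bytes, expected_host: str, request_path: str) -> List[str]:
    """Inspect one HTTP response received over plain HTTP and return a list of
    findings (an empty list means the redirect looks right)."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    findings: List[str] = []
    # RedirectMatch sends a 302 unless "permanent" is given; any 3xx is a redirect.
    if len(status) < 2 or not status[1].startswith("3"):
        findings.append(f"not a redirect: status line {lines[0]!r}")
    location = headers.get("location")
    if location is None:
        findings.append("no Location header")
        return findings
    parts = urlsplit(location)
    if parts.scheme != "https":
        findings.append(f"Location does not use https: {location}")
    if parts.hostname != expected_host:
        findings.append(f"host changed: expected {expected_host}, got {parts.hostname}")
    if (parts.path or "/") != request_path:
        findings.append(f"path not preserved: requested {request_path}, got {parts.path or '/'}")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://thesite.example.com/account/login\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# What the (.) variant of the rule produces: the path is lost on the way to https.
LOSSY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://thesite.example.com/\r\n\r\n"
)

if __name__ == "__main__":
    for pattern in ("(.)", "(.*)"):
        print(pattern, "->", redirect_match(pattern, "https://thesite.example.com$1", "/account/login"))
    print(check_redirect(GOOD_RESPONSE, "thesite.example.com", "/account/login"))
    print(check_redirect(LOSSY_RESPONSE, "thesite.example.com", "/account/login"))
```

The same check can be run over a response saved from `curl -i http://thesite.example.com/account/login`; it only looks at the status line and the Location header, so it does not care how the server was configured.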