What is Always On SSL (AOSSL)?

March 16, 2017

Ross Ross Gerring

Always On SSL, or AOSSL for short, is the practice of ensuring that all pages of a website are always forced (in a nice way!) to be using an SSL certificate.

Q. How do you know that a web page is using an SSL certificate?

The closed padlock, the word ‘Secure’, and https instead of http, show that this page is secure. This should be visible in the address bar of your web browser.

The closed padlock and the word 'Secure' shows that this page is secure

 

 

 

Q. How you know that a web page is NOT using an SSL certificate?

The words ‘Not secure’ show that an SSL certificate is not in use. You may also see http and not https. You may also see an open padlock, not a closed one.

The words 'Not secure' prove that an SSL certificates is not in use.

 

 

 

Q. What does “secure” actually mean?

It means that information you’re supplying to a website is completed encrypted, and not visible/readable in plain text to anyone who might be snooping (maliciously or otherwise) on the data being exchanged. You are exchanging data with a website when, for example when you are:

  1. Filling in a “Contact Us” form.
  2. Logging in to a members-only area.
  3. Buying something, i.e. an e-commerce transaction.

When you are exchanging data with a web page, your data is actually travelling across multiple computer networks, with multiple owners of those networks. At an absolute minimum, there’s the owner of your internet connection (i.e. your ISP), plus there’s the data centre where the website is being hosted. In other words, there are lots and lots of touch points between your data and the destination website (hosting server), and therefore multiple potential points where someone – if they really wanted to – could attempt to capture, store and read your data.

Q. How does a web developer force a website to be always-on SSL (AOSSL)?

Here’s a test: try to visit http://google.com.au. What happens? The URL should get automatically changed to https://www.google.com.au (or possibly a local country version of Google, e.g. google.com or google.co.uk). The page went from not secure, to secure. Note 2 things:

  1. http got changed to https
  2. google.com.au got changed to www.google.com.au. See http://www.yes-www.org/why-use-www/ for information about this.

You (the visitor) went to visit the website on a non-secure (http) connection, and you got automatically redirected to the https version. And it doesn’t matter what Google web page you visit, you’ll (almost certainly!) get auto-redirected to the https version if you initially attempted to visit the http version.

OK, from a website developer perspective, what we do is:

  1. Ensure that the website actually has a valid SSL certificate associated with it in the first place. The great news here is that there’s no longer any excuse for a website to be without an SSL certificate, because some SSLs are now free: https://www.itomic.com.au/tag/free-ssl/.
  2. Add some code to your website which detects if the site is being visited on an http URL, and auto-redirects it to the https equivalent page. Getting more technical, we typically use a thing called a 301 redirect.

Q. Why not just ensure that the pages where information might be exchanged (e.g. a ‘Contact Us’ page) are using the SSL certificate, and not the others?

Two reasons:

  1. Too hard to maintain. It’s technically easier to ensure that all web pages on a website are using the SSL cert, and not just some of them.
  2. Google is actively preferring websites that always have SSL protection, versus those that don’t. Which means that, all other things being equal, a website with SSL protection will rank more highly than one that doesn’t.

Q. Why are sites only now getting on the SSL bandwagon? If all the above is true, surely all sites should have been AOSSL as standard, years ago?

  1. Until the relatively recent advent of free SSL certificates, purchasing an SSL for your website used to be a relatively expensive exercise, especially for small businesses. Therefore many have opted not to bother.
  2. Many websites – even some big ones – offer little or no functional opportunity for a visitor to supply any information. Or if they do, then the information being exchanged is considered to be of low confidentiality or sensitivity, i.e. relative to, say, credit card information.
  3. Google has recently (2016/17) ramping up the pressure to increase security on the web, and one of the ways they can do this is to strongly encourage AOSSL websites by methods that have been identified above.

Q. How do I check if my website currently has an SSL certificate?

Our favourite tool is: https://www.sslshopper.com/ssl-checker.html#hostname=www.itomic.com.au. Look for all ticks, and no crosses, of course.

Q. My website appears to have an SSL certificate, but isn’t auto-redirecting visitors to the https version. Why not?

It’s one thing for your website to have an SSL certificate available, it’s another for your site to be actually making use of it. That’s where you website developer comes in handy, see below.

Q. How do I get my website to have AOSSL?

Speak with your website developer and/or website hosting company. Don’t forget to remind them that SSL certificates can now be acquired at no cost! That said, note that it’s reasonable for a web developer to charge a small fee to make AOSSL happen on your site, given that skilled labour is required. Itomic does.