Why we need SSL, and how Domino 12 helps us get it

Over the past few years, the world and their dog have been drumming into web server administrators that they need to use SSL, and now web browsers are not-so-passively-aggressively throwing up warning messages if a site isn’t being accessed over HTTPS.
In the past, SSL has only really been enforced for login screens, or payment screens – but this is no longer considered sufficient, and there are very good reasons for this:
All traffic transmitted over the web should be encrypted. The internet is a very public global network that can be accessed by anyone and anything and, without SSL, it’s all sent in plain text. The reason for encrypting, e.g., a credit card transaction is obvious – but don’t underestimate the value some would attach to more ‘trivial’ traffic. Access to blog articles, newspaper sites, specialist sites, web forums – without SSL, the data can all be automatically intercepted by network sniffers and used to build up a profile of who you are, and what you do. Not only is this intrusive in terms of privacy, but the information could also be used for generating a spear phishing attack against you.
If your site isn’t protected by SSL, its lack of security now stands out like a sore thumb. As already mentioned, browsers now actively point out when a site isn’t secured with SSL, which reduces user trust. Yes, this was never previously an issue, but if you were to access a site which the browser now proclaims isn’t secure, how would that make you feel about it?
Search engines will penalise your site in their result rankings if your site doesn’t use SSL. Nobody knows the secret algorithms that Google uses for deciding your site’s search result position, but we do know a large factor is whether the site uses SSL. So, unless you’re happy with parting with serious amounts of cash in Google’s direction, you’d be doing yourself a big favour in the organic search rankings by enabling SSL.
So, we’ve established SSL can be regarded as a Good Thing. Well, why isn’t everyone using it then?
Cost – SSL certificates need to be purchased. This can vary from about £20 to several hundreds or thousands, depending on how visible you’d like it (the fabled ‘green’ browser bar) and the degree of validation and financial protection you’d like it to give.
Setup – Setting up an SSL certificate is notoriously difficult, and I’m not talking just Domino here. It requires a merry dance of exchanges between the web server and the SSL authority: certificate requests, authorisations, root/intermediate certificates, and the SSL certificate itself. All of this usually involves setting up key stores (which could be in one of a number of formats) and manually sending cryptic text files, and a small mistake at any stage often requires the whole process to be started again.
Maintenance – For security reasons, certificates can now only last a maximum of one year. Which means everything mentioned in the previous point will have to be repeated annually.
Thankfully, however, there are organisations out there who are trying to take some of the pain away – the most notable one being Let’s Encrypt. Their laudable claim is to ‘give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web’. Hurrah!
Let’s Encrypt works by the web server requesting, authorising, and then installing certificates automatically. The certificates only last 90 days for security reasons; however, that’s not a problem due to the automatic renewal process. And they’re totally free!
The only issue with Let’s Encrypt is that few web servers support the renewal process, and administrators normally have to rely on using Linux for configuring it, or third-party software if using Windows as an operating system.
However, I’ve noticed the documentation for the upcoming release of HCL Domino 12 now includes support for Let’s Encrypt!
This is major news for Domino web administrators everywhere, and means there is no reason why any internal/external browser-based Domino applications cannot have SSL.
It’s done through an updated version of Certificate Manager (you know – the one we used to use before having to switch to the OpenSSL command line). The full details can be found at the HCL documentation here: https://help.hcltechsw.com/domino/earlyaccess/secu_le_using_certificate_manager.html
We at Oval fully support this new feature and hope to be testing the process as soon as it’s released, so keep an eye out for further developments from us here.