Tag Archives: Ssl

Secure Socket Layer: It is the standard technology for creating an encrypted link between a web server and a browser, which makes sure that the data passed between the web server and the browser remains private and protected. It was developed and released by Netscape in 1996 as a technology for security management. It is a commonly used protocol for managing the security of message transmission on the internet. It is a transparent protocol which requires little interaction from the end user when creating a secure session. It is included as a part of both Microsoft and Netscape browsers as well as most other browsers. The “Sockets” part of SSL (Secure Socket Layer) refers to the sockets method of passing data between the server and the browser, or between program layers on the same computer. In order to create an SSL connection, a web server needs an SSL certificate.

What is SSL Certificate?

An SSL Certificate is a way by which web servers prove their identity to web browsers, allowing a secure site to communicate privately with the browsers through the http protocol. It is digitally signed by a certificate authority that most web browsers trust; there are many certification authorities, including government agencies. A company can purchase an SSL certificate for its web server from certificate authorities, which verify the company’s identity. It inspires trust, as each certificate contains identification details and the browser can share the details and it would be private and secure. It is also a bit of coding on the web server to provide security for online communication.

Why is it essential and important?

Most people wonder what the need to use SSL is. For people who own sites, or customers who want to do banking or any private transaction, it is very important. If you are not using SSL, the data transmitted or submitted is not encrypted, and if the data reaches the wrong hands it will create a problem. To be on the safe side, by using SSL the data is encrypted and the information is safe.

How can you get a SSL Certificate?

For an SSL certificate, you first need to create a Certificate Signing Request (CSR) on your server, which creates a private key. Then the CSR should be sent to the SSL certificate issuer, also called the Certificate Authority or CA. The CA will use the CSR data files to create a public key that pairs with your private key; the CA will never see the private key. After receiving the certificate, install it on your server. Also install the intermediate certificates, which create credibility for your SSL certificate by tying it to the CA’s root certificate. Instructions for installing and testing your certificate will differ based on your server. The certificate contains the organization’s identity details, the validity period of the certificate and the name of the CA that issued the certificate.

A browser trusts certificates and comes with a list of reputed CAs. The certificate issued by a CA verifies that the organization’s identity is genuine. As the browser trusts the CA and the CA certifies your organization, the browser will automatically trust the organization. The browser then lets the user know that the website is secure and that the user is safe and can share personal details.

How does it work?

When a user requests a website through a browser, the browser and the server create a connection through a process called the “SSL Handshake”. This is not visible to the user and happens instantly. Three keys are mainly involved in setting up an SSL connection: a private key, a public key and a session key. Data encrypted with the public key is decrypted with the private key and vice versa.

As encrypting and decrypting data using the public and private keys takes a lot of processing power and time, they are only used during the SSL Handshake to make an SSL connection and create a session key. Once the session key is created, all transmitted data is encrypted using this session key.

The process goes in five simple steps:

  1. A browser connects to a web server and requests the web server to identify itself.
  2. The server sends a copy of its SSL certificate to the browser.
  3. The browser checks the certificate: it looks up whether the CA that issued the certificate is in the list of trusted CAs it already has, and also checks that the certificate is unexpired, unrevoked and has the common name that was asked for. If all the details are valid, it creates a session key, encrypts it with the server’s public key and sends it back to the server.
  4. The server decrypts the session key using its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session.
  5. Now both the server and the browser transmit the encrypted data using the symmetric session key.
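
The certificate request described under “How can you get a SSL Certificate?” and the browser's checks in step 3, as an added example that is not part of the original post. It assumes the openssl command-line tool (the post names no tool) and a throwaway CA; the names Demo Root CA and www.example.test and all file names are constructed, and revocation checking is left out.

```shell
#!/bin/sh
# Added example: throwaway CA plus server certificate, then the browser-side checks.
# Needs the openssl CLI (1.1.1 or later). All names and files are constructed.

# Create the demo CA and a certificate for host $2 inside directory $1.
make_demo_pki() {
    dir=$1; host=$2
    # CA side: a self-signed root, standing in for an entry in the browser's trusted list.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server side: the key pair is generated with the CSR. Only the CSR, which holds
    # the public key and the requested name, goes to the CA; server.key stays put.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # CA side: sign the CSR. Current browsers match the host name against
    # subjectAltName, so it is set alongside the common name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -days 30 -extfile "$dir/san.ext" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# Step 3 from the browser's side: issued by a trusted CA, inside its validity
# period, and issued for the requested host name.
# $1 trusted CA file, $2 certificate, $3 host name, $4 optional epoch time to check at.
browser_accepts() {
    if [ -n "${4:-}" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" -attime "$4" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    fi
}

# True when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo: run with a scratch directory as the only argument.
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    make_demo_pki "$1" www.example.test || exit 1
    for h in www.example.test other.example.test; do
        if browser_accepts "$1/ca.pem" "$1/server.pem" "$h"; then
            echo "$h: accepted"
        else
            echo "$h: rejected"
        fi
    done
fi
```

The optional fourth argument of browser_accepts moves the clock, which lets you see the certificate rejected once its 30 days have passed.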

Types of SSL Certificates

There are many types of SSL certificates. You need to know about the features of each certificate before purchasing one. The different types of certificates are:

Extended Validation (EV) SSL Certificate: This type of certificate is designed to prevent phishing attacks. It takes a few days to a few weeks to receive this certificate, but it provides very high assurance. Before issuing this certificate the CA checks the applicant’s right to use the domain and also conducts thorough vetting of the organization. It verifies the legal, physical and operational existence of the organization or the domain. It also checks that the identity matches the organization’s official records. If all these are satisfied, the EV Certificate is issued.

EV SSL Certificates are available for all kinds of businesses, whether government or non-government organizations. A set of guidelines called the EV Audit Guidelines must be followed before issuing EV SSL Certificates. The audits are repeated yearly.

Organization Validation (OV) SSL Certificate: Before issuing this kind of certificate the CA checks the applicant’s right to use the domain and also conducts vetting of the organization. This certificate displays the owner of the domain, its validation and the name of the CA that issued the certificate. This provides good assurance to the browsers.

Domain Validation (DV) SSL Certificates: This is a low-assurance SSL Certificate. It displays only the domain name, not the owner or the organization details. But authorities can easily find out to whom the domain belongs using “WHOIS”. These certificates are issued instantly and are cheaper than the others, but provide low assurance to customers.

Wildcard Certificate: This certificate can secure all the sub-domains under a domain name. For example if you have a wildcard certificate for *.domain.com then it secures www.domain.com, mail.domain.com etc. It will secure all the sub-domains with wildcard symbol (*).

SGC SSL Certificate: These certificates enable old browsers to connect to a site using 128 bit encryption even though they normally have 40 bit. They cost a significant amount and are issued by only a few vendors, as there are strong arguments against SGC SSL Certificates.

Root Certificate and Chain or Intermediate Certificate: A CA issues certificates in the form of a tree structure. At the top is the root certificate, which is the most trusted certificate. A certificate which is signed by the trusted root certificate is trusted. All the certificates below the root certificate inherit trustworthiness from the root.

The certificate that links your organization’s certificate with the root certificate is called Chain certificate or Intermediate Certificate. These certificates must be installed in your server so that the browsers can link your certificate to a trusted authority.

Scalable SSL Certificate: Most certificate authorities are now issuing this certificate. Here the encryption can vary from the lowest, 40 bit, to a higher rate depending upon what the browsers and servers support.


There are many advantages of using an SSL Certificate:

  1. Server Authentication: The certificates protect your website. All the information of your site is stored on a server; using SSL digital certificates, all your information and your customers’ information is protected.
  2. Private Communication: Your transaction conversations will be private, and the SSL certificates encrypt any data that is transmitted, hence customers feel safe and secure about their data.
  3. Customer Confidence: The main reason for which you would opt for an SSL certificate is customer confidence. As the data will be encrypted, customers will feel that their information is safe, have confidence and faith in your site and feel free to share information.



Along with so many advantages, SSL also has disadvantages. They are:

  1. Cost: This is the main disadvantage, as the cost of a certificate is really high.
  2. Performance: As the transmitted data is encrypted, more time is consumed and hence the performance of the site decreases.

With so many benefits the disadvantages can be overlooked. It is very much needed to use SSL Certificates especially if you are sharing personal information on sites. If your site is with SSL certificates, customers will trust your site and can share personal information.

Host Department SSL Certificates

Host Department provides Comodo, GeoTrust, VeriSign and Thawte SSL certificates to customers, starting from 11.95/Year.

Affordable Linux VPS Hosting – Cheapest Linux VPS Hosting yet powerful and secured plan on earth

One fine morning you wake up, go to look at your website and suddenly see a danger signal warning that your website has been compromised. For a webmaster this is the worst nightmare. Have you had any such experience? If so, who do you blame for it? Security has become one of the most essential parts of website management these days, as there are plenty of ways your website can be affected by any type of hacking, spamming or hijacking attack. As a Host Department customer you may be well protected on the server and network side, but are you really protected from the inside? That is the real question here: how do you secure your website internally?

You may use the strongest locker in the world to protect your wealth, but what is the use if you leave the doors open? The same thing applies to your website. We host thousands of websites and rarely receive a few such compromised-website complaints. What do we do in such cases? First we try to understand where the loophole is, and let me tell you something here: most of the time it is an application with an outdated version or some files which have full permissions (777) (read, write, execute), which means you are giving hackers an open invitation to compromise your website. We often try to warn our customers to update their CMSs or blog applications such as WordPress, Joomla, Drupal etc., but they ignore it, which ultimately results in this kind of hacking attack. Recently, in a press release, Joomla announced that they have deprecated all the 1.x.x versions of Joomla. See the note below from their website.

Joomla! 1.0.x, 1.5.x, 1.7.x – these versions have been deprecated for a very long time and is no longer supported in any way, but there are still websites using it (shame on you!).  Generally denoted by a red stripe across the top of the page, you will find the version number at the bottom of the page.

But there are still a lot of Joomla users who are using the same old versions. So how do you make your website security rock solid? Please read the instructions below to tighten your website security.

10 Ways to Secure your Website:

Step #1: Secure your Directory and File Permissions:

This is one of the most common causes of getting compromised easily. In a lot of cases CMS-type applications need 777 permissions to execute a few tasks. There is nothing wrong with giving full access temporarily, but if you leave that file or folder with full permissions for a long time, that directory or file is accessible and writable world wide by anyone. In such cases it is very easy for hackers to compromise and infect your pages. So what is the solution? What are the recommended file and folder permissions?

The three digits in 777 indicate the Owner, Group and Public permissions respectively.

Recommended Folder and File Permissions:

Recommended directory permissions: 755 (rwx,rx,rx)

Recommended file permissions: 644 (rw,r,r).

Make sure that you always have these permissions assigned to the folders and files in your website; this is one of the important steps to protect your website from malicious attacks.
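
One way to check a web root against the 755/644 recommendation above, as an added example that is not part of the original post. The function names and the web root path passed on the command line are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: find and repair over-permissive modes under a web root.
# The web root path is supplied by the caller; this is not Host Department tooling.

# List entries whose "public" (other) write bit is set, e.g. 777 or 666.
# Symlinks are skipped because their own mode bits are not what is enforced.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -exec ls -ld {} +
}

# Same selection as above, reduced to a number that a cron job can alert on.
count_world_writable() {
    find "$1" ! -type l -perm -0002 -print | wc -l | tr -d ' '
}

# Reset directories to 755 and regular files to 644, touching only entries
# that differ. Scripts that must stay executable (CGI, cron helpers) need
# their execute bit restored by hand afterwards.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Usage: sh perms.sh /path/to/public_html [--fix]
if [ "$#" -ge 1 ]; then
    echo "World-writable entries under $1: $(count_world_writable "$1")"
    list_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_perms "$1"
        echo "After fix: $(count_world_writable "$1")"
    fi
fi
```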

Step #2: Use Strong FTP Passwords:

This is one of the most common blunders of webmasters: they always use simple passwords for their FTP login. This is one of the worst mistakes and can lead to some big problems. To avoid this, always use secure passwords.

A strong password does NOT, in any way, use your personal information, such as name, phone number, Social Security number, birth date, address or names of anyone you know. You can make use of some great online tools to generate strong passwords, like Random password generator etc. You can also check the strengths of your present passwords using some tools like Microsoft password strength checker or password meter etc.

Also, please make sure that you change your password every week, or at least every month.

Step #3: Keep your Applications up to date:

Open source applications occupy a major part of website design and development; these days a lot of people are hosting open source CMS applications. We too encourage you to host them, but if you don’t keep them up to date, you are definitely in trouble. We have tried to warn you about this several times, but most of the time webmasters ignore it.

We often try to send you email alerts about the security issues of using old versions of applications, but in most cases customers ignore them. We request you to keep your applications up to date. There are thousands of people working on open source projects to keep them up to date and make them secure, so why not benefit from those free and secure updates?

Step #4: Secure your pages with SSL Certificate:

Do you have an eCommerce-type website? Then you should know that having an SSL certificate for your store is one of the most important things for protecting your customers’ valuable data and your reputation as well. Even if you have just one page which provides logins for your customers or members, it is recommended to have an SSL certificate. This will ensure that all the information on your pages is encrypted over the internet and almost impossible for any hacker to read.

Do you know that Host Department provides cheap SSL certificates? Our certificates start from $11.95/month.

Step #5: Protect your .htaccess file:

The .htaccess file is one of the most important and most powerful files: it can control the behavior of your website and has the power to even redirect your entire website to a different one. This type of attack has become more popular these days; in this attack a malicious hacker injects redirection code pointing to a malicious website. So how do you protect your htaccess file? It is simple: as I said earlier, do not assign full permissions to your htaccess file, or you can write the piece of code below in your htaccess file, which does not let anyone else access your htaccess file.

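# Deny web requests for any file whose name contains ".hta" (.htaccess and the like).
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied".
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>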

The above code will protect your htaccess file from being accessed by others and will not let hackers inject any malicious code.
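
One way to review .htaccess files for the injected redirection described in this step, as an added example that is not part of the original post. The function name find_external_redirects, its arguments and the host names used with it are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: flag redirects in .htaccess files that point off-site.
# find_external_redirects and its arguments are names made up for this sketch.

# $1 = web root, $2 = the site's own domain (its subdomains count as own).
# Prints "file:line: directive" for each redirect whose target host is foreign.
find_external_redirects() {
    find "$1" -type f -name .htaccess -exec awk -v own="$2" '
        # Directives that can send a visitor to another URL.
        tolower($1) ~ /^(redirect|redirectmatch|redirectpermanent|redirecttemp|rewriterule)$/ {
            for (i = 2; i <= NF; i++) {
                url = $i
                gsub("^\"|\"$", "", url)                    # drop surrounding quotes
                if (tolower(url) !~ "^https?://") continue  # relative target stays on-site
                host = tolower(url)
                sub("^https?://", "", host)                 # strip the scheme
                sub("[/:?].*$", "", host)                   # strip port, path and query
                suffix = "." tolower(own)
                n = length(host) - length(suffix) + 1
                if (host == tolower(own)) continue
                if (n > 1 && substr(host, n) == suffix) continue
                print FILENAME ":" FNR ": " $0
            }
        }' {} +
}

# Usage: sh htredirects.sh /path/to/public_html example.test
if [ "$#" -eq 2 ]; then
    find_external_redirects "$1" "$2"
fi
```

Each reported line is a redirect to review, since a legitimate move to a new domain looks the same as an injected one.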

Step #6: Keep your home or office PC Secure:

You may ask how keeping your system safe will protect your web pages. A recent survey disclosed that 30 to 40% of malicious files are uploaded by the webmasters themselves, and our experience teaches the same. If your system is infected with a virus, then obviously the next job of that virus is to inject malicious code into your web pages while you are uploading them, or to send your login credentials to the remote hacker so he can take care of the rest.

So always keep your PC clean and scan it daily with an updated antivirus program. Check for any unusual behavior before uploading your files.

Step #7: Use Secure Passwords for your Emails IDs:

Email IDs getting compromised because of weak passwords is one of the fastest rising issues in the hacking and spamming era. Once a hacker manages to guess your password using a brute-force attack, he will simply start sending bulk mails to various email addresses on the same server or even to outsiders. Ultimately your mail server IP gets blacklisted and you are not able to send and receive emails; you then need to request delisting from the blacklist.


To avoid this kind of issue, it is recommended to use secure and strong passwords for your email IDs. In our personal experience we have seen plenty of such cases. We often send alerts to your email about weak password usage; please do not ignore them, and change your password to a secure one.

Step #8: Secure your Private and Admin areas with IP restrictions:

It is always recommended to secure your private areas with IP restrictions or at least with SSL encryption. IP restriction is a somewhat advanced yet effective method to stop unauthorized personnel from accessing a particular area of your website. If you have a static IP on your home or office PC, it is recommended to set IP restrictions with an .htaccess rule, so that only your home or office PC can access that particular area.

Here is an example htaccess code to IP restrict the access to a particular location.

# <Limit> applies only to the methods listed; other request methods are not restricted.
<Limit GET POST>
order deny,allow
deny from all
allow from
</Limit>

The above code restricts all other users from accessing a particular area except the allowed IP. Put your own IP address after “allow from” and place that htaccess in the folder which you want to restrict from public access.

Step #9: Change your database table prefix:

If you have a dynamic website with back-end database support, then it is recommended to use a different table prefix from the default one that comes with your application. Also, if you have raw tables without any prefix, it is important to add a prefix which is hard to guess; this will ensure that no one is able to guess your database username, so there is no point in hacking the password.

We also recommend that you use strong passwords for your database users; do not use the same password for all the users. Make sure that each of your passwords is unique and absolutely strong.

Step #10: Try to have your own virtual private server:

Having your own virtual private server (VPS) is always an added advantage: you can define your own rules, and you will have your own server with your own choice of OS, such as Windows VPS or Linux VPS. This provides an additional layer of security and keeps all your data on your own server. This may not be a security measure, but it is worth trying, because you get a lot of advantages, like writing your own rules, installing all types of security applications, etc.

Do you know that Host Department offers the cheapest VPS hosting with a free Plesk panel? You can manage most of your tasks using a powerful panel.

I hope you learned a few important tips about your website security today. Please do drop your comments, questions and suggestions in the comments section below, and if you like this post, please consider sharing it with others.