Transport Layer Security

Background
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same.

Why?
The normal HTTP protocol transmits information across the internet in the clear. Anyone who has access to any of the networks between the client browser and your DreamHost (DH) server can easily peek at the data and see everything. To guard against this, use the SSL/TLS protocol instead. When using the secure protocol, your web site address will start with https:// instead of http://.

HTTPS is used both to let the visitor verify that they are talking to the site they think they are talking to, and to encrypt the information in transit. In addition to personal information like credit card numbers, session cookies are protected by HTTPS. Using HTTPS is the best way to protect against session cookie theft. If you're surfing the web using a wireless connection, it is the *only* way to protect against session cookie theft.

Why not?
At DreamHost, the encryption and decryption of the data is done in software, not hardware. In 1995, this was slow, so at the time web sites only encrypted the parts that really needed it, for example pages that collected or showed credit card numbers or other very personal information. The best way to guard important information is to not have it, so do not collect secret information unless you must.

That being said, in 2011 computers are so much faster than the networks they are attached to that encrypting and decrypting the network traffic adds a negligible amount of load (a few percent, at most).

How to do it
See the Wiki article on Secure Hosting for more information and detailed instructions.

Problem solving

 * If your secure site doesn't show any data, make sure that it works properly using the regular protocol: browse to http://company.com and you should see your web site in its full glory. (But without the security indicator from your browser.)
 * If you get a security pop-up message about your secure site, you may not have the certificate installed correctly or the certificate may be for a different site. Remember that a certificate for company.com will usually not work for www.company.com. Ask your certificate authority and DH for help.
 * If you get a pop-up that some elements on the page are secure and others are not secure: the problem is that a page on your secure site https://company.com includes items (such as images, CSS files or JavaScript files) from non-secure websites. You need to make sure that everything on the page is loaded from a secure site. Your images need to be on your secure site (or on someone else's secure site). Image URLs should either start with https:// or be relative URLs (e.g. foo.gif, images/woof.jpg, etc.).
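A quick way to find the offending references before the browser complains, as an added example that is not part of the original page: the script below greps a saved HTML page for embedded resources (images, scripts, stylesheets, frames, media, CSS url()) that load over plain http://. Plain links (<a href>) are deliberately skipped because following a link is not mixed content. The sample page is constructed here for the self-check.

```shell
# Added example: list embedded resources a page loads over plain http://,
# which is exactly what triggers the "some elements are not secure" warning.
# Assumes only POSIX sh and grep. Tags split across lines are not detected.
set -eu

find_mixed_content() {
  # One http:// URL per line, taken from src= on resource tags, href= on <link>,
  # and CSS url(...). <a href> is ignored: navigating is not mixed content.
  {
    grep -oiE '<(img|script|iframe|source|video|audio|embed)[^>]*[[:space:]]src="http://[^"]*"' "$1" || true
    grep -oiE '<link[^>]*[[:space:]]href="http://[^"]*"' "$1" || true
    grep -oiE "url\\([\"']?http://[^)]*" "$1" || true
  } | grep -oE "http://[^\"')[:space:]]*" || true
}

# Constructed sample page; only three of its references are real problems.
write_sample() {
  cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<style>body { background: url(http://cdn.example.test/bg.png); }</style>
</head><body>
<img src="http://cdn.example.test/logo.gif">
<img src="images/woof.jpg">
<script src="https://cdn.example.test/app.js"></script>
<a href="http://partner.example.test/">partner link, not mixed content</a>
</body></html>
EOF
}

# Self-check: writes the sample, counts insecure references, cleans up.
count_mixed_content() {
  f=$(mktemp); write_sample "$f"
  n=$(find_mixed_content "$f" | wc -l | tr -d ' ')
  rm -f "$f"; echo "$n"
}
```

Run find_mixed_content against a page saved from your site; any URL it prints needs an https:// or relative replacement.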

Transport selection
Your pages won't be encrypted if your web site visitor surfed to company.com, since the default transport for browsers is http, not https. To solve this, you have multiple options:

 * Easiest is to not advertise the secure version of company.com directly. Instead, people should visit www.company.com, then use links to visit specific pages on the secure site as needed. Your links should send people to "https://company.com/whatever"; don't use a link of "http://company.com/whatever".
 * You can write software to re-direct people from http://company.com/whatever to https://company.com/whatever (see below).
 * Or both.

Automatic Redirection from HTTP to HTTPS
Add a .htaccess file to the root of your web directory with the following lines:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The RewriteCond only fires for plain-HTTP requests, so visitors who already use https:// are left alone. The R=301 flag makes the redirect permanent (browsers and search engines remember it) and L stops further rule processing for that request.

For more information on .htaccess files see .htaccess.

Security is deeper than the HTTPS protocol
Remember that the HTTPS protocol is only a very small part of creating a secure web site. Your web site implementation, especially database web sites, must be securely written and tested.

Introduction
Any of the following vendors can be used. The differing amounts of warranty make little or no difference to web surfers; they're just looking for the little lock symbol to light up in their browsers.

Extended Validation certificates
The marketing pitch: Extended Validation SSL Certificates deliver a new level of trust to your website visitors. Starting with Microsoft® Internet Explorer 7, the address bar will turn green confirming your site identity as verified by a Certification Authority (CA) according to the most rigorous industry guidelines established by the CA/Browser Forum.

The reality: They're more expensive and take longer to get. It is not yet clear how much of a difference, if any, they'll make to your web surfers. But they do look impressive when using IE 7.

Certification Authorities
 * Comodo -- Relatively inexpensive; their Instant SSL and higher certs work fine.
 * Geotrust -- Expensive. (Previously a DreamHost partner.)
 * GoDaddy^ -- Very cheap, and their least expensive option is confirmed to work with DreamHost.
 * Startcom^ -- Free certificates; however, these certificates currently cause your site to display warning messages to visitors using Microsoft Internet Explorer.
 * Thawte -- Expensive.
 * Verisign -- Very expensive. Famous name.

^ Note that with Startcom and GoDaddy, the SSL.key file you'll receive will be password-protected. To make it work with DreamHost, you'll need to decrypt it. The following command, either in your DreamHost shell or on any local Unix box you have access to, will do it.
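The command the note refers to does not appear on this page. As an added example (not the page's or DreamHost's own), here is the standard OpenSSL way to strip the passphrase from a PEM private key and confirm the decrypted copy still matches; the file names, the passphrase and the throw-away key used for the self-check are assumptions constructed here.

```shell
# Added example: remove the passphrase from a PEM private key so the host can
# load it without prompting. Requires the openssl command-line tool.
# File names and passphrase below are assumptions, not values from the page.
set -eu

# Strip the passphrase. -passin feeds the password non-interactively; drop it
# to be prompted on the terminal instead.
decrypt_key() {
  in_file=$1; out_file=$2; passphrase=$3
  openssl rsa -in "$in_file" -passin "pass:$passphrase" -out "$out_file" 2>/dev/null
  chmod 600 "$out_file"   # a decrypted key must not be readable by other users
}

# Modulus of a key; compare it against the original key (or the certificate's
# modulus) to be sure nothing was lost in the conversion.
key_modulus() {
  openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# Self-check on a throw-away key generated here (constructed, not a real key):
# build a password-protected copy like the one a CA hands you, decrypt it,
# and verify the result is unencrypted PEM with the same modulus.
demo() {
  tmp=$(mktemp -d)
  openssl genrsa -out "$tmp/plain.key" 2048 2>/dev/null
  openssl rsa -in "$tmp/plain.key" -aes256 -passout pass:secret -out "$tmp/ssl.key" 2>/dev/null
  decrypt_key "$tmp/ssl.key" "$tmp/ssl.key.decrypted" secret
  if [ "$(key_modulus "$tmp/ssl.key.decrypted")" = "$(key_modulus "$tmp/plain.key")" ] \
     && grep -q 'BEGIN .*PRIVATE KEY' "$tmp/ssl.key.decrypted" \
     && ! grep -q 'ENCRYPTED' "$tmp/ssl.key.decrypted"; then
    rm -rf "$tmp"; echo ok
  else
    rm -rf "$tmp"; echo FAIL; return 1
  fi
}
```

For a real key, run decrypt_key on the file the CA sent you and paste the output file into the panel; delete the decrypted copy from any shared machine afterwards.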

Paste the decrypted key into the DreamHost panel, and you have a free, working SSL key!

External Link

 * Transport Layer Security - Wikipedia Reference