HTTPS and TLS
Why would I want HTTPS and TLS?
TLS (previously called SSL) can be enabled on your hosting in order to encrypt the communications between users visiting your websites, and our servers. This will make your website available on a secure https:// URL, which means that any unauthorised parties (eg companies operating public WiFi) cannot intercept traffic and steal credentials, and page content cannot be read or modified. This is especially important for systems such as Wordpress, where you enter credentials to edit the site, but we would encourage you to enable it for all hosting unless you have a specific reason not to.
TLS relies on using a certificate that is signed by a Certificate Authority, in order to ensure that the website being communicated with has been verified to be the site you are attempting to access, so it also prevents impersonation of websites. Let's Encrypt is a free service which is able to verify the ownership of a domain, and sign a certificate for it - this is done by issuing a issuing a challenge, and then connecting to your website to retrieve this challenge. Therefore, this can only be enabled once a domain is live on our hosting service (but no content actually needs to be set up on the site).
Enabling HTTPS on your hosting serviceWe have Let's Encrypt support built into our hosting service, so it is very simple to enable it:
- Log into our control panel.
- Select "Hosting and Shell Accounts" on the left.
- After selecting your shell account, select "Web settings" next to the domain you would like to enable TLS for.
- Select one of the options (more detail about these is available below) under Security, and click save.
HTTPS modes on our control panel
In our control panel, you can select one of 4 modes for HTTPS:
- Disable TLS - this completely disables all requests over HTTPS, and should only be used if HTTPS cannot be used at all for your site.
- Enable TLS - this enables TLS, but still allows for plain HTTP connections. This means that depending on if users enter http:// or https:// into their browser, TLS may or may not be used. We would normally recommend against this, since many requests will still be unencrypted and susceptible to interception or impersonation.
- Enable TLS and redirect to https: - this means that if a user enters an insecure http:// URL, they will be redirected to the secure version of your site. Therefore, all requests to your site should be secure. We would normally recommend this option.
- Enable TLS, redirect to https: and enable HSTS - this works similarly to the previous option, but enforces the redirect in future; you can read more about this below.
The forth option is to enable HSTS (HTTP Strict Transport Security). This means that when a client visits your website, a header will be added to the response requesting that the browser only makes secure connections for a certain amount of time (14 days, in our case). This means that if someone is able to pretend to be our server (eg on a public WiFi connection), the connection will still be forced to go over HTTPS, and they will be unable to provide a valid certificate, so the connection will fail.
However, you should not set up HSTS unless you a certain that you can continue to provide your website over HTTPS. Therefore, you should only enable this if you are certain that your site will function correctly with HTTPS. You may want to initially test with plain HTTPS, and then switch to redirect mode, and then enable HSTS if HTTPS with a redirect has been working fine for some time.
If you are especially concerned about your site being impersonated, you can also apply for HSTS preloading. This means that your domain is included in a list shipped with various browsers, and HSTS will be enabled by default. Again, as with above, please be aware that this is very difficult to disable, so do not do so unless you are certain you can provide both your domain and all subdomains over HTTPS forever.