Sorry, that was probably as clear as mud.
Where do I buy a certificate, and where do I stick it?
Your web host will probably sell you an SSL certificate. Who are you hosting with? The price can vary, some are even offering them for free, and thanks to LetsEncrypt, you can generate a self-signed certificate yourself, for free, but you need access to the server yourself.
The easiest option for you is probably to check with your hosting provider; they likely have SSL certificates you can install and will likely direct all the traffic for you.
Easy via an htaccess file tripped me up too.
A .htaccess file (notice the full stop preceding it) is a Linux configuration file that sits in the root folder of your website. It's just a text file really, but it lets you tell the server to do certain things even if you don't have actual access to the server files. Check out the htaccess guide for an overview.
You can add some commands in there that will tell the server to change all connections to your domain to be secure, like this guide.
You would just create a new text file, paste that snippet from the guide in and save it as a '.htaccess' file. Then you upload it to your root folder and it will redirect all traffic to a secure connection (if you have a certificate installed, otherwise you'll get a security error).
Is there some kind of organisation that monitors these certificates and provides the safety aspect?
There are certificates you can get from Certificate Authorities (CAs), and there are self-signed certificates like what you get with LetsEncrypt. A cert from a CA is basically them vouching that your domain is protected and safe; they are a trusted source.
A self-signed cert is basically your site saying "don't worry, we're safe." It is 'safe' (data is encrypted), but you're telling the user yourself, rather than having an actual authority confirm it.
There have been accounts of malicious sites using self-signed certificates in phishing scams. So a certificate does not necessarily mean a site is 'safe', just that data is encrypted and protected from third parties. It doesn't protect you from malicious first parties.
Certificates have an expiry date of about 90 days. Standard procedure is to set them to renew automatically every 30 or 60 days. When you get an error about a certificate being installed, it basically means the site had a certificate installed but it wasn't renewed, and as such the site likely isn't secure any more.
Or do I continue to upload everything with http as a prefix and then the 's' magically comes from somewhere else?
If these are links to somewhere on your site then you could continue to use HTTP and the redirect will take care of it. In fact it's better to stay with HTTP, because if you hard-code HTTPS into links and you don't have a certificate (or it expires), the browser will refuse to access the files or give you an error.
I prefer to use links without http or the domain at the start. So rather than doing something like this…
HTML:
<img src="http://mydomain.com/images/image.jpg" />
I would do this…
HTML:
<img src="/images/image.jpg" />
The server will find the images by looking in the /images folder; there's usually no need to specify the protocol and domain at all, an Apache server will still find the location and file.
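For the .htaccess redirect mentioned above, here is an added example of the kind of snippet the guide would give you (this is not from the original post or the linked guide). It assumes Apache with mod_rewrite enabled and a certificate already installed on the host.

```apache
# Added example: force every request to this site over to HTTPS.
# Save as .htaccess in the root folder of the site. Assumes mod_rewrite
# is enabled and a valid certificate is already installed; without one the
# browser will show a security error after the redirect.
RewriteEngine On

# Only act on requests that did NOT arrive over HTTPS...
RewriteCond %{HTTPS} off
# ...and send a permanent (301) redirect to the same host and path, but
# with the https scheme. [L] stops rule processing for this request.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Caveat for shared hosts that terminate TLS on a proxy in front of Apache:
# there %{HTTPS} stays "off" even for secure requests and the rule above
# would redirect forever. In that case replace the condition with the
# header the proxy sets, for example:
# RewriteCond %{HTTP:X-Forwarded-Proto} !https
```

After uploading, request http://yourdomain/ and confirm the response is a 301 to the https:// address (browser developer tools or your host's logs will show it) rather than a redirect loop.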