Did you know that Uberflip automatically protects traffic to your Hub with HTTPS? Here's why that matters, and how it works.
This article is about a feature that may not yet be available on your Uberflip account, as it is being rolled out in phases:
- First Phase: Initially, this feature will be available to new customers who opened an account after mid-May 2019.
- Second Phase: After the initial phase ends, the feature will be progressively rolled out to all existing customers.
Note also that this feature replaces an existing feature. If you do not yet have access to this feature, you can find documentation on the existing functionality here.
What is HTTPS?
While browsing, have you ever noticed the lock icon in your browser's address bar?
If not, just take a look right now: it should be next to this page's URL in your address bar. The lock icon signifies that the website you are on is using HTTPS, the secure version of HTTP. An increasing number of websites are now using HTTPS by default — including your Uberflip Hub, which is automatically protected with HTTPS.
HTTPS exists because, from a security perspective, standard HTTP has a fundamental flaw: HTTP communications are sent in plaintext. This means that anyone from government intelligence agencies to people who are simply on the same Wi-Fi network can intercept HTTP communications and see all the data passing back and forth between a browser and a website — including sensitive information like login credentials and banking details. They can even manipulate those communications, and redirect them to a fake server.
HTTPS was originally developed to address these security issues. It improves on HTTP by encrypting data sent between between the browser and the website, so that only these two parties can decrypt and read each others' communications, and any eavesdroppers are locked out.
A Quick Note About Terminology
You may have seen the term SSL (Secure Sockets Layer) used in the context of HTTPS. SSL is part of HTTPS: whereas HTTPS is the overall name for encrypted HTTP, SSL refers more specifically to the encryption protocol that HTTPS uses. In practice, however, the two terms are often used interchangeably.
It's also worth noting that SSL is actually no longer in use, as it has been replaced by a more-secure protocol called TLS (Transport Layer Security). Even so, the term "SSL" is still widely used to mean TLS, or to refer to HTTPS as a whole. As a rule of thumb, anytime you see "SSL", this is usually intended to mean "HTTPS over TLS".
How does HTTPS work?
HTTPS is really just HTTP with a layer of encryption: the browser and the website still talk to one another using HTTP, but all of their messages back and forth are encrypted using SSL (technically TLS — see the note on terminology above). Before the encrypted connection can be established, the browser first needs to determine that the website actually is who they say they are, and not someone else pretending to be the target website.
To prove its identity, the website provides its SSL certificate, which is like its ID document. Since anyone could just create a fake SSL certificate claiming to be whoever they want, certificates are issued by third-party Certificate Authorities (CAs). Every browser has a list of CAs that it trusts, so if a website's certificate was issued by one of these trusted CAs, and the CA verifies the certificate's authenticity, then the browser knows that the website can be trusted.
Once a certificate been verified and accepted, the client and server agree on what kind of encryption they will use, then exchange the keys that they will need to unlock each others' messages. From this point on, all of their communications are encrypted, so they can't be read by anyone else.
Why is HTTPS important?
In the past, websites used HTTPS in a very limited way: it was generally reserved for situations involving sensitive data, such as website logins, banking, ecommerce payments, etc. For everything else, HTTP was considered good enough. More recently, however, there has been a push to use HTTPS for all web traffic, and the majority of the world's top websites now use HTTPS by default.
There are a few reasons for this shift away from HTTP. One of them is that all web user activity is now considered to be sensitive data, and concerns over privacy have led to a greater emphasis on securing web communications. Another major reason is that HTTP can be easily exploited: since HTTP offers no way to verify that you are actually connecting to the correct website, attackers can impersonate websites and steal sensitive data. Lastly, web functionality that needs user permission to work is now becoming more prevalent, and requires an encrypted connection. Using HTTPS is the answer to all of these things.
Over the past several years most major tech companies have championed wider adoption of HTTPS, and have taken action to encourage its use in various ways. Google in particular has strongly advocated for "HTTPS everywhere". For example, if you're a Chrome user, you may have seen this notice on some websites:
Google started marking HTTP websites as "Not Secure" in Chrome in July 2018 to highlight sites that had not yet moved over to HTTPS, and other browsers (like Safari) have followed suit. This move follows Google's earlier decision, starting in 2014, to prioritize websites that use HTTPS in its search results. As a result, continuing to use HTTP can now have detrimental effects on search engine rankings, so using HTTPS has become good for SEO.
As you can see, using HTTPS with all of your web properties is essential on today's web. That, of course, includes your Hubs, and that's why we automatically secure all new Hubs with HTTPS.
How does Uberflip set up HTTPS for my Hub?
If you have set up HTTPS for another website in the past, you already know that it can be a hassle: you need to buy an SSL certificate from a Certificate Authority (CA); you have to install the certificate on your web server (or wait for your IT team to do it); and you have to buy a new certificate every time it expires.
The good news is, you don't need to worry about any of these things with HTTPS for your Hub. Uberflip automatically obtains and sets up the SSL certificate for your Hub's domain, and automatically renews it when it expires. This means that you get all the benefits of HTTPS on your Hub, without the hassle of setting it up and maintaining it.
To set up HTTPS for Hubs, we use certificates from Let's Encrypt. Let's Encrypt is a new kind of CA run by the Internet Security Research Group, a public-benefit corporation backed by a number of major organizations, including Mozilla, Cisco, Shopify, the Ford Foundation, and the EFF. Their mission is to encourage the wider use of HTTPS by making the entire setup and maintenance process much easier. To that end, Let's Encrypt certificates are:
- Free: Unlike traditional CAs, Let's Encrypt provides and validates certificates at no cost
- Automated: The entire enrollment process for certificates is automated, as is renewal of the certificate upon expiration
- Open: Let's Encrypt uses open standards, and their code is open source
- Simple: With Let's Encrypt certificates, you don't need to worry about payment, installation, or keeping track of expiring certificates
Although they're free, Let's Encrypt certificates are just as secure as certificates from traditional CAs. And because they're automated, Uberflip can easily take care of provisioning, setting up and renewing your Let's Encrypt certificates for your Hub domains — you don't need do anything.
What do I need to do to use HTTPS on my Hub?
Whenever you add a new domain to your Hub (under Hub Options > Change Domain > Add a Domain), it will be automatically set up to use HTTPS with a Let's Encrypt certificate. We'll take care of everything for you, including renewing the certificate.
Can I enable HTTPS on my existing Hub that uses HTTP?
If you have an existing Hub that uses HTTP, and you want to switch to HTTPS, you'll be able to do so with the click of a button. This will configure a pre-provisioned Let's Encrypt certificate on your Hub, and HTTPS will be enabled automatically within a few hours.
This feature is coming soon, and will be available in the second phase of the phased rollout of this feature.
What if my Hub already uses HTTPS with a legacy certificate?
If you set up HTTPS for your Hub in the past and chose to let Uberflip handle the certificate setup, you'll be automatically moved onto a Let's Encrypt certificate. This process will be seamless, and you don't need to do anything to make it happen.
If you instead opted to use a self-managed certificate (i.e. if you sent us a PEM file), you will continue to follow the same process as before: whenever your current certificate expires, you will need to send us a new PEM file. However, we have also provisioned a Let's Encrypt certificate for you as a fallback. If your self-managed certificate expires and you do not send us a new PEM file in time, we will automatically transition your Hub onto the Let's Encrypt certificate so that it remains secure.
In addition, if you are currently on a self-managed certificate and want to switch to a Let's Encrypt certificate, you can do so at any time. There are a lot of good reasons to switch: you will no longer need to keep track of your certificate expirations, pay for renewals, or prepare and send us a PEM files. If you're interesting in moving from self-managed to automated HTTPS, please contact our Support Team, or get in touch with your CSM.