Firesheep, an add-on for Firefox released in October 2010, watches connections on your LAN for anybody connecting to a website over plain HTTP, and lets the user of the add-on steal passwords. Since the vast majority of websites still use HTTP, Firesheep was extremely effective. It woke the tech world up to the insecure and outdated nature of HTTP by showing how easily it can be compromised.
The alternative, much more secure version of HTTP is the HTTPS protocol (the "s" stands for "secure"). HTTPS encrypts connections with SSL using 256-bit or higher encryption, which makes it much harder for an attacker on the network to read your password and traffic. This has pushed many websites to encrypt their connections, but the transition is happening slowly. Only recently have large websites started to add HTTPS encryption, including Facebook, Twitter, and Google (in beta).
Unfortunately, most of the rest of the web is still using HTTP. Every website should secure their connections and protect their users by switching to HTTPS.
In order to set up HTTPS, the first thing you need to do is obtain an SSL certificate: a digitally signed credential that assures users they are really connecting to you. Many organizations called "Certificate Authorities" (CAs) verify your identity and issue SSL certificates, including Thawte (thawte.com), Comodo (instantssl.com), and GeoTrust (geotrust.com). You will need to request a certificate and provide information about your organization and location.
In order to implement the SSL encryption, edit your .xml configuration file by adding secure="true" as an attribute, and add the keystore information from your CA to the body of the configuration. Finally, update the server's xml file with the correct name of the configuration file to install the new version of the website. Now your users should see https in their browser, and everyone can sleep a little easier.
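The article describes the edit in general terms, so here is an added example of what the finished configuration can look like. It is not the article's own configuration: it assumes an Apache Tomcat server (the article never names the server), a listener on port 8443, a keystore file at conf/keystore.jks holding the server's private key together with the CA-issued certificate chain, and a placeholder password that must be replaced. It also adds two things a defender would want that the article does not mention: a redirectPort on the plain-HTTP connector and a web.xml transport guarantee, so that a session cannot fall back to cleartext and be exposed to a tool like Firesheep.

```xml
<!-- Added example, not from the original article. Tomcat server.xml fragment. -->

<!-- Plain HTTP connector: kept only to bounce browsers to the HTTPS port. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS connector. secure="true" and scheme="https" tell the application
     that the request arrived encrypted; SSLEnabled="true" turns TLS on.
     keystoreFile/keystorePass point at the keystore that holds the server's
     private key and the certificate issued by the CA (paths and password are
     assumptions; replace the placeholder password before deploying). -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150"
           keystoreFile="conf/keystore.jks"
           keystorePass="REPLACE-WITH-KEYSTORE-PASSWORD"
           clientAuth="false"
           sslProtocol="TLS" />

<!-- Companion fragment for the application's WEB-INF/web.xml. The
     CONFIDENTIAL transport guarantee makes the container refuse to serve any
     URL of the site over plain HTTP and redirect to the HTTPS connector
     instead, so session cookies are never sent in the clear. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire site</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After restarting the server, confirm that a request to the plain-HTTP port answers with a redirect to the https:// address and that the browser shows the certificate issued by your CA with no warnings; a certificate that does not match the site's hostname, or a connector that still accepts cleartext logins, leaves users just as exposed as before.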