Dedicated Hosting

HTTP vs. HTTPS : What is the difference?

By Wolfram Donat, October 14, 2015, under Dedicated Hosting

Target audience

This article is geared toward a general reader with a basic understanding of how the Internet works.

Introduction

When you surf the Internet, most web pages are delivered to your computer using a communications protocol called HTTP, which serves the vast majority of web pages on the World Wide Web. However, it can be a vulnerable communications scheme, which is where HTTPS comes into play.

HTTP

When a user types a web address into the browser’s address bar and presses ‘Enter’, a lot happens behind the scenes before the web page is displayed in the browser window. The client computer first queries a DNS (Domain Name System) server for the actual numerical IP address of the web server associated with the web address. Once it knows the IP address, the client computer makes a request for the requested resource from the web server. The server then responds and the web page is delivered to the user’s computer. All of this usually happens within milliseconds and uses a protocol called HTTP.

HTTP (HyperText Transfer Protocol) is the mechanism by which the vast majority of web pages are delivered over the World Wide Web. It is a client/server request protocol, in which the client (usually the user’s computer) requests a data package (usually a web page) from the server. For example, when a cloud server receives a request, it responds with a status line, normally “HTTP/1.1 200 OK”, and then follows with the requested data. So a request/response exchange between a client and a server might look something like this:

CLIENT:
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0

SERVER:
HTTP/1.1 200 OK
Date: Wed, 16 Sep 2015 23:59:59 GMT
Server: Apache/1.3.3.3 (Unix)
Content-Type: text/html
Content-Length: 1922

<html>
<head>
<title>Welcome to my site!</title>
</head>
<body>
This is a very simple web page, written in HTML.
</body>
</html>

The protocol has been in use since 1991, and is a recognized, valid, useful communications protocol. However, it was never designed with security in mind. The exchange is unencrypted, meaning that if it is intercepted, anyone can read the contents of both the request and the response. It is particularly vulnerable to the ‘man-in-the-middle’ attack, in which an unauthorized computer acts as an intermediary between the user’s computer and the Internet, reading and logging all messages sent and received.

Securing the Web with HTTPS

There is another protocol, however, that works similarly to HTTP but is significantly more secure: HTTPS, which stands for HyperText Transfer Protocol Secure. HTTPS uses TLS (Transport Layer Security) to encrypt the communications between the client computer and the server, rendering the data useless and unreadable if it is intercepted. You may also hear TLS called SSL (Secure Sockets Layer). SSL was the predecessor to TLS, and many still use that term when talking about the technology that helps to secure HTTPS.

TLS works via digital certificates. Upon request, a Certificate Authority (CA) issues a certificate to a server, which serves to authenticate that server to any connected clients. In an HTTPS transaction, a client contacts a TLS-enabled server and requests an encrypted session. The server then responds with a copy of its digital certificate. That certificate includes the trusted CA that issued it and the server’s public key for encryption.

The client receives the server’s certificate information and can verify from the issuing authority that the certificate is valid. Once the client has satisfied itself that the server is authentic, it generates a random number. It then uses that random number to generate a session key. The client then encrypts the random number using the server’s public key, and sends it to the server. Because it’s encrypted using the server’s public key, the server is the only one able to decrypt the message with its private key. Once the server decrypts the client’s message, it has the same random number and can generate the same session key the client generated. From that point on, all communication between the server and the client is encrypted and decrypted using that session key. The information that is transmitted is just like the HTTP traffic, only now it is encrypted before sending, so if it should happen to be intercepted, the intercepting entity would be unable to decipher the information. Compare the HTTPS traffic below with the earlier example of HTTP traffic:

...........s.....*...."..*.....r.].di.s0.$. .<...v.b..'.....O..Z|.~$..!N...X...+./.
.......3.9./.5.
.............www.atlantic.net......
.................#..zS...$z.W..0.......c...#.;qu..*...3...... -.E;[email protected]/P.rU..0.....5P......#X...n.b.......C.&...tRgW.a.....{v.......)...-1..J9S.V..G.In......|..u..O0.....mU...|..q..Ja.O.n..G..E.W}8E.Q...0..k3t.........h2.spdy/3.1.http/1.1..........
...........................c...................................................................................................
....Q...M..V.Q$._...9.&ye.L.i..T'.l.y..3`]| .<...v.b..'.....O..Z|.~$..!N...X./..................([email protected]#8....u
..........(...........[[email protected]
.............g.m4..a..V&!B..d....bv.......3......&...c......
.....G...z..x.....SzV...H.P...L`...T.....s.{...ip....PY..)Z.[.<N.f}WOv$.>........../.....^.....hc ..e.\..`.L.!.c.m.=`...[....An...c2.N..?......$.|....M.?WA.x......NCIk.....j+VUZ..p...\ZM....=.<....Ra..S..% .o...{....\ nc..~c=.......'.]...D.t..p0.-b.8*g$Yo....!c...y.#......d..H9.o.+..'..xn\.... q.....H}-....Q>..D!...~.yV..v..
\Vi.P.....K.FV-........W.>]y....M...A\....>....i/o.+..b.P.."..H..xP..:......'...VX.......j.........0D...J..Zw....b.;b.
.....*.(..h.V.F.K..8..L.M.s...rwdc.{F%o.j....=.C...w.<.|..).3.. =32..g..>...h8(..;\}.h<....yP\6r.y..3.......592.W...r..pT.*.-D....e.]..).....
.....<.i..o`[email protected]_d"....m..!L .G.{........U.....[..r..S....a)?.SY...%....>...jl.....
.W.4.....X.Nd.....Z...%...a.;...om..mH..B.._...*......H..}(fi...,0..8..,}.[Z8.N..H...F....yj.N..b.^...].S.'......u..Z.j....spS.p.C.vhk...O..!..Y".|.w)El....t........R..h.....L.0i.M.)...E..V.C.....U........u..i.w......H..;.F.......u..
2Op.%........Z.>2.N2),.o..M..
...f.Z........7r9
.....
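
The key exchange described above can be modelled in a few lines of Python. This is an added teaching example, not code from the original article and not real TLS: it assumes textbook RSA on two fixed Mersenne primes and an HMAC-SHA256 keystream in place of the negotiated cipher, and all function names are illustrative.

```python
# Added teaching model of the key exchange described above; NOT real TLS.
# Assumptions: textbook RSA on two fixed Mersenne primes (no padding) and an
# HMAC-SHA256 keystream standing in for the negotiated cipher.
import hashlib
import hmac
import secrets

# --- Server: long-term key pair (the public half travels in the certificate)
P, Q = 2**521 - 1, 2**607 - 1          # known primes, fixed for repeatability
N, E = P * Q, 65537                    # public key
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, never leaves the server


def derive_session_key(random_secret: bytes) -> bytes:
    """Both sides turn the shared random number into the session key."""
    return hmac.new(random_secret, b"session key", hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with an HMAC-SHA256 keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256)
        stream += block.digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_hello_to_request(request: bytes):
    """Client side: pick the random number, wrap it for the server, encrypt."""
    random_secret = secrets.token_bytes(32)
    # Only the holder of D can undo this public-key operation.
    wrapped = pow(int.from_bytes(random_secret, "big"), E, N)
    ciphertext = xor_keystream(derive_session_key(random_secret), request)
    return wrapped, ciphertext          # everything an eavesdropper can see


def server_receive(wrapped: int, ciphertext: bytes) -> bytes:
    """Server side: unwrap with the private key, derive the same session key."""
    random_secret = pow(wrapped, D, N).to_bytes(32, "big")
    return xor_keystream(derive_session_key(random_secret), ciphertext)


# Constructed sample request; the form field is a placeholder value.
REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
           b"password=constructed-sample")

if __name__ == "__main__":
    wrapped, wire = client_hello_to_request(REQUEST)
    print("on the wire :", wire[:32].hex(), "...")
    print("server reads:", server_receive(wrapped, wire)[:20])
```

The exchange modelled here is RSA key transport, which has no forward secrecy: anyone who later obtains the server's private key can unwrap recorded sessions. TLS 1.3 dropped it in favour of ephemeral Diffie-Hellman.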

Obtaining a TLS Certificate from a Certificate Authority

Certificate Authorities offer a wide variety of TLS certificates. Prices vary depending on the extent of authentication desired. A very basic certificate (perhaps used to validate users within an organization, for example) is free. The three most common levels of validation are DV, or Domain Validation; OV, or Organization Validation; and EV, or Extended Validation. DV certificates are the most common, and are usually verified by emailing the controller of a domain name. OV certificates offer a bit more trust; the CA verifies not only control of the domain, but also the business that uses that domain. EV certificates are the most trusted, and require significant documentation from the organization to prove that it is legitimate. These certificates are often used by organizations that want to present a secure web experience, particularly if they have a financial relationship with their visitors.

While the encryption process is strong, making HTTPS messages particularly secure compared to unsecured HTTP transactions, there is one weak link in the chain: the Certificate Authorities operate on trust. If a CA were to be hijacked, for example, it could issue a trusted certificate for any domain, and that certificate would be accepted as valid and trusted by all browsers. An attacker with such a certificate could then set up a fraudulent copy of that domain that would appear to be trusted, with the intention of intercepting traffic to that domain. Such an event happened in 2011, when a Dutch CA was compromised by the government of Iran and used to intercept Iranian citizens’ browsing sessions. It is not a common occurrence, but it is one that security-conscious users should definitely be aware of.

Identifying an HTTPS Connection

The easiest way to verify your HTTPS connection is secure is to look at the address bar of your browser. Most browsers identify HTTPS connections with a padlock icon somewhere near the web address, while unencrypted HTTP connections have no such icon. Below is an example of a regular HTTP connection in Firefox, followed by example HTTPS connections in Firefox and Google Chrome.

HTTP connection in Firefox

HTTPS indicator in Firefox

HTTPS indicator in Chrome

You may also see a green lock icon that includes the organization or site name next to it. This more noticeable icon shows that the organization has acquired an EV certificate, as below.

HTTPS indicator (with EV TLS Certificate) in Firefox

Conclusion

HTTPS fulfills a need that HTTP leaves open — that of security. The exchanges and the protocol used are the same; only HTTPS adds an extra step of encryption that helps protect information passed across the Internet. While nothing is absolutely secure, it’s worth checking to make sure that a website is using HTTPS encryption before sending sensitive information such as passwords or credit card/bank account numbers across the wire.

Atlantic.Net

Since 1995, Atlantic.Net has been providing internet services to customers, including managed, cloud and dedicated hosting.   In 20+ years of service, our solutions have been focused on providing the very best in web solutions to our valued customers!


How to Install hMailServer MTA on Windows

By Atlantic.Net NOC, September 18, 2015, under Dedicated Hosting
Verified and Tested 09/18/15

Introduction

hMailServer is free software that allows you to handle e-mail delivery. MTA (mail transfer agent) is just another name for this process. Since Windows Server 2003, there have not been roles or features included with the Windows Server operating system to host an MTA, so if you’re looking to run a mail server on a Windows host you need to look at third-party applications, and hMailServer is one of the more popular choices. There are paid versions available, but licensing for them can be very expensive when you can use free software that can manage multiple domains.

Prerequisite

We will be using Windows 2008 R2 SP1 Datacenter 64-bit. These steps also work on Windows 2012 R2 Datacenter 64-bit. To download the installation files, first change the Internet Explorer security settings for the account you are logged in with. The guide for that depends on your OS:

https://www.atlantic.net/cloud-hosting/how-to-disable-internet-explorer-enhanced-security-configuration-server-2008/

or

https://www.atlantic.net/cloud-hosting/how-to-disable-internet-explorer-enhanced-security-configuration/

Install hMailServer MTA on Windows

Let’s get started. Visit the download page, https://www.hmailserver.com/download/ and get the Latest Version. Previous versions of the software are also available and can be downloaded here.

In this example, we’re using the Latest Version, 5.6.4 – Build 2283, and we are using the default installation options.

hMail download

Once you have chosen the version, click Run if you would like the file to download and run as soon as the download is finished. You can also click Save to install the program later.

hMail run/save

When the download has completed and the install begins, you are prompted with a Setup window. Click Next to proceed.

You are then prompted to accept the license agreement. Please be sure to read over the terms of the agreement, and if you accept, click the radio button that corresponds to your selection. Then click next.

hMail license

Next you are prompted for the location the program will install. The default is C:\Program Files (x86)\hMailServer. If you would like to change this, click on the browse button and choose the directory you want the program to be installed to. Once you have chosen a directory, click next.

hMail install folder

Now you can select your components. The default setting is Full installation, which provides the Server and the Administrative tools. You can change this by using the drop-down at the Full installation line, choosing Custom installation, and keeping only the components you want selected. When you have your desired components selected, click Next.

hMail install options

Going with a standalone model, we will be using the built-in database engine. If you have another host configured as a database server, you can select “Use external database engine”. Keep in mind you will need to provide the database information at a later time to start using the external database. Click next to continue.

hMail database option

Choose whether or not you want a Start menu folder. You can also change the name of the folder at this time. If you do not want a Start menu folder, click the check mark on the bottom left of the window. The folder name field will gray out if you do; this is expected. Click Next.

hMail start folder

Now you get to choose a secure password for the hMailServer program. Be sure to enter the same password in both fields. Click next when the password has been entered.

hMail password

Finally, review all of your settings, and go back to fix any errors. If there are no errors, click install.

hMail settings

When the install has completed, you can choose to run hMailServer Administrator now or start it later. If you do not want to run it now, remove the checkmark. Click Finish to end the installation.

hMail complete

If you choose to run it now and see the following, your installation is successful and complete.

hMailServer Administrator


How to Install and Secure phpMyAdmin in Ubuntu 14.04

By Jose Velazquez, February 7, 2015, under Dedicated Hosting
Verified and Tested 01/31/2015

Introduction

This document will help you install phpMyAdmin and describe some basic steps to take in order to secure it.

Prerequisites

You need an Ubuntu 14.04 server that is configured with a static IP address.

You will also need to have LAMP (Linux, Apache, MySQL and PHP) installed on the server.

Installing phpMyAdmin

Install phpMyAdmin

sudo apt-get install phpmyadmin

phpMyAdmin is now installed on your server. Now we begin the Apache configuration.

To set up phpMyAdmin under Apache, edit the apache2.conf file:

sudo nano /etc/apache2/apache2.conf

Add the following code to the bottom of the apache2.conf file.

Include /etc/phpmyadmin/apache.conf

apache2.conf

Save your changes by pressing Ctrl + X then Y to accept.

Restart Apache.

sudo service apache2 restart

To verify that your installation works, open the following link in your browser: http://YOURIP/phpmyadmin

(Log in with the username and password that were created during the installation.)

Securing phpMyAdmin

To set up security for phpMyAdmin, edit the apache.conf file:

sudo nano /etc/phpmyadmin/apache.conf

Locate the <Directory /usr/share/phpmyadmin> block and add the following rule under DirectoryIndex index.php:

AllowOverride All

apache.conf

Save your changes by pressing Ctrl + X then Y to accept.

Create the .htaccess file that will handle the authentication.

sudo nano /usr/share/phpmyadmin/.htaccess

Paste the following text in the file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user

Sample: .htaccess

Save your changes by pressing Ctrl + X then Y to accept.

Create the user name and password that will protect access by running the following command; you will be prompted to enter and re-enter the password. (Note: Replace username with the actual user that you want to create. I will be using admin.) The -c flag creates the password file, overwriting any existing one, so leave it out when adding more users later.

sudo htpasswd -c /etc/apache2/.phpmyadmin.htpasswd username

Restart Apache.

sudo service apache2 restart

Verify that everything works by opening the following link in your browser, http://YOURIP/phpmyadmin, and entering your security username and password.

Sample Login Prompt

Congratulations! You have just installed and secured phpMyAdmin on your server. Thank you for following along in this How-To and feel free to check back with us for any new updates.
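
The login prompt only appears if Apache actually honours the .htaccess file, so the two files edited above are worth checking together. The following offline audit is an added example, not part of the original how-to or of Apache: the function names and finding labels are hypothetical, the sample file contents are constructed from the steps above, and the SSLRequireSSL check is a heuristic because HTTPS may be enforced elsewhere in the server configuration.

```python
# Added example: offline audit of the two files edited in this how-to.
# audit() and its finding labels are hypothetical names, not an Apache tool.
import re

# Constructed samples mirroring the steps above.
APACHE_CONF = """\
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
</Directory>
"""
HTACCESS = """\
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user
"""


def directive(text, name):
    """Return the argument string of the first `name` directive, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", text, re.I | re.M)
    return m.group(1) if m else None


def audit(apache_conf, htaccess, served_dir="/usr/share/phpmyadmin"):
    """Return a list of finding labels; an empty list means no issue found."""
    findings = []
    block = re.search(
        rf'<Directory\s+"?{re.escape(served_dir)}/?"?\s*>(.*?)</Directory>',
        apache_conf, re.I | re.S)
    override = directive(block.group(1), "AllowOverride") if block else None
    # Without All/AuthConfig, Apache 2.4 ignores the auth lines in .htaccess.
    if not override or not re.search(r"\b(All|AuthConfig)\b", override, re.I):
        findings.append("htaccess-ignored")
    if (directive(htaccess, "AuthType") or "").lower() != "basic":
        findings.append("no-basic-auth")
    if not directive(htaccess, "Require"):
        findings.append("no-require")
    user_file = directive(htaccess, "AuthUserFile")
    if not user_file:
        findings.append("no-user-file")
    elif user_file.strip('"').startswith(served_dir.rstrip("/") + "/"):
        # A password file inside the served directory could be downloaded.
        findings.append("password-file-in-web-dir")
    # Basic auth only base64-encodes the password, so it needs HTTPS.
    if not re.search(r"^[ \t]*SSLRequireSSL\b", htaccess, re.I | re.M):
        findings.append("credentials-over-http")
    return findings


if __name__ == "__main__":
    print(audit(APACHE_CONF, HTACCESS))
```

Run against the configuration from this how-to, the audit reports only that the Basic authentication credentials would travel over plain HTTP.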




Discussion about Windows, Linux and cPanel VPS – Part II

By Kent Roberts, July 23, 2014, under Dedicated Hosting

In the first part of this two-part series, we discussed advantages and disadvantages of the two major operating systems used for hosting: Linux and Windows. The basic differentiation was that Linux is open source, more widely available, and usually much less expensive; but Microsoft is necessary for coding with .NET & ASP. After discussing the pros and cons of each OS, the first part took a closer look at Windows VPS hosting (specifically with Windows Server 2012 R2).



Using Google AdWords Banners to Market Legal Services

By Adnan Raja, April 23, 2014, under Dedicated Hosting

Google AdWords has been around for years, but it remains both incredibly popular and reasonably effective. According to WordStream, as of 2012, businesses averaged a 200% return on investment (ROI) with the system, earning $2 for every dollar they paid into AdWords. 1.2 million businesses used the Google service at that time. Attorneys and other legal services use AdWords to drive traffic to their sites just as companies do in other industries.


Maintaining and Testing the Speed of a Website is Critical

By Kent Roberts, April 11, 2014, under Dedicated Hosting

It’s sometimes difficult for customers of hosting services to determine which plans and companies will best meet their needs. This challenge has become more pronounced in the era of virtual private servers (VPS’s) and cloud computing. Although distributed virtualization has strongly positive attributes – speed, reliability, redundancy, cost-effectiveness, etc. – it also can be unclear exactly what you are getting.



Hosting Voice and Data is Beneficial for Small Businesses

By Adnan Raja, September 5, 2013, under Dedicated Hosting

Small and medium-sized businesses need to be adaptable in order to stay competitive and grow. The ability to change and adapt due to economic or market changes is a characteristic of a smart business, which allows for economic growth and new opportunities. A fast-growing trend is enabling organizations to move their server infrastructure and telecommunication services to a hosted environment. The rate at which SMB is adapting new voice and data technologies is growing at a phenomenal rate. The trend is to move data and voice into a data center environment, most recently into a cloud or virtual server, commonly referred to as cloud computing or VPS Hosting.
