Getting your domain protected means purchasing and installing an SSL Certificate.
To get started, you need to decide what type of SSL Certificate is right for your business.
EnCirca recommends Extended Validation Certificates. EV Certificates are superior because:
In order to fully meet your needs, we also offer the following different types of certificates:
Once you’ve chosen and paid for your certificate, you need to be validated by the SSL Company.
You need to prove that the domain is yours and that you are a legitimate business. There are 2 steps to this process.
First, Obtain a CSR for your Domain
A CSR, or Certificate Signing Request, is a block of encoded text that is generated on the server where the certificate will be used. It contains information that will be included in your certificate, such as your organization name, common name (domain name), locality, and country. You may need to request this from your hosting service. For more information, see an overview here: https://en.wikipedia.org/wiki/Certificate_signing_request
Then, Validate your SSL Certificate
After the verification process is completed, you should receive your SSL Certificate by email. This cert should be given to your hosting provider to install and check. You may also be given a logo to place on your site to verify its security.
HTTP Strict Transport Security forces browsers to make secure HTTPS connections with websites.
HTTP Strict Transport Security is a web security policy, sent via a response header, that forces browsers to make secure HTTPS connections when they visit a specified website. This prevents cookie hijacking and protocol downgrade attacks. It is accomplished by setting a Strict-Transport-Security parameter that forces all connections to be made securely and disregards any scripts that attempt to load assets over insecure HTTP. The header sets a period of time that the parameter applies for.
The HSTS preload list is a set of pre-loaded websites that employ HSTS. This effectively closes the window for a first-connection protocol downgrade or cookie hijacking. When a web browser arrives at a website on the HSTS preload list for the first time, it already knows to only make secure connections.
The only problem with the HSTS preload list is that it can take a while to get on. You’re at the mercy of the browsers as to when they update before you’ll be included on the list itself. With some browsers that’s nearly on a monthly basis – so the wait will only be a few weeks – but for others, it can be months. That’s why Google’s decision to register all of its TLDs on the list is so powerful. Now any website with those TLDs – that is secured with an SSL certificate – is already on the list by default.
Look for plenty of other domain registrars to follow suit in the coming months.
Yes. We definitely recommend employing HSTS. Even with an SSL certificate, there are still ways to exploit a site, especially one that uses 301 redirects to send traffic to the HTTPS versions of its original HTTP pages. Not having HSTS is like putting a nice big padlock on the front door of your website, but accidentally leaving a window unlocked. There’s still a way to get in, you just have to be a little more sophisticated to find it.
So yes, we recommend implementing HSTS, and we also recommend writing the header with the “includeSubDomains” and “preload” directives included.
Here is an example of a good HSTS header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
There are a few things worth noting about HSTS before you go ahead and add the appropriate header:
We support your domain needs from start to finish.
There are many internet browsers that support Handshake domains such as Opera and various Chrome plugins.
Please visit Access Handshake names for more options on how to view your Handshake domains.
NextDNS is one of the most popular methods for accessing Handshake domain names. Install NextDNS. You can click “try it now” on nextdns.io to connect your device and resolve Handshake domains. Scroll to the Setup Guide at NextDNS to select the option for your device, confirm with the green button at the top of the page, and then go to the “settings” tab to “resolve Handshake domains.”
Install the Resolvr add-on to view Handshake names directly in the search bar of your Firefox browser.
Try searching your site with the HNS.to gateway, which allows you to access Handshake names without downloading software or modifying your DNS settings. You may also conduct searches directly by prefixing Handshake domains with “hns.to/,” such as “hns.to/welcome.nb/.”