SSL provides a secure link between a client and a server, for example a browser communicating with the Falcon Deploy web application. Data transferred through an SSL/HTTPS connection is encrypted to provide a high level of security. SSL also protects data integrity, by way of hashing, making sure the communication between the client and the server is not tampered with. It also helps with mutually authenticating a client and server, thereby preventing a man-in-the-middle attack. We recommend securing your installation using SSL.
A certificate is required to enable SSL/HTTPS. There are two options. You can create a self-signed certificate, or you can get a certificate from a certificate authority (CA).
Certificate Authority (CA)
A certificate from a CA implies that your website is secure, as it is certified by a trusted source. CAs verify the ownership of the domain and even check the trustworthiness of the business before issuing an SSL security certificate. The browser's trust store can verify these certificates, so the browser can communicate securely with the server. When using a CA-signed certificate, you usually get a secure lock symbol. For certain certificates, the browser shows a green address bar indicating the site is secure or, in other words, that the communication between the browser and the server is secure.
A security certificate from a certificate authority is not free; you have to pay for it. To optimize costs, you can use a self-signed certificate as an alternative. With both kinds of certificate, data is sent over an HTTPS (SSL) connection and is encrypted regardless of whether the certificate is CA-signed or self-signed.
Some free options are available; they usually require additional setup to get working, and you still have to verify ownership of the domain. One popular CA is Let's Encrypt, a free, automated, and open certificate authority.
Self-Signed Certificate and Browser
Note that self-signed certificates are not recommended for production use. The problem with using a self-signed certificate is that nearly every web browser checks that an HTTPS connection is signed by a recognized CA. If the connection uses a self-signed certificate, it will be flagged as insecure and error messages will pop up telling you not to trust the site, even if it is secure.
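The check described above can be reproduced with the openssl command line. The script below is an added example, not part of the Falcon Deploy documentation or product; the hostname deploy.example.test and the file names are constructed placeholders. It goes slightly beyond the text by also showing that the same certificate verifies once it is explicitly supplied as a trust anchor.

```shell
# Added example. Assumes the openssl CLI (1.1.1 or later) is installed.

# Create a throwaway self-signed certificate and key in directory $1 for host $2.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Self-signed means the certificate names itself as its own issuer.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Verify certificate $1 against the system's default CA store, as a
# browser-like client would. If $2 is given, additionally trust the
# anchors in that file.
chain_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Report how a client would treat certificate $1 (optional anchor file $2).
classify() {
  if chain_verifies "$1" "${2:-}"; then
    echo "trusted"
  elif is_self_signed "$1"; then
    echo "untrusted: self-signed, no recognized CA"
  else
    echo "untrusted: issuer not in trust store"
  fi
}

dir=$(mktemp -d)
make_self_signed "$dir" deploy.example.test   # constructed hostname
classify "$dir/cert.pem"                      # default trust store only
classify "$dir/cert.pem" "$dir/cert.pem"      # certificate supplied as an anchor
rm -rf "$dir"
```

The first call reports the certificate as untrusted, which is the condition a browser turns into its warning page; the key and encryption are the same in both calls, only the trust decision differs.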