This is part of a series on diagnosing your website outage issues. This is part five; links to the other parts are here.
In Part 1 of this series we covered the overview of what could have broken to cause your website to go down. In Part 2, we started working through those possible issues by diagnosing DNS issues. In Part 3 we diagnosed routing issues. In Part 4 we looked at how to diagnose problems with any architectural layers such as firewalls. Now that we know all that is good, we need to look at what is going on with the web host itself. If your site runs over HTTPS, there are a myriad of issues that broken certificates or broken code can cause and that is the subject of this article.
This is not an article on what SSL is or how it works, but some basic terms and knowledge are necessary to understand the content of this article so I will lay them out.
Although secure web sessions are referred to as ‘SSL’ and certificates that provide this security are called ‘SSL Certificates’ the more correct term is TLS. The Transport Layer Security (TLS) standard replaced the Secure Sockets Layer (SSL) standard. But to avoid confusion I will use SSL since it is in more common use even though this guy will kill me.
SSL certificates are the mechanism by which secure Hyper Text Transport Protocol (HTTP) sessions are created. Those secure HTTP sessions are referred to as HTTPS (note the ‘S’ denoting Secure). Therefore, the proper way to think of this is that traffic between your website and your visitor is encrypted when they connect to your web server using https:// links and that encryption is implemented by means of the SSL certificate installed on your host.
Lastly before we jump in, it’s important to understand what SSL certificates actually do. They have two jobs:
- Encrypt the traffic between your website visitor and your website so that it cannot be read if it is intercepted by bad guys. Intercepting traffic is easier than you probably think but if the requests are encrypted, bad guy only gets a bunch of encrypted blobs.
- Provide non-repudiation to your browser meaning that it assures your browser that it is connecting to the website it asked for. Imagine if you told your browser to connect to your bank, but it connected to some other bad site and you entered your username and password into that bad site. SSL non-repudiation prevents that. I wrote an article on the others things SSL certificates do for the Sucuri blog here if you’d like more information on that.
So, knowing the two main jobs SSL does, what can go wrong on your SSL-enabled site? Here are some of the most common: