Programming with Brighid – Explaining SSL, HTTP/HTTPS

As part of our efforts to fix the performance issues with our server, some abrupt changes were made to how we manage our incoming traffic to the server.  This in turn created an impromptu “programming with Brighid” moment, which will explain SSL, HTTP/HTTPS, and a little bit about how we route to websites.

The Midrealm manages something called DNS – domain name system. Think of this like the yellow pages for the internet. Every server has an IP address – a string of numbers – that identifies it to other computers. This is obviously not easy for humans to remember, so we have DNS to translate between those numbers and domain names. Using the phone book analogy, the IP address is the phone number and the domain name is the person’s name.

When you request a website via domain name, there’s a series of steps that happens that routes you to the right location. Moving on from the yellow pages analogy, you can now think of this like requesting directions to someone’s house. There’s a handful of external entities that assist in that routing for everyone, because we all need to cooperate to get the internet to work right, and these organizations do the communal parts of the routing for us. Google Domains, for example, lets you buy domain names and then handles one part of that routing process. But the entities doing the routing have to have all the right information to get you to the right spot. Part of setting up a website means making sure these entities all have the information they need.

Now let’s talk about SSL – secure sockets layer (the modern version is technically called TLS, but everyone still says SSL). This is getting really down into the weeds now of how the internet works, so I don’t have a great way to explain it because this is the point where I start to struggle. But I can explain why it’s important. It is what establishes an encrypted connection between your computer and the server. When you have SSL set up on the server, you can now use https – the encrypted version of http. This is important because it’s a lot safer but also because more and more of the big tech players are forcing people to https. If you’ve ever seen your browser warn you about a website being unsafe, it’s because that server only uses http and the people that make browsers like Chrome are part of that effort to force websites to use SSL.

I’ll talk a tiny bit about the process we use to get SSL enabled. It’s interesting, but again, I don’t understand the specifics super well, I just know how to do it. Basically you have to request a certificate from an entity that issues them. There’s an agency that provides them for free out there that we use. What happens is I go onto the server and initiate a “challenge” with the certificate agent. The agent gives our server a token, the server puts that token in a file on the server in a specific folder, and then the agent tries retrieving that token. Like the gate guards at Pennsic wanting to see your token around your neck. If that whole back-and-forth works, the agent is like yep, you can use SSL, here’s a certificate so you can prove it to web browsers. Those certificates expire every 90 days. Fortunately, the renewal process is super easy once you have the right tools in place, and can be automated. Why it’s done this way is currently beyond my abilities to explain.
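To make that token back-and-forth concrete, here is an added simulation of the challenge (this is illustration code written for this post, not the Midrealm server’s setup or the certificate agency’s software). The folder name `.well-known/acme-challenge` is the one the ACME HTTP-01 challenge really uses; the “account key” thumbprint, the web root and all file paths are constructed for the example.

```python
"""Simulation of the HTTP-01 style challenge described above.
Both the 'agent' (certificate authority) and the 'server' run locally; the
agent's HTTP fetch is simulated as a file read from the server's web root."""
import base64, hashlib, secrets, tempfile
from pathlib import Path

# The "specific folder" the agent looks in: http://<domain>/.well-known/acme-challenge/<token>
CHALLENGE_DIR = Path(".well-known/acme-challenge")

def b64url(data: bytes) -> str:
    """URL-safe base64 without padding, as ACME encodes tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def agent_issue_token() -> str:
    """Agent side: hand the server a fresh, unguessable token."""
    return b64url(secrets.token_bytes(32))

def key_authorization(token: str, account_thumbprint: str) -> str:
    """What the server must publish: the token plus a thumbprint of its account key,
    so only the account that asked for the certificate can answer the challenge."""
    return f"{token}.{account_thumbprint}"

def server_publish(webroot: Path, token: str, account_thumbprint: str) -> Path:
    """Server side: write the key authorization into the well-known folder."""
    target = webroot / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, account_thumbprint))
    return target

def agent_validate(webroot: Path, token: str, account_thumbprint: str) -> bool:
    """Agent side: try retrieving the token and compare with what it expects."""
    target = webroot / CHALLENGE_DIR / token
    if not target.is_file():
        return False  # nothing published: the gate guard sees no token, challenge fails
    expected = key_authorization(token, account_thumbprint)
    return secrets.compare_digest(target.read_text().strip(), expected)

def run_challenge(publish: bool = True, tamper: bool = False) -> bool:
    """Full back-and-forth in a temporary web root. 'tamper' simulates a server
    that can write the file but does not hold the real account key."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        real_thumb = b64url(hashlib.sha256(b"constructed account key").digest())
        token = agent_issue_token()
        if publish:
            used_thumb = "wrong-thumbprint" if tamper else real_thumb
            server_publish(webroot, token, used_thumb)
        return agent_validate(webroot, token, real_thumb)

if __name__ == "__main__":
    print("challenge passes:", run_challenge())
    print("nothing published:", run_challenge(publish=False))
    print("file written by someone without the key:", run_challenge(tamper=True))
```

In the real flow the agent fetches the token over plain http from the public domain, which is why the challenge proves control of that domain and not just possession of a file.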

All the sites that run on our MultiSite instance have SSL taken care of for them. I requested a certificate that covers everyone, installed it, and renew it so none of the groups have to do that.

As part of our changes to improve site stability, we did some work on our routing in an effort to improve site security and performance. Part of this change means that we have another layer in our routing process and they are not playing nicely with http. I could make it so http works, but honestly I’m not sure how (most of tech is learning on the fly), and https has been the standard for a long time now.  All of the supported Midrealm servers work on https and have been on https for years now.

We do have sites using the domain that we do not have access to and cannot fix. That is because it is a server that is not managed by the Midrealm, but we route to it as part of our routing setup so they can use our name. Basically, we’re sending you to the neighborhood across town that happens to have the same street name as the Midrealm neighborhood. Except now we only support https and the person giving you the directions can’t find anything that isn’t on https.

So if a site was down for a little bit, but now it isn’t, send a thank-you to the people who manage those servers!