It’s no secret that a secure sockets layer (SSL) encrypts data as it moves between a visitor’s browser and the site host. For many people, a single SSL appears to be sufficient for protecting data exchanged between visitors and their website.
But what happens to your SSL protection when you add a web application firewall like the Sucuri WAF? Protecting that additional data transit point is a topic we often discuss with customers, and it’s relevant for anyone to understand.
Some providers like Sucuri include free SSL to protect data exchanged between a browser and firewall. But due to the unique DNS configurations of each individual user, it isn’t possible to extend SSL protection between firewall and host for every firewall plan.
Admittedly, this can be an awkward conversation with customers who just purchased the Sucuri WAF. It’s why we created a video about how SSL works with a website firewall — which we’ll break down below.
SSL, firewalls, and… armored cars?
The best way to frame the relationship between SSL and firewalls is by focusing on the transit points that data covers on its way between a browser and website host. We’re looking to safely transmit data across every point.
In that sense, SSL is like an armored car. It safely locks away data all the way from origin to destination — ideally without any stops along the way.
The Sucuri WAF includes free SSL encryption between the browser and firewall, but not firewall and host. It’s also important to note the Sucuri SSL only covers one domain or subdomain at a time. Fortunately, both those issues can be resolved with very little expense or inconvenience.
If you have a wildcard SSL certificate (or can make this modest investment), uploading it to your web host is all you need to do for end-to-end encryption.
Let’s look at why that’s the safest and most cost-effective option. Imagine your data is valuable cargo being transported to a bank. To hide the packets from bad actors, that SSL is like an armored car. Here are three scenarios for how it can play out.
Scenario #1: Uploading your SSL certificate
You hire the biggest, toughest armored car out there. It can carry all the packets the whole way without stopping at the firewall. Getting that armored car is like uploading your own wildcard or multi-domain SSL certificate.
Packets are securely transported from origin to destination.
Data is encrypted between browser, firewall, and host — including any subdomains you have. This custom SSL certificate allows you to cover multiple subdomains, known as a SANS or wildcard certificate.
Scenario #2: Using your SSL, but not uploading it
You hire a fleet of smaller, but equally secure armored cars. They have to hand off packets between cars when they reach the gate (a.k.a. the firewall edge).
That’s like using the Sucuri SSL, but not uploading your custom SSL certificate.
Data is encrypted between browser and firewall by Sucuri, and then again between firewall at host by your own custom certificate.
This doesn’t affect security or performance. But remember, your free Sucuri SSL can only cover a primary domain on the firewall server — not subdomains like blog.yourwebaddress.
Scenario 3: Using the Sucuri SSL, but nothing else
You hire a smaller armored car, and it must stop and hand off the packets at the gate. There’s no other armored car on the other side of the gate. Some guy with a lunchbox has to carry the packets in broad daylight for the rest of the trip.
Let’s hope it works out.
That’s relying solely on the Sucuri SSL. Between browser and firewall, traffic on your primary domain is encrypted. This introduces risk, however small. Between firewall and host, it can get intercepted, although this is very uncommon.
And now, a PSA from Sucuri!
A Sucuri SSL actually can cover any subdomains you want! But… you would need to purchase a plan for each of your subdomains. At Sucuri, we love it when people buy our stuff. But please do compare the costs of a custom SSL certificate and our website firewall.
We have a guide on how to install a free SSL certificate, and your hosting company is often more than happy to help.
The more you know…
Seriously, just install your SSL
Uploading your SSL for encryption between browser and host is the smartest move to securely transfer information from point a and point b while using the Sucuri Firewall. It saves you money, too. If you get stuck, just email firstname.lastname@example.org or visit sucuri.net and start a chat with us.
We’ll help get it fixed.