Have you ever used free WiFi in the airport or at your local café? If so, then HTTPS plays an essential role for your data security. It’s important both for your websites and for the people that use your website for personal information. Let’s look into this essential element of web security…
What is HTTPS and Why Do You Need It?
HTTPS stands for ‘Hypertext Transfer Protocol Secure’ and is a safer version of the HTTP protocol; it uses strong public-key cryptography to encrypt the connection between a user and a web server. Normal HTTP website traffic is unencrypted: every server that your traffic flows through on the way to the website’s server can read that data. If a website you visit uses HTTPS, the data is encrypted, so in theory only you and the website you visit can see what you’re doing there. The encryption within HTTPS is intended to provide confidentiality, integrity and identity (assurance that you are talking to the real site). Your information remains confidential from prying eyes because only your browser and the server can decrypt the traffic, and integrity protects the data from being modified without your knowledge. When you connect to most websites, your web browser uses the standard HTTP protocol; on some other websites you may have seen the green lock icon in your web browser’s address bar. Knowing what it means is important, as it has serious implications when shopping online, banking and avoiding phishing.
HTTPS uses SSL (Secure Sockets Layer) to establish an encrypted link between the client and the server. After Google’s announcement that SSLv3 is open to exploitation and should not be used any longer, a new security layer called TLS (Transport Layer Security) was created. TLS is significantly more secure and fixes many of the vulnerabilities present in SSL.
HTTPS is especially important when you are logging into a website that handles payment details or sensitive login credentials. Without HTTPS, websites send your sensitive data to the receiving server in plain text; this makes it possible for a third party to intercept the data sent by the site and alter it before sending it on to the browser. A security certificate guarantees that the information a browser receives originates from the expected domain. It’s a guarantee that when a user sends sensitive data, it is going to the right place and not to a malicious third party.
The main reason for implementing HTTPS is to protect your customers’ data; after all, if they do not feel safe they will not want to do business through your website.
Securing your website also has some Search Engine Optimisation benefits. In an effort to protect its users from web attacks, Google announced that it will start prioritising secure HTTPS URLs over standard HTTP ones. In December 2015 Google reported:
Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
Are there any disadvantages?
One reason for resistance could be concern over slower performance. However, when Google switched Gmail to 100% HTTPS, using no new or specialised hardware, it found that encryption accounted for less than 1% of CPU load, less than 10KB of memory per connection and less than 2% of network overhead.
Browser Caching Will Not Work
This should not be of much concern for over 95% of potential users; the only browser that can’t handle caching for HTTPS connections is Internet Explorer 6. Microsoft announced that it will stop supporting older IE versions after January 12th 2016, so this should not be a problem for most organisations.
How do I secure my website?
Securing your website has recently become easier and cheaper; there are also free services such as Let’s Encrypt that automate most of the certificate registration process.
For developers, the main concern is the mixed-content warning that users will see if any scripts, assets or iframes on an HTTPS page are served over standard HTTP:
This can often be fixed by replacing asset links beginning with http://www.example.com with ones beginning //www.example.com (protocol-relative URLs), so that the assets are requested over whichever scheme the page itself uses, HTTP or HTTPS.
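To make the fix above repeatable across a site, here is an added example (not code from the original post) that scans an HTML document for sub-resources still referenced over plain HTTP and rewrites the ones on hosts you control. It goes slightly beyond the text: besides the protocol-relative form the post recommends, it can rewrite to an explicit https:// URL, which is the safer default once the whole site is served over HTTPS, and it leaves third-party hosts alone because those have to be fixed at the source. The sample HTML and the host name www.example.com are constructed for the example.

```python
import re
from typing import Iterable, List

# Tags whose src/href is fetched as a sub-resource. An http:// URL in one of
# these on an HTTPS page is what triggers the browser's mixed-content warning.
# Plain <a href> links are deliberately excluded: navigating is not blocked.
ASSET_TAG_RE = re.compile(
    r"<(?:script|img|iframe|link|audio|video|source|embed)\b[^>]*>",
    re.IGNORECASE,
)

# Matches src="http://host/..." or href='http://host/...' inside one tag.
HTTP_ATTR_RE = re.compile(
    r"""(?P<prefix>\b(?:src|href)\s*=\s*["'])"""
    r"""(?P<url>http://(?P<host>[^/"'\s:?#]+)[^"']*)""",
    re.IGNORECASE,
)

# Constructed sample page: a mix of own-host assets, an already-secure script,
# a third-party image and an ordinary link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="http://www.example.com/js/app.js"></script>
<script src="https://www.example.com/js/already-secure.js"></script>
</head><body>
<img src="http://cdn.third-party.example/logo.png">
<a href="http://www.example.com/about">About</a>
<iframe src='http://www.example.com/widget'></iframe>
</body></html>"""


def find_mixed_content(html: str) -> List[str]:
    """Return every http:// asset URL that would be flagged as mixed content."""
    found: List[str] = []
    for tag in ASSET_TAG_RE.finditer(html):
        for attr in HTTP_ATTR_RE.finditer(tag.group(0)):
            found.append(attr.group("url"))
    return found


def rewrite_asset_urls(html: str, own_hosts: Iterable[str],
                       mode: str = "https") -> str:
    """Rewrite http:// asset URLs on hosts we control.

    mode="https" produces https://host/path; mode="protocol-relative" produces
    //host/path as the post suggests. Other hosts are left untouched and will
    still show up in find_mixed_content() for manual follow-up.
    """
    if mode not in ("https", "protocol-relative"):
        raise ValueError("mode must be 'https' or 'protocol-relative'")
    own = {h.lower() for h in own_hosts}
    new_scheme = "https://" if mode == "https" else "//"

    def fix_attr(m: "re.Match[str]") -> str:
        if m.group("host").lower() not in own:
            return m.group(0)
        rest = m.group("url")[len("http://"):]
        return m.group("prefix") + new_scheme + rest

    def fix_tag(t: "re.Match[str]") -> str:
        return HTTP_ATTR_RE.sub(fix_attr, t.group(0))

    return ASSET_TAG_RE.sub(fix_tag, html)


if __name__ == "__main__":
    print("before:", find_mixed_content(SAMPLE_HTML))
    fixed = rewrite_asset_urls(SAMPLE_HTML, {"www.example.com"})
    print("after: ", find_mixed_content(fixed))
```

Run it over each template or static page before switching the site to HTTPS; anything still reported after the rewrite is a third-party resource whose provider needs to offer an HTTPS URL (or be replaced).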
If your website is already served over HTTPS, you can test its security level and configuration with the Qualys SSL Labs tool.
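The Qualys test inspects a live server; the same kind of check can be run locally, before deployment, against the TLS configuration of an application. The added example below (mine, not the post's or Qualys's code) uses Python's standard-library ssl module to build hardened server and client contexts and to audit a context for the two points the post raises: SSLv3 (and, by today's standards, anything below TLS 1.2) must not be negotiable, and a client only gets the 'identity' guarantee if it actually verifies the certificate and its hostname. The certificate file paths are placeholders and are only loaded when supplied; the audit function also accepts raw settings so that a known-weak configuration can be checked without creating a context for it.

```python
import ssl
from typing import List, Optional


def audit_settings(minimum_version: int, options: int, is_client: bool = False,
                   check_hostname: bool = True,
                   verify_mode: int = ssl.CERT_REQUIRED) -> List[str]:
    """Return human-readable findings for a set of TLS settings; [] means pass."""
    findings: List[str] = []
    min_ver = ssl.TLSVersion(minimum_version)
    # SSLv3, TLS 1.0 and TLS 1.1 should all be off the table.
    if min_ver < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {min_ver.name}; require TLSv1_2 or newer")
    # Belt and braces: modern OpenSSL honours minimum_version, but the option
    # still documents intent and protects older builds.
    if not options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 is not explicitly disabled (OP_NO_SSLv3 unset)")
    if is_client:
        # Without these two, a certificate proves nothing about who you reach.
        if verify_mode != ssl.CERT_REQUIRED:
            findings.append("client does not require a valid certificate chain")
        if not check_hostname:
            findings.append("client does not check the certificate hostname")
    return findings


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Audit a real ssl.SSLContext using the rules in audit_settings()."""
    is_client = ctx.protocol == ssl.PROTOCOL_TLS_CLIENT
    return audit_settings(ctx.minimum_version, ctx.options, is_client,
                          ctx.check_hostname, ctx.verify_mode)


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context that refuses SSLv3/TLS 1.0/TLS 1.1.

    certfile/keyfile are placeholder paths for the site's certificate chain and
    private key (assumed, not from the post); a real server must pass them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_SSLv3
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context: verifies the chain and hostname, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("hardened server:", audit_context(hardened_server_context()) or "ok")
    print("hardened client:", audit_context(hardened_client_context()) or "ok")
    # A deliberately weak configuration, expressed as raw settings.
    print("weak settings:  ", audit_settings(ssl.TLSVersion.TLSv1, 0))
```

A context that passes this audit still needs a valid certificate for the site's hostname and an up-to-date cipher selection; the external Qualys scan remains the final check once the server is reachable.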
If your website sends any of its users’ sensitive data over standard HTTP, then you should definitely obtain a valid certificate so that your customers have confidence in your service.
For websites that do not handle any connections that could be hijacked, it may still be worth using a free SSL certificate service to future-proof your website and to take advantage of the (albeit small) increase in search engine rankings.