If you own a website then I can guarantee that cyber security is a serious concern. Nowadays we share so much of our private information online that, whether we are sending an email or doing our online banking, it is always important to know that the page we are on is secure. The first sign of this is often that wonderful green padlock in the address bar of the browser, but when a page is not secure, would you notice?
Everyone, including technology giants like Google and
Mozilla, wants secured websites with the prefix HTTPS instead of HTTP.
However, the question is “What is HTTP vis-a-vis HTTPS?”
HTTP is a twenty-year-old protocol on which the World Wide Web was built. HTTP stands for “Hypertext Transfer Protocol”
and offers a method of data communication for the Internet. The problem
with HTTP connections is that they are unsecured: any data transferred over
HTTP travels out in the open, so it can be intercepted and even manipulated by third parties.
To combat this, the Secure Sockets Layer (SSL) was
created. SSL is a protocol for encrypting communication so that it can no
longer be seen or altered by third parties. As SSL evolved it was replaced by Transport
Layer Security (TLS). Both SSL and TLS accomplish the same
goal, but TLS is a more secure way of encrypting that information.
If anyone wonders what HTTPS really is and why you
see a padlock sign/icon in your internet browser, now is the time to explain
it. You may have seen 'https://' before a domain address in
the browser's URL bar when using the Internet. But have you ever wondered what
HTTPS means and what the full form of HTTPS is?
What exactly is HTTPS?
HTTPS is an acronym for Hyper Text Transfer Protocol Secure. It is an
encrypted, security-enhanced version of Hypertext Transfer Protocol (HTTP),
the application protocol through which all data communication on the web
happens. It is an internet communication protocol that protects the integrity
and confidentiality of data between the user’s computer and the site, and it is
now the main protocol used for transferring data over the World Wide Web.
HTTPS uses Transport Layer Security (TLS), or its predecessor Secure Sockets
Layer (SSL), to establish a secure, encrypted connection between
the host server and the browser.
So, “HTTP versus HTTPS” is the difference between providing
a secure, encrypted connection to your website and not choosing to do so. The
former HTTP is an insecure way of communicating via the internet, whereas the
latter HTTPS is not.
The human mind operates by association. With one item in its
grasp, it snaps instantly to the next that is suggested by the association of
thoughts, in accordance with some intricate web of trails carried by the cells
of the brain.
What does 'Hypertext' in HTTP(S) mean?
Hypertext is a specific type of text that contains a link.
This means that if we click on a word or text on a webpage that has a link with
it, we will be redirected to a new web page based on the specified link.
Hypertext is the presentation of information as a linked
network of nodes which readers are free to navigate in a non-linear fashion. It
allows for multiple authors, a blurring of the author and reader functions,
extended works with diffuse boundaries, and multiple reading paths.
Hypertext, at its most basic level, is a DBMS [database
management system] that lets you connect screens of information using
associative links. At its most sophisticated level, hypertext is a software
environment for collaborative work, communication, and knowledge acquisition.
Hypertext products mimic the brain's ability to store and retrieve information
by referential links for quick and intuitive access.
In 1990, the internet as we now know it was born. Right
from the start, it has always used the Hyper Text Transfer
Protocol (HTTP) for moving information around the world. That is why the
beginning of web addresses starts with HTTP.
However, plain old 'HTTP' is not secure because it
transports information in plain text. This means that anyone who
intercepts the traffic can read it. That includes not only the hacker who is
monitoring the coffee shop’s Wi-Fi, but your internet service provider (ISP) as
well. It is like a switchboard operator at a telecom company who can listen in
on any phone call.
Due to continuous innovation, the use of the internet
evolved and people started using the internet for sensitive data (like credit
card numbers), internet banking, shopping online, etc. So a way had to be
figured out to make HTTP secure so that no one could see your passwords, or credit
card numbers as they zoomed between your browser and the web server.
So in 1994, Netscape Communications enhanced HTTP with some
encryption. They basically married a new encryption protocol named Secure
Socket Layer (SSL) to the original HTTP. This became known as “HTTP
over SSL” or “HTTP Secure” otherwise now known as HTTPS.
The idea, as stated by many, is to migrate the entire
internet into a completely HTTPS environment, where all website traffic is
encrypted by default.
In HTTPS, transactions are carried out with the help of a
key-based encryption algorithm. Public Key Infrastructure (PKI) is used
because it is supported by most web browsers: the private key is held by
the web server of the particular website that you want to access, while the
public key is distributed through certificates, which the web browsers
maintain and check.
So why encrypt the entire internet?
HTTPS does as much for privacy as it does for security. It
is one thing to keep hackers from reading your data or injecting their own code
into your web sessions (which HTTPS prevents), but privacy is the other side of
the coin, and it is important for each and every one of us.
We know that Internet Service Providers (ISPs), governments
and Big Data collection firms like snooping on us and storing our traffic for
whatever their reasons may be. Some of us may not care or be bothered by that
until, for example, you are looking up information on a personal medical condition.
You may ask, whose business is that? That kind of information is always useful
to someone, which is why they want it and keep it forever.
This is why many websites choose to encrypt your traffic
even when you are not sending sensitive information. Your behaviour online
should remain as private as possible.
How HTTPS Works
HTTPS pages typically use one of two secure protocols to
encrypt communications – SSL (Secure Sockets Layer) or TLS (Transport Layer
Security). Both the TLS and SSL protocols use what is known as an ‘asymmetric’
Public Key Infrastructure (PKI) system. An asymmetric system uses two ‘keys’ to
encrypt communications, a ‘public’ key and a ‘private’ key. Anything encrypted
with the public key can only be decrypted by the private key and vice-versa.
The ‘private’ key should be kept strictly protected and
should only be accessible to the owner of the private key. In the case of a
website, the private key remains securely lodged on the web server. The public
key is intended to be distributed to anybody and everybody that needs to be
able to decrypt information that was encrypted with the private key.
Basic Work Flow of HTTPS:
Step 1 – A user requests a website that uses an HTTPS certificate; the client opens a URL such as https://web-page
Step 2 – The server immediately responds to the initial connection by offering a list of encryption methods the web server supports.
Step 3 – The client selects a connection method. Then the client and server exchange certificates to authenticate their identities.
Step 4 – The web server and client exchange the encrypted information after ensuring that both are using the same encryption key, and the connection is closed.
Enabling HTTPS requires the use of a valid SSL/TLS
certificate. This digital certificate is a file that contains information
about your organisation to help it authenticate as well as other cryptographic
information that helps the site users communicate with it securely through
encryption.
What is an HTTPS SSL certificate?
SSL is an abbreviation for Secure Sockets
Layer. SSL technology developed by Netscape was created for exchanging private
information and documents on the internet.
SSL Certificates are small data files that digitally bind a
cryptographic key to an organisation’s details. So an SSL (Secure Socket Layer)
Certificate is a digital certificate that provides authentication for a
website. SSL certificates create trust with users by verifying that websites
are secure and legitimate. These digital credentials are small data files
that activate the padlock icon and https protocol.
When installed on a web server, it activates the padlock and
the https protocol and allows secure connections from a web server to a
browser. Typically, SSL is used to secure credit card transactions, data
transfer, and logins, and more recently it has become the norm when securing
browsing of social media sites. Through SSL, an encrypted connection is
established primarily between the web server (host) and the web browser (user).
An SSL certificate is essential if you have an online store,
process credit card details or have any kind of user login, especially if
it accesses personal information.
SSL Certificates bind together:
- A domain name, server name or hostname.
- An organisational identity (i.e. company name) and location.
An organisation needs to install the SSL Certificate onto
its web server to initiate a secure session with browsers. Once a secure
connection is established, all web traffic between the web server and the web
browser will be secure.
How Do SSL Certificates Work?
SSL Certificates use something called public key
cryptography. This particular kind of cryptography harnesses the power of
two keys which are long strings of randomly generated numbers. One is called a
private key and the other a public key. A public key is known to your server
and available in the public domain. It can be used to encrypt any message. If A
is sending a message to B she will lock it with B’s public key
but the only way it can be decrypted is to unlock it with B’s private
key. B is the only one who has his private key. So B is the only
one who can use this to unlock A’s message. If a hacker intercepts the
message before B unlocks it, all they will get is a cryptographic code
that they cannot break, even with the power of a computer.
If we look at this in terms of a website, the communication
is happening between a website and a server. Your website is A and
server is B.
How SSL Works
- When a browser wants to connect to a web server with an SSL certificate, the web browser identifies itself before connecting with the server.
- The web server then sends its certificate to the browser.
- The browser checks that the web server can be trusted and sends a message to the web server.
- The browser and web server then exchange digitally encrypted data.
- Only the web browser and the web server can read this data, so each can trust what the other sends; that is what provides the data security.
Why Do You Need An SSL Certificate?
SSL Certificates protect your sensitive information such as
credit card information, usernames, passwords, etc.
They also:
- Keep data secure between servers
- Increase your Google rankings
- Build/enhance customer trust
- Improve conversion rates
When a certificate is successfully installed on your
server, the application protocol (also known as HTTP) will change to HTTPS,
where the ‘S’ stands for ‘secure’. Depending on the type of
certificate you purchase and what browser you are surfing the internet on, the
browser will show a padlock or green bar when you visit a
website that has an SSL Certificate installed.
When you request an HTTPS connection to a webpage, the
website will initially send its SSL certificate to your browser. This
certificate contains the public key needed to begin the secure session. Based
on this initial exchange, your browser and the website then initiate the ‘SSL
handshake’. The SSL handshake involves the generation of shared secrets to
establish a uniquely secure connection between yourself and the website.
When a trusted SSL Digital Certificate is used during an
HTTPS connection, users will see a padlock icon in the browser address bar.
When an Extended Validation Certificate is installed on a web site, the address
bar will turn green.
All communications sent over regular HTTP connections are in
‘plain text’ and can be read by any hacker that manages to break into the
connection between your browser and the website. This presents a clear danger
if the ‘communication’ is on an order form and includes your credit card details
or other important personal details. With an HTTPS connection, all
communications are securely encrypted. This means that even if somebody managed
to break into the connection, they would not be able to decrypt any of the data
which passes between you and the website.
How to Identify the SSL-Certified Website?
The URL of an SSL certified website starts with HTTPS.
So when you see HTTPS on your website URL then you know it is verified with an
SSL certificate. As mentioned earlier, the last "S" in HTTPS
means a secure server.
Benefits of having SSL Certificates:
- There is no fear of providing personal information. Personal information such as credit cards, usernames, passwords and other important details that a website may ask for reaches the recipient after passing through multiple computers. If it is intercepted by a hacker on the way, your valuable information can be stolen. If you send information over an SSL-certified connection, you can be sure that it is not visible to anyone other than the recipient.
- Trust increases. SSL puts a green signal at the start of the website address, which sends a message of security to the visitor. Nobody can take information from you or your visitors through a phishing attack on the SSL-enabled website, and it makes your website credible to visitors.
- Undeclared brand promotion. SSL increases the visitor's trust in using your website, so your brand automatically engages the visitor. Information Technology experts believe that SSL works as the undeclared brand of any digital company.
SSL works as additional security for your website. If you
have created your website as a membership site or by taking a user's data
through a form, and if your web portal is secure then the third person will not
be able to get access to the information.
How does HTTPS (SSL) encryption work?
An HTTPS connection is established by using asymmetric
cryptography. The server provides a certificate that demonstrates the server’s
identity. At this point, the server is in possession of a public and a private
key.
Process when a sender and a recipient want to exchange
data securely
The recipient transmits his public key (the public key can
be given to anyone without any worries), but keeps the private key. So the
sender can encrypt the message with the recipient’s public key. This encrypted
message can only be decrypted by the recipient, because he is the only one on
this planet who is in possession of the private key.
When using HTTPS the sender is the client and the
recipient is the server.
Below is a very simplified picture representation:
- The client tries to establish a connection to the server (Hello!). The server responds that it accepts only secure communication.
- The server sends its public key to the client.
- The client generates a random value (in this case it is 243) and encrypts this number using the server’s public key.
- The server is the only one that can decrypt the data, with its private key. After decryption, it can read the secret key (243).
- Then the transfer of data begins.
To prevent an attacker from guessing the secret key (243), it
is regenerated at regular intervals.
Credit card companies and other regulatory bodies have also
declared war against sites that are not secure (think PCI DSS, HIPAA, GDPR,
CCPA, etc.).
As you can see in the picture above, public key (asymmetric)
encryption is only used briefly in the beginning to exchange the third key
which is used for the rest of the connection. But what’s the point of switching
from asymmetric to symmetric? There are a number of reasons.
First, public key encryption only goes one way. Your
encrypted data going to the website is secure only because the web server keeps
the private key a secret. But if the server tried sending encrypted data back
to you with the same key-pair, it would not be secure
because everyone has access to its public key. That means anyone
could decrypt it. You would have to establish two asymmetric sessions, one
going each way. It is not feasible for your computer to do that securely.
Secondly, the mathematical overhead for asymmetric
encryption is far higher and therefore requires much more computing power to
sustain. It is not suitable for long sessions because of the processing power
it takes to keep it going. Public key encryption uses much longer
keys, which makes it far more labour intensive.
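The workflow steps, the simplified picture and the two reasons for switching from asymmetric to symmetric encryption can all be followed in code. The block below is an added example written for this article, not code from the original post. It uses textbook RSA with tiny, well-known primes (p = 61, q = 53) and a SHA-256 counter keystream as stand-ins for the real TLS primitives; the secret value 243 is the article's own illustration, and the request text is a constructed sample. The last function demonstrates the first reason given above: a reply sealed with the server's private key can be opened by anyone who holds the public key.

```python
"""Toy walk-through of the key exchange pictured above.

Added example for this article, not the author's code. Textbook RSA with tiny
primes and a SHA-256 counter keystream stand in for real TLS cryptography; the
numbers are far too small to protect anything and serve only to show the flow.
"""
import hashlib
import secrets


def make_toy_keypair():
    """Server key pair from the classic textbook primes p=61, q=53."""
    p, q = 61, 53
    n = p * q                 # 3233: the public modulus shared by both keys
    phi = (p - 1) * (q - 1)   # 3120
    e = 17                    # public exponent
    d = pow(e, -1, phi)       # private exponent 2753 (modular inverse, Python 3.8+)
    return (e, n), (d, n)     # (public key, private key)


def rsa_apply(value, key):
    """Encrypt or decrypt: raise the value to the key's exponent modulo n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("toy RSA can only handle values smaller than n")
    return pow(value, exponent, n)


def keystream_cipher(secret, data):
    """Symmetric stage: XOR the data with a SHA-256 counter keystream.
    The same call encrypts and decrypts, which is why one shared secret can
    carry traffic in both directions."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = secret.to_bytes(4, "big") + counter.to_bytes(8, "big")
        stream.extend(hashlib.sha256(block).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def https_session(secret=243, request=b"GET /account HTTP/1.1"):
    """The five steps from the picture, with the article's example secret 243."""
    server_pub, server_priv = make_toy_keypair()         # step 2: server has a key pair
    if secret is None:                                   # real clients pick a fresh random value
        secret = secrets.randbelow(server_pub[1])
    wrapped = rsa_apply(secret, server_pub)              # step 3: client seals the secret with the public key
    recovered = rsa_apply(wrapped, server_priv)          # step 4: only the private key can unseal it
    ciphertext = keystream_cipher(recovered, request)    # step 5: bulk data under the shared secret
    plaintext = keystream_cipher(recovered, ciphertext)  # the other side reverses it with the same secret
    return {"wrapped_secret": wrapped, "recovered_secret": recovered,
            "ciphertext": ciphertext, "plaintext": plaintext}


def server_to_client_with_private_key(reply=42):
    """Reason 1 from the text: public-key encryption only goes one way.
    If the server 'encrypts' a reply with its private key, anyone who holds the
    public key (everyone) can read it, so this gives no confidentiality."""
    server_pub, server_priv = make_toy_keypair()
    sealed = rsa_apply(reply, server_priv)
    return rsa_apply(sealed, server_pub)  # an eavesdropper recovers the reply with only the public key


if __name__ == "__main__":
    session = https_session()
    print("secret sealed with the public key:", session["wrapped_secret"])
    print("server recovered:", session["recovered_secret"])
    print("ciphertext on the wire:", session["ciphertext"].hex())
    print("decrypted request:", session["plaintext"])
    print("reply sealed with PRIVATE key, read by anyone:", server_to_client_with_private_key())
```

Running the file prints the sealed secret, the ciphertext and the round trip. The modular exponentiation is the expensive part (the second reason above); it happens once to share the secret, and every byte after that costs only a hash and an XOR.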
Mobile Security with HTTPS
HTTPS also protects traffic on mobile devices. This is
extremely important as more and more people are using their phones and tablets
to surf the Internet and make e-commerce purchases. The good news is that the
vast majority of SSL/TLS certificates are mobile friendly, meaning
that once you purchase one, install it and configure your server correctly, you
are good to go on mobile devices.
But what about apps? Both Apple and Google, two of the
leaders in the mobile phone industry, are pushing mobile apps towards
encryption by default. Apple has App Transport Security (ATS) on iOS,
while Google has the usesCleartextTraffic manifest attribute on Android.
Apple’s ATS pushes towards encryption a little harder, as its default
setting is to have encryption on, while on the Android platform it is not. But
both are making a clear indication that HTTPS will be, and is, the standard.
What HTTPS Does Not Do
It’s easy to think of HTTPS as a miracle security solution
for the internet, but there is a lot that it cannot do.
HTTPS does not:
1. Hide the names of websites that you are visiting
This is because the name (aka “domain”) of the website is
sent using DNS (domain name service), which is not inside the HTTPS tunnel. It
is sent before the secure connection is made. An eavesdropper in the middle can
see the name of the website you are going to (e.g. TipTopSecurity.com), they
just can’t read any of the actual content that’s being transferred back and
forth. It won’t be until DNSSEC is fully implemented that this will
change.
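To see concretely what an eavesdropper gets from the name lookup, the following added example (written for this article, not taken from it) builds a plain DNS query for TipTopSecurity.com, the article's own example name, exactly as a resolver client would put it on the wire, and then parses the name back out of those bytes. The packet is constructed in memory, so nothing is sent. One caveat worth knowing: DNSSEC signs answers so they cannot be forged, but it does not encrypt the query; it is encrypted DNS transports (DNS over TLS or HTTPS) that keep the name out of view, and the server name is also sent in the clear in the TLS handshake itself unless Encrypted Client Hello is in use.

```python
"""Why HTTPS does not hide the site name: added example, not from the article.

Builds a standard DNS A-record query (RFC 1035 wire format) and shows that the
hostname can be read straight out of the bytes by anyone watching the network.
"""
import struct


def build_dns_query(name, txn_id=0x1234):
    """Encode a recursive A-record query the way a stub resolver does."""
    # Header: id, flags (0x0100 = recursion desired), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is length-prefixed, terminated by a zero byte
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    question = qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def parse_queried_name(packet):
    """What a passive observer recovers from the query: the hostname, in the clear."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        return None
    labels, pos = [], 12                    # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                   # compression pointer; never present in a plain query
            raise ValueError("unexpected compression pointer in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def observer_view(packet):
    """Summarise what is and is not visible to someone watching the wire."""
    return {
        "hostname_visible": parse_queried_name(packet),
        "page_path_visible": False,   # URL path, headers and content travel inside the TLS tunnel
    }


if __name__ == "__main__":
    query = build_dns_query("TipTopSecurity.com")   # constructed sample, never sent
    print("bytes on the wire:", query.hex())
    print("what an eavesdropper learns:", observer_view(query))
```

The hex dump makes the point visible: the label bytes spell out the name in ASCII, so no decryption is needed to learn which site is being looked up.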
2. Protect you from visiting a dangerous website
HTTPS does not ensure that the website itself is safe. Just
because you are connecting securely doesn’t mean you are not connecting to a
website run by bad guys. We try to fix this problem with trusted
Certificate Authorities, but the system isn’t perfect.
3. Provide anonymity
HTTPS does not hide your physical location or personal
identity. Your personal IP address (your address on the internet) has to be
attached to the outside of the encrypted data, because the internet wouldn’t
know where to send it if your IP address was encrypted, too. And it also doesn’t
obscure your identity to the website you’re visiting. The site you visit still
knows everything about you that it would on a non-secure connection.
4. Prevent you from getting viruses
HTTPS is not a filter. It is possible to get viruses and
other malware over an HTTPS connection. If the web server is infected or you’re
on a malicious website that’s handing out malware, it will be sent inside the
HTTPS stream just like everything else. HTTPS does, however, prevent
anyone in the middle from injecting malware into your moving traffic.
5. Protect your computer from being hacked
HTTPS only protects the data while it’s moving between your
computer and the web server. It does not offer any protection for your actual
computer or the server, themselves. This also means that if there’s malware
that’s monitoring traffic on one end of the connection, it can read the traffic
before and after it’s encrypted inside the HTTPS stream.
So, HTTPS only protects your information while it’s flowing
through the wires (or the air). It cannot protect your computer, your identity,
or hide which sites you are visiting. HTTPS is only one part of a safer
internet. If you are looking for more privacy then a VPN service would be the
next step. If you want more info about VPN, check out my article about
VPN.
Advantages of HTTPS:
- It uses SSL technology to protect user information from unauthorised sources, which builds the trust of users.
- It encrypts the connection and helps users to do secure online transactions such as online banking.
- HTTPS uses the redirect option to provide increased security. This means that if a user enters http:// instead of https://, it will automatically redirect to https:// and establish a secure connection.
- An independent authority verifies the identity of the owner of the certificate. So each SSL certificate contains unique, certified information about the certificate owner.
- Secure Communication: HTTPS makes a secure connection by establishing an encrypted link between the browser and the server, or any two systems.
- Data Integrity: HTTPS provides data integrity by encrypting the data, so even if hackers manage to capture the data, they cannot read or modify it.
- Privacy and Security: HTTPS protects the privacy and security of website users by preventing hackers from passively listening to communication between the browser and the server.
- Faster Performance: HTTPS increases the speed of data transfer compared to HTTP by encrypting and reducing the size of the data.
- SEO: Use of HTTPS increases SEO ranking. In Google Chrome, Google shows the Not Secure label in the browser if users' data is collected over HTTP.
- Future: HTTPS represents the future of the web by making the internet safe for users and website owners.
Disadvantages of HTTPS:
- HTTPS is comparatively slower as it takes a little bit of time during encryption.
- Because of the encryption process, HTTPS includes extra overhead during data transfer.
- You have to pay for an SSL certificate to use HTTPS.
- It can cause browser caching issues for legacy browsers (e.g., IE6).
How HTTPS helps SEO
Most of the benefits of HTTPS tie back to SEO:
- Lightweight ranking signal
- Better security and privacy
- Preserves referral data
- Enables the use of modern protocols that enhance security and site speed
Lightweight ranking signal
Google announced that HTTPS is a
lightweight ranking factor way back in 2014. It is more like a
tiebreaker than something that would skyrocket your rankings if other ranking
factor variables remained unchanged.
This is basically Google’s contribution to faster
worldwide HTTPS adoption.
Preserves referral data
If your website is still on HTTP and you are using
web analytics services like Google Analytics, then no referral data is passed
from HTTPS to HTTP pages. Since most of the web runs
on HTTPS these days, the source of most referral traffic (clicks on
links from other websites) will be labelled as direct in most analytics
software.
One disadvantage of this is that it makes your data messy
and skewed. Another is that you are unable to see your best referral sources.
Enables the use of modern protocols that enhance security
and site speed
On paper, HTTPS is slower
than HTTP because of the added security features. However,
having HTTPS is the prerequisite for using the latest security and
web performance technology.
In other words, besides security, HTTPS also
enables your website to improve its page speed when you use protocols
like TLS 1.3 and HTTP/2. And apart from better user experience,
Google considers page speed a lightweight ranking factor similar
to HTTPS.
How to set up HTTPS
This depends entirely on your particular scenario.
1. If you are launching a new website
Go with HTTPS from the beginning and you won’t
ever have to worry about HTTP and errors associated with the
migration.
All you need to do is to have a good hosting provider that
will guide you through the process, and that supports the
latest HTTP and TLS protocol versions. After all is up and
running, implement HSTS as the last step in order to seal the security.
2. If you already have an HTTPS-enabled website
The fact that you are reading this article shows that it is
probably not set up correctly.
3. If you still have a website running on HTTP
It will take a while to get everything prepared and
done. The complexity of the migration depends on:
- The size and complexity of your website
- What kind of CMS you use
- Your hosting/CDN providers
- Your technical abilities
There are a lot of variables at play. I suggest you
check the documentation of your CMS/server/hosting/CDN and proceed
accordingly with caution.
If all of this sounds too technical for you, hire a
professional. It will save you hours of your time, save your nerves, and ensure
future-proof implementation.
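Two server-side pieces recur in the set-up advice above: the http:// to https:// redirect listed under the advantages, and HSTS as the final step for a new site. The block below is an added example written for this article, not code from the original post or from any particular web server; it shows both in a small Python handler, plus a check that audits a Strict-Transport-Security header before you ship it. The listening address and the one-year minimum age are assumptions for illustration.

```python
"""Added example (not part of the original article): an HTTP-to-HTTPS redirect
listener and an HSTS policy, with a small audit function for the header value.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

ONE_YEAR = 31536000  # seconds; assumed minimum, in line with common HSTS guidance


def https_location(host_header, path):
    """Location for a 301 from the plain-HTTP listener: same host (minus port), same path."""
    host = host_header.split(":", 1)[0]          # drop any ':80' the client sent
    if not host or "/" in host:
        raise ValueError("invalid Host header")
    return f"https://{host}{path}"


def hsts_value(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Build the Strict-Transport-Security value the HTTPS listener should send."""
    directives = [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)


def check_hsts(header_value, min_age=ONE_YEAR):
    """Audit an HSTS header: returns a list of findings (empty list means it passes)."""
    findings = []
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    ages = [p for p in parts if p.lower().startswith("max-age=")]
    if not ages:
        return ["missing max-age"]
    try:
        age = int(ages[0].split("=", 1)[1])
    except ValueError:
        return ["max-age is not an integer"]
    if age == 0:
        findings.append("max-age=0 disables the policy")
    elif age < min_age:
        findings.append(f"max-age {age} is below {min_age} seconds")
    if not any(p.lower() == "includesubdomains" for p in parts):
        findings.append("includeSubDomains not set; subdomains stay reachable over HTTP")
    return findings


class RedirectToHttps(BaseHTTPRequestHandler):
    """Listener for port 80: never serves content, only redirects.
    Only the HTTPS listener should send the HSTS header; browsers ignore
    Strict-Transport-Security received over plain HTTP."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", https_location(self.headers.get("Host", ""), self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    print("HSTS header for the HTTPS listener:", hsts_value(preload=True))
    print("audit of a weak header:", check_hsts("max-age=300"))
    # Assumed local address for a demo run; stop with Ctrl-C.
    HTTPServer(("127.0.0.1", 8080), RedirectToHttps).serve_forever()
```

Start with a short max-age while you confirm every subdomain really answers on HTTPS, then raise it to the one-year value; once a browser has cached the policy it will refuse plain HTTP for that host until the age expires, which is exactly the "sealing" the set-up section describes.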
How HTTP Puts You At Risk
When you connect to a website with regular HTTP, your
browser looks up the IP address that corresponds to the website, connects
to that IP address, and assumes it’s connected to the correct web server. Data
is sent over the connection in clear text. An eavesdropper on a Wi-Fi network,
your internet service provider, or government intelligence agencies like the
NSA can see the web pages you’re visiting and the data you are transferring
back and forth.
There are big problems with this. For one thing, there’s no
way to verify you’re connected to the correct website. Maybe
you think you accessed your bank’s website, but you are on a
compromised network that’s redirecting you to an impostor website.
Passwords and credit card numbers should never be sent over an HTTP
connection, or an eavesdropper could easily steal them.
These problems occur because HTTP connections are
not encrypted. HTTPS connections are.
How HTTPS Encryption Protects You
HTTPS is much more secure than HTTP. When you connect to an
HTTPS-secured server—secure sites like your bank’s will automatically redirect
you to HTTPS—your web browser checks the website’s security certificate and
verifies it was issued by a legitimate certificate authority. This helps you
ensure that, if you see “https://bank.com” in your web browser’s address
bar, you’re actually connected to your bank’s real website. The company that
issued the security certificate vouches for them. Unfortunately, certificate
authorities sometimes issue bad certificates and the system breaks down.
Although it is not perfect, HTTPS is still much more secure than HTTP.
When you send sensitive information over an HTTPS
connection, no one can eavesdrop on it in transit. HTTPS is what makes
secure online banking and shopping possible.
It also provides additional privacy for normal web browsing,
too. For example, Google’s search engine now defaults to HTTPS connections.
This means that people can’t see what you’re searching for on Google.com. The
same goes for Wikipedia and other sites. Previously, anyone on the same Wi-Fi
network would be able to see your searches, as would your Internet service
provider.
In some countries, your Internet service provider
is allowed to snoop on your web browsing history and sell it to
advertisers. With HTTPS, your Internet service provider can’t see as much of
that data. They only see that you are connecting to a specific website, as
opposed to which individual pages you are viewing. This means much more privacy
for your browsing.
HTTP allows your Internet service provider to tamper with
the web pages you are visiting, if they want. They could add content to the web
page, modify the page, or even remove things. For example, ISPs could use this
method to inject more advertisements into web pages you visit.
Look Out for Phishing Tricks
The presence of HTTPS itself is not a guarantee that a site
is legitimate. Some clever phishers have realised that people look for the
HTTPS indicator and lock icon, and may go out of their way to disguise
their websites. So you should still be wary. Don’t click links in phishing
emails, or you may find yourself on a cleverly disguised page. Scammers can get
certificates for their scam servers, too. In theory, they are only prevented
from impersonating sites they don’t own. You may see an address like
https://google.com.3526347346435.com. In this case, you’re using an HTTPS
connection, but you’re really connected to a sub-domain of a site named
3526347346435.com—not Google.
Other scammers may imitate the lock icon, changing their website’s
favicon that appears in the address bar to a lock to try to trick you. Keep an
eye out for these tricks when checking your connection to a website.
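The two checks that the last sections rely on, the browser verifying that the certificate chains to a trusted authority and the user verifying that the name in the address bar is really the site they mean, can both be expressed in a few lines. This is an added example written for this article, not code from the original post. The first part contrasts an ssl context with verification switched off (a setting that makes the padlock meaningless) against the verified default; the second part applies the article's own lookalike address, https://google.com.3526347346435.com, to a label-wise domain check, where the expected domain is an assumed allow-list value.

```python
"""Added example, not from the article: what a careful HTTPS client checks."""
import ssl
from urllib.parse import urlsplit


def insecure_context():
    """The weak setting: any certificate for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context():
    """The corrected setting: the chain must lead to a trusted CA and the name must match."""
    ctx = ssl.create_default_context()              # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSL and TLS 1.0/1.1 are deprecated
    return ctx


def describe_context(ctx):
    """Report the two properties that decide whether a padlock means anything."""
    return {"verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": bool(ctx.check_hostname)}


def hostname_of(url):
    """Host part of an https:// URL, lower-cased; None for anything that is not HTTPS."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def belongs_to(url, expected_domain):
    """True only if the host is expected_domain or a subdomain of it.
    Comparing whole labels from the right defeats the 'google.com.<random>.com'
    trick: that host ends in '.com', not in '.google.com'."""
    host = hostname_of(url)
    if host is None:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


if __name__ == "__main__":
    print("insecure:", describe_context(insecure_context()))
    print("verified:", describe_context(verified_context()))
    lookalike = "https://google.com.3526347346435.com/signin"   # the article's example address
    print(hostname_of(lookalike), "belongs to google.com?", belongs_to(lookalike, "google.com"))
```

The verified context is what every mainstream browser does by default; the insecure one is what you get when code "fixes" a certificate error by turning verification off, which silently converts HTTPS into the plain-text situation the rest of the article warns about.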
Conclusion
HTTPS was originally intended for passwords, payments,
and other sensitive data, but the entire web has now moved towards it.
It is a good idea to build a website over HTTPS or move from
HTTP to HTTPS. Previously, websites being served over HTTP would receive
browser warnings about being unsecured. This can dissuade potential traffic
from visiting and have adverse effects on your website. HTTPS was mostly used
by websites that have online payment gateway support. This helped secure
confidential details of users such as credit card details and other personal
information. But, after Google recommended sites to use HTTPS to achieve better
search engine rankings, most sites switched to HTTPS. Nowadays, almost every
website uses HTTPS.