What is HTTPS and why you should care?
Google does most of its business and is arguably the most important force on the Internet. Because of that one of the main concerns of theirs is Internet Security. In the last couple of years, Google has made some steps in providing incentives for people to use HTTPS in the interest of security. And we can expect more of the same in the coming months.
To better understand what HTTPS is, we will talk about its precursor HTTP that is in still in wide use today. HTTP stands for Hypertext Transfer Protocol, and it is basically a set of rules that enable users (web browsers) to communicate with sites (servers). Basically, whenever you visit a webpage, the data is transferred with HTTP and a bit less often with HTTPS.
The problem?
[su_box title=”Man in the middle attack is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. ” class=”trap small right”][/su_box]
Unfortunately, there are inherent safety issues with HTTP. First, all the data that goes through HTTP is transferred in plain text. That means that if anyone watches your communication they can see the content of it.
Second, as everyone knows the rules that make up HTTP, anyone can use them to intercept and sometimes-even change the communication between you and the site you are visiting. And there are some important bits of data there, like your IP address, the browser you are using etc. This is called a Man in the Middle attack (MITM), here a third party gets in between the communication of the site and the user. It can then forward the communication just observing it, or change it before forwarding.
In 1994 Netscape started making a solution to the safety issues of HTTP.
HTTPS as the solution
HTTPS an acronym for HTTP over SSL (or HTTP Secure depends on who you ask 😀 ), and it is a secure version of HTTP. It works by encrypting all data that goes through http and making it unreadable to anyone who should not be a part of the communication.
So if someone tries to do a MITM, they would not be able to change anything without the user noticing, nor would it be possible to read the content of the communication. This is done with the help of a SSL certificate.
Additional HTTPS benefits
While the main advantage and raison d’etre of HTTPS is security, that is not its only benefit in today’s world. HTTPS is much better for SEO. Google has made an announcement in 2014 stating that they rank HTTPS sites better than HTTP ones.
[su_box title=”In October 2017, Chrome will show the “Not secure” warning when users enter data on any HTTP page including search bars” class=”trap small left”][/su_box]
Google seems resolute in its intention to label all HTTP results as unsafe, and divert more and more traffic through HTTPS. The next step towards that goal seems to be coming in October with the new version of Chrome, where the lack of security when browsing will be clearly visible. Even pages with any kind of input will be affected if browsed through HTTP. This includes webpages with search fields and search bars. And the changes probably won’t stop there.
Another great thing about HTTPS is that it is now much faster than the older HTTP. Check out the following gif illustration.
These results may vary quite a bit. But they are significant never the less. You can check this yourself by visiting this link.
Certificate Authority and SSL
And we’re back to SSL. As we’ve mentioned before, all these benefits come from encrypting the communication, and for that you will need an SSL certificate. You can get a certificate from a CA (Certificate Authority). It is a CA job to certify that when you encrypt your data and send it to your customers, the key used to decrypt the data is really yours. In that way, it is ensured that your customers have been communicating with you and that the data has not been tempered with.
CA are trusted parties like: Comodo, Symantec, Thawte, Let’s Encrypt etc.
Types of SSL certificates
There are a couple of types of SSL certificates. Those are:
- Single Domain – Can only secure one domain
- Multi Domain – Can secure multiple domains. It’s a bit more technical
- Wildcard – Can secure virtually all subdomains of a given domain.
Price for an SSL certificate is in the range of 40$ to over a 1000$ depending on the type of the certificate and many other factors. For most sites and blogs cheaper ones are the way to go. And with Let’s Encrypt there is a free alternative. On shared hosting environments Let’s Encrypt support may be sketchy, but it is worth asking your hosting provider if they support this or you can check this list of providers that guarantee Let’s Encrypt support. And if you have cPanel and the AutoSSL plugin installed, you may install Let’s Encrypt certificate there.
Of course, you can still opt in for one of the traditional certificate authorities. There are some advantages to them, like: better support, longer certificate duration etc.
Conclusion
Internet is a big place, and going forward security will be an issue. HTTP is old, outdated and not cutting it anymore from the security standpoint. Considering all the advantages that HTTPS has, like: security, speed, SEO and the new Chrome related issues of HTTP, migrating to HTTPS is almost a necessity. It can be daunting, doing this for the first time, but there are good guides online. And if you are not completely sure you can do this, you could seek help from a professional. It will be well worth it!
Majority of secured websites are based on HTTPS, which cooperates with another protocol called in order to move data safely to the right destination. If you want to read more about transfer protocols, check out this blog post.
[conversion-boxes title=”Want more information on HTTPS and SSL?” text=”You’ve come to the right place. Subscribe to the .ME newsletter for more of everything .ME-related!” secret=”” button=””]
