18th February 2016
HTTP or HTTPS?
Website and internet security is becoming an ever more important topic as technology becomes more complex. Enter HTTPS. Even if you have never noticed HTTPS before, you have more than likely encountered it. At least we hope so.
E-commerce sites and other websites that handle sensitive data should (though we would say need to) have a website secured through HTTPS in order to provide a secure browsing experience. But what does HTTPS mean and why does it apply to your website?
What is HTTPS?
HTTPS stands for hypertext transfer protocol secure. Think of it as a website that looks and behaves exactly as it should, but with a big security blanket wrapped around it.
It helps prevent what are known as man-in-the-middle attacks, where a third party steps in, has access to and can interfere with communications between a user and a website. These communications may include, but are not limited to, usernames, passwords, credit card numbers and any other data which is submitted from a user to a website.
The address of the website you are reading is https://www.cargocreative.co.uk/. Notice that the address begins with https://. Compare this to http://www.bbc.co.uk and notice the lack of the "s" in http://. This means the Cargo Creative site has an extra layer of security wrapped around it.
You will be able to tell if a website is using HTTPS because it will appear in the address bar of your web browser either as a lock (usually black or green) or a green HTTPS appearing before the rest of the address. If you can’t see either of those, then you are visiting a website not using HTTPS.
How does HTTPS work?
It works through authentication, data integrity, and encryption. Authentication ensures that you are talking with the website it claims to be. Data integrity ensures that the data being transmitted between the user and the website hasn’t been tampered with. Encryption ensures that no one can eavesdrop on your conversation with the website.
All three elements need to work together to make websites secure. You can have encryption but if a website has not been authenticated, then you could be having a secure conversation with someone who has hacked into the website and secured the channel.
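The difference between an encrypted connection and an authenticated one shows up in how a TLS client is configured. The following is an added example, not part of the original post: it uses Python's standard ssl module, and the function names are hypothetical. It puts the weak client setting beside the default one and reports which authentication checks each one skips.

```python
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the server-authentication checks this TLS client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the requested hostname")
    return findings


def authenticated_context() -> ssl.SSLContext:
    # Library defaults: system CA store, chain verification, hostname check.
    return ssl.create_default_context()


def encryption_only_context() -> ssl.SSLContext:
    # Weak setting, often copied to silence certificate errors. Traffic is
    # still encrypted, but the client accepts any certificate from anyone.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    contexts = [
        ("default", authenticated_context()),
        ("encryption only", encryption_only_context()),
    ]
    for name, ctx in contexts:
        findings = audit_client_context(ctx)
        print(name, "->", findings or "server is authenticated")
```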
As great as HTTPS is, your website can still be insecure if you use weak passwords or do not regularly update your plugins. HTTPS is only one part of the overall security picture.
How does a website get this extra layer of security?
By obtaining an SSL (Secure Sockets Layer) certificate. They can be purchased from most websites which sell hosting and/or domain names. There is a brief verification process to ensure the certificate is being issued to the correct website/company, and then it is installed on the server hosting the website.
Why isn’t every site using HTTPS?
Historically the reasons are fairly simple: it was expensive and technically difficult to implement. Shared hosting companies typically add considerable markup to purchasing and installing SSLs, often costing more annually than hosting itself. Unsurprisingly, this puts many off.
Technically it is much easier to implement. The arrival of web hosting services ServerPilot and Forge (which sit on top of cloud servers like DigitalOcean, Linode and Amazon Web Services) makes it as easy as launching a website or adding a user to a database.
Financially it’s much cheaper than it used to be. Namecheap offers SSL for a little over a fiver, for example. Perhaps the biggest game changer of all is the arrival of Let’s Encrypt, which offers free (as in free beer) SSLs. The only downside is they need updating every 90 days.
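A 90-day lifetime means an unattended certificate will lapse, so it is worth monitoring how many days a site's certificate has left. The following is an added example, not part of the original post: the 30-day renewal threshold, the function names and the sample certificate are assumptions constructed for illustration, and the certificate dictionary has the shape returned by Python's ssl getpeercert().

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed threshold, chosen for this example


def fetch_cert(host: str, port: int = 443) -> dict:
    """Connect with full verification and return the server certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert: dict, now: datetime) -> int:
    """Whole days until the certificate's notAfter date (negative if past)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires - now).days


def renewal_status(cert: dict, now: datetime) -> str:
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left <= RENEW_BEFORE_DAYS:
        return "renew-now"
    return "ok"


# Constructed sample: a certificate valid for exactly 90 days.
SAMPLE_CERT = {
    "notBefore": "Feb 18 12:00:00 2016 GMT",
    "notAfter": "May 18 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    issued = datetime(2016, 2, 18, 12, 0, tzinfo=timezone.utc)
    print(days_remaining(SAMPLE_CERT, issued), renewal_status(SAMPLE_CERT, issued))
```

To check a live site, pass the result of fetch_cert("your-domain") and datetime.now(timezone.utc) to renewal_status.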
So what’s the point if not everyone is using HTTPS?
It comes down to good citizenship of the web, privacy for you and your users and an SEO incentive from Google.
HTTPS is particularly beneficial when users are accessing your website over insecure wifi. With insecure wifi and websites that are HTTP only, there is the potential for hackers to see which content you are accessing and for how long. HTTPS prevents this from happening by encrypting the data, which means people can’t see the data going back and forth between users and the website.
So this means privacy for you and for your users. While being able to see a single website that a user visits might not be that interesting or important, it becomes more important when someone is able to monitor whole browsing sessions, gather intel and paint a bigger picture from all the websites you visit as a whole. Even if you are accessing websites that are innocuous, it is the principle of privacy that is at stake, as we all have the right to a secure browsing experience.
Google wants to try and make the internet experience the best it can for people, which is why they are penalising websites that do not migrate to HTTPS. This was announced in August 2014 but has not been rolled out as a major penalty.
Google’s Web Security blog has said “For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
Should I migrate my website to HTTPS?
The short answer: yes. While Google hasn’t been blacklisting websites and dropping them from the search engine ranking page yet, we don’t know what further steps Google will take on using HTTPS as a ranking signal. If you rely heavily on Google as a traffic source, it’s usually wise to follow their recommendations. And for the privacy of your website and your users, HTTPS is important. The internet is a great resource, but we all have to do our part to make it a better place.
Ready to move your website to HTTPS? Get in touch.