This article was originally published on 09/17/2015 and has been updated as a guide for HTTPS in 2018.
Do you know the fastest way to turn a popular website into a ghost town: neglect its security. Bright red warnings and broken pages are a terrible way to greet your website’s visitors and you can’t blame them for giving up on your page.
Instead, it’s better to welcome your guests with a secure and breezy browsing experience. One of the most important ways involves something you may have missed: going from HTTP to HTTPS.
Sidled up next to our URLs are a series of important letters that refer to the way communication happens online: HTTP and HTTPS. Continuing in 2018, Google is leading a charge for all websites to migrate from HTTP to HTTPS-a more security-respecting protocol which is big on encryption. Believe it or not, that extra “S” plays a vital role in keeping your sensitive data-and your customers’ data-safe online.
Last year the internet reached an HTTPS milestone-according to Mozilla, in 2017 more than 50 percent of all major web traffic crossed the finish line to better encryption by becoming HTTPS compliant.
Despite half the web being encrypted, 2017 was also host to a parade of data security letdowns-Equifax, Yahoo, Uber-which has shaken peoples’ trust in how safe it is to share personal data online. We need more HTTPS compliant websites now more than ever.
To tip the scales toward a 100 percent fully encrypted website owners need a strong understanding of HTTPS. In this article you’ll learn:
What is HTTPS?
What does HTTPS do?
What's the story with the little green lock?
Why the days of HTTP are numbered?
Should the sites you visit and your own site use HTTPS?
Where do I get started with HTTPS?
To understand what HTTPS is you’ll need to understand what HTTPS means, and for that you’ll need to define HTTP.
HTTP stands for Hypertext Transfer Protocol, which is the mechanism in which online data exchanges happen over the internet; it’s how we interact with websites and communicate information.
HTTPS is a combination of standard HTTP with enhanced web protections-the “S” in HTTPS actually stands for “secure.” The heightened security takes the form of two techniques to protect web traffic:
Transport Layer Security (TLS)
Secure Sockets Layer (SSL)
But like most acronym-heavy tech terminology, the devil is in the details.
HTTPS protects information online via a multifaceted approach-let’s call it the three vowels (I,A,E) of HTTPS security:
Integrity: locks down connections to avoid any unseen corruption or vandalized data during transmission.
Authentication: prevents “man-in-the-middle attacks” by assuring the intended website is the bonafide version.
Encryption: encodes or scrambles information to protect data transmissions from the prying eyes of hackers or other snooping parties.
Phil Hagen, a SANS instructor on Advanced Network Forensics and Analysis and evangelist at Red Canary explains that HTTPS insulates online communications with better encryption-this creates a kind of secure transaction between the user and website to protect data.
“The use of encryption minimizes the opportunity for a third party to eavesdrop on or modify those communications. To establish the secured connection, the web browser and web server software first negotiate the security parameters then mathematically establish a set of values (“key material”) required to properly encrypt the traffic,” Hagen said.
Here’s a simplified way to think about HTTPS encryption and key material: imagine that in order to encrypt and decrypt data you have to shake hands.
There are two ways to give a handshake:
"Public" handshake- shared with everyone.
"Secret" handshake- kept private.
Everyone-clients (you) and servers (websites)-has both a “public” and “secret” handshake at their disposal. Through a combination of these handshakes, the encoding and decoding process happens. For example, if you visit GetApp.com, your browser and GetApp negotiate the security of the connection through a back-and-forth of handshakes. At this point, a sort of referee to validate the agreement steps in called a certificate authority (CA). If the CA is unable to authenticate one or both parties, the connection is cutoff immediately to protect against impersonation by a hacker. For a deeper dive, take a look at a technical definition of this process which is known as public-key cryptography.
While cruising around online, you may have noticed a padlock icon to the left of the URL. This icon represents the level of security of the current webpage you’re touring. Think of it like a check engine light on a car, spitting out a helpful code to convey status or diagnose a problem.
These locks all have to do with the verification of the certificates used for the site. Those certificates are purchased from a certificate authority (CA) and they’ll verify that the site you’re visiting is genuine. Certificates can be purchased from a variety of certificate authority providers at various price points.
This article will not go further into best practices for selecting a trustworthy CA, though a good rule of thumb is to choose same/similar CAs that major authority websites or big-name domains are using.
Below is a helpful visual guide of certificates with examples provided using Google Chrome:
Little green lock: The site’s certificate has been authenticated by a reputable certificate authority. You’re good to go.
Little green lock and a name in green lettering: This means the site has an extended validation certificate. The site has gone through more vetting with their chosen certificate authority to prove their site is legitimate-that they are who they say they are-to earn this certificate. This is the URL version of Twitter’s blue check mark. An example of this would be paypal.com.
Red triangle with an exclamation mark, “https” with a red slash through it, or warnings: This is when you should find an alternative site or proceed with extreme caution. Don’t panic (but also don’t hand over sensitive info) if you see this warning. It could be due to a number of reasons including an expired certificate, malware or something amiss going on with the site, or something as simple as your computer having the date/time wrong (certifications need to sync with your date/time to pass authentication).
(Only in Google Chrome) Lower case “i” with a circle around it: This is a “not secure” flag for sites that haven’t made the transition fully from HTTP to HTTPs. It’s typical of older domains that possess sizable archives of legacy web content-and are therefore collecting personal information or credit card data without using the HTTPS protocol.
From the standpoint of security, the benefits of HTTPS are clear, and Ondrej Krehel, founder and CEO of the cybersecurity intelligence firm LIFARS captures the heart of HTTPS’ value to site developers.
“Using HTTPS on your website builds trust with your visitors and especially if you are running an online store or accepting credit cards and/or collecting personal information, you should always use HTTPS, otherwise you are risking not just your data, but your visitors’ data as well,” Krehel said.
The value of HTTPS has been made plain to site owners, and yet Pure Oxygen Labs, a technology services company focused on mobile deep linking and SEO, estimates that 40 percent of the internet retailer 100 (IR100) are electing to stick with using HTTP in the face of security risks to customer data.
Google, in efforts to put pressure on these holdouts and incentivize a move to HTTPS have put in effect the following changes across the G Suite:
HTTPS has been given a slightly elevated status as a SEO rank influencer.
HTTP Websites with text fields collecting any personal data now emit a "Not Secure" warning in Chrome browsers.
Launched a Chrome blog series to help evangelize Google's "Encryption Everywhere" movement, to inform site owners of the better privacy, security, and performance gains when using HTTPS.
But It’s important to be clear on this: HTTPS encrypts the transmission of your data, but as Ondrej Krehel of LIFARS reminds us, that does not mean that your computer is protected against other methods of cyber-attack.
“HTTPS will not help prevent that your website will not be hacked. It will also not protect you from malware or DDoS (Denial of Service) attacks. It will, however, ensure that you are securely transmitting information to and from a website.” Krehel said.
HTTPS isn’t foolproof, but it is one of the best security methods to protect data and secure web traffic. With improvements over HTTP and SEO incentives to make the switch, HTTPS is the future of the web (for now).
There’s lots of information out there, but here are a few links to get you started with adopting HTTPS for your site. Make sure to check out GetApp’s listing of IT security solutions to bolster your company’s total security coverage: