More than half of the pages viewed on the Web are now delivered over HTTPS. Your site should be among them. It improves not only your site’s security but also its search engine performance.
There are two ways to access Web pages: by HTTP and by HTTPS. HTTP sends everything as plain, unencrypted data. A connection between a browser and a server passes through a series of hops (the local network, the ISP, intermediate carriers), and anyone along the path can read or even change the data. If the change is made carefully, neither side will notice. This is called a “man-in-the-middle” (MITM) attack.
HTTPS encrypts the data so that no one along the path can read it, and authenticates it so that any attempt to change it is detected and the connection fails. As an extra benefit, the certificate check assures the browser that it is talking to the server that owns the domain name and not an impostor.
How secure Web connections work
HTTPS runs HTTP over SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security). TLS is the correct name for the modern versions, but the name SSL has stuck. It secures both directions of the connection and relies on a Public Key Infrastructure (PKI): a domain has a private key, which never leaves the server, and a matching public key, which is published in its SSL certificate.
A site needs an SSL certificate in order to serve pages by HTTPS. It can generate its own self-signed certificate with free software, but that establishes nothing about its identity: anyone can make a certificate claiming any name. The certificate needs to be digitally signed by a certificate authority (CA), which checks that the applicant controls the domain before signing. A small number of CAs are root authorities; their certificates are built into browsers and operating systems. A certificate is trusted only if a chain of CA signatures leads from it, usually through one or more intermediate CAs, back to a root the browser already trusts.
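To see the difference between a self-signed certificate and a CA-signed chain in practice, here is an added example (not from the original article) that builds a throwaway root CA, intermediate CA and site certificate with the openssl command-line tool and then runs the same checks a browser performs before showing the padlock. The names “Example Root CA”, “Example Intermediate CA” and “www.example.com”, and the temporary working directory, are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): a throwaway PKI built with
# openssl to show why a self-signed certificate proves nothing about identity
# while a CA-signed chain does. The CA names, the hostname www.example.com and
# the working directory are assumptions for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# gen_chain: create root CA -> intermediate CA -> site certificate, plus a
# self-signed certificate for the same hostname that no CA has signed.
gen_chain() (
    cd "$WORK"
    # Minimal openssl config so the demo does not depend on the system openssl.cnf.
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.com
EOF
    # Root CA: self-signed, flagged as a CA so it may sign other certificates.
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root CA" -extensions v3_ca \
        -keyout root.key -out root.pem 2>/dev/null
    # Intermediate CA: a request signed by the root, again with CA:TRUE.
    openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -days 2 -sha256 -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile req.cnf -extensions v3_ca -out inter.pem 2>/dev/null
    # Site certificate: a request signed by the intermediate, hostname in the SAN.
    openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -days 2 -sha256 -in leaf.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -extfile req.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
    # Self-signed certificate for the same hostname: right name, no CA behind it.
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=www.example.com" -extensions v3_leaf \
        -keyout self.key -out self.pem 2>/dev/null
)

# verify_cert CERT HOSTNAME [INTERMEDIATE]: succeed only if CERT chains back to
# root.pem (through INTERMEDIATE, if given, offered as an untrusted link) and
# carries HOSTNAME. This is the check a browser makes before trusting a site.
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$3" \
            -verify_hostname "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
    fi
}

# report CERT HOSTNAME [INTERMEDIATE]: human-readable wrapper around verify_cert.
report() {
    if verify_cert "$@"; then echo "trusted:     $1 for $2"; else echo "NOT trusted: $1 for $2"; fi
}

gen_chain
report "$WORK/leaf.pem" www.example.com  "$WORK/inter.pem"  # full chain to the root: trusted
report "$WORK/leaf.pem" www.example.com                     # intermediate missing: chain is broken
report "$WORK/self.pem" www.example.com  "$WORK/inter.pem"  # self-signed: nobody vouches for it
report "$WORK/leaf.pem" shop.example.com "$WORK/inter.pem"  # right chain, wrong hostname
```

Run it with a POSIX shell and OpenSSL 1.1.1 or later. The first check passes because the site certificate chains through the intermediate to a root we told openssl to trust. The second fails because the intermediate is missing, which is exactly what visitors see when a site installs its own certificate but forgets the CA’s intermediate. The third fails because nobody vouches for the self-signed certificate, and the fourth because the name in the certificate does not match the host being visited.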
Why connection security is important
This is especially important to online stores and anyone else handling money or credit cards online, but it isn’t enough to serve only the form submission over HTTPS. Everything on the site should be HTTPS. A MITM attacker can alter a page that was delivered over HTTP so that its form posts the data somewhere else, and a session cookie set without the Secure flag travels in the clear on every HTTP request, where it can be copied and replayed.
In the worst case, MITM interception can redirect all your traffic to another site that impersonates yours. The fraudulent site can damage your reputation by replacing your content with pornography or a bigoted manifesto, or trick users into handing over personal information.
An eavesdropper doesn’t have to do anything overtly harmful to invade users’ privacy. A public Wi-Fi hotspot can collect data on users for any purpose. Have you ever logged into a hotspot in a shopping mall that demanded your email address to let you connect? It could collect information about the sites you visit for its own marketing purposes. A less honest hotspot operator might use the information for blackmail. The people who use your website deserve more privacy than that.
Google has started warning users of the Chrome browser when pages with password or credit card fields aren’t served over HTTPS. Eventually it may extend this warning to all HTTP pages. If it did that today, it would flag almost half of all pages accessed, and users would just ignore the warning. Google is clearly hoping that the push to HTTPS will grow until pages without it are rare. Once that happens, the expanded warnings will give the remaining site owners a push to catch up.
Over the years, fewer sites will neglect security, and those that do will become prime targets: “HTTP” in the address bar becomes a signal that the site isn’t keeping its defenses up in general. A site that hasn’t bothered with HTTPS is probably not paying much attention to SQL injection or cross-site scripting either. It’s like hanging a “Please hack me” sign on the page.
Using HTTPS helps search ranking
Having HTTPS helps with SEO as well as security. In 2014, Google started giving a better search rank to sites that use HTTPS. So far it’s not a large factor, but its weight is likely to increase over time.
There’s a right way and a wrong way to do it. Changing all URLs from HTTP to HTTPS and doing nothing more is the wrong way: every old link, bookmark and search result will break. Another wrong way is to add HTTPS but serve it only when explicitly requested. Most people type “www.example.com” rather than “https://www.example.com”, and the browser tries HTTP first, so they get the unsecured version.
The right way is to redirect every HTTP URL to its HTTPS equivalent with a permanent (301) redirect, so that old links keep working and search engines transfer the ranking to the new URL. On the site, all internal links, including canonical tags and the sitemap, should be HTTPS or relative URLs. After making the changes, site administrators should watch their analytics and check the site in Google Search Console (formerly Webmaster Tools). A mistake can cause a huge drop in traffic, and it’s important to catch it as fast as possible.
The Electronic Frontier Foundation has pushed “HTTPS Everywhere,” a browser extension that automatically switches to HTTPS on sites that offer it but don’t redirect properly. (Browsers have since built in an HTTPS-only mode of their own, and the EFF has retired the extension.) It helps the people who have it installed, but a site should make HTTPS the default to gain all its benefits. The plugin is just a stopgap.
HTTPS enables new features
Another benefit of HTTPS is that it unlocks features the browser offers only to secure pages. Progressive Web applications are a hot trend in Web development. They provide the speed and power of installable applications while living in the user’s browser: they load faster and keep working, in part, when the device is offline. The service worker that makes this possible is available only on HTTPS pages, so HTTPS is a requirement for progressive apps.
Newer browser APIs, such as access to the microphone, camera or location, require explicit user permission before they work. Browsers offer them only on HTTPS pages: on a plain HTTP page, anyone in the path could inject script into a page the user has already granted camera access to, so the permission would effectively go to whoever controls the connection. A plain HTTP page can’t use those features.
Moving to HTTPS
The steps for moving a website to HTTPS aren’t very difficult.
- Use a hosting service that supports current versions of TLS (1.2 and 1.3) and keeps its TLS library patched. Old protocol versions (SSLv3, TLS 1.0) have known weaknesses, and outdated library builds carry implementation bugs such as OpenSSL’s “Heartbleed,” so being up to date matters.
- Obtain an SSL certificate from a reliable certificate authority, prove that you control the domain, and install it together with the intermediate certificates the CA provides.
- Set up your server to deliver all pages by HTTPS, to redirect HTTP requests permanently (301) to the HTTPS versions, and, once everything works, to send the HTTP Strict Transport Security (HSTS) header so browsers stop trying HTTP at all.
- Update all links under your control, including canonical tags, sitemaps and links in email templates, to point at the HTTPS version.
- Test thoroughly: look for mixed-content warnings in the browser console, and check the site in Google Search Console (formerly Webmaster Tools).
- Fix any problems immediately.
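The steps above, and the “right way” described under search ranking, worked as an added example that is not the article’s own code: a small POSIX shell helper that prints an nginx configuration for the redirect and TLS settings, audits a saved HTML page for plain http:// references, and rewrites the ones that point at your own host. The host name www.example.com, the certificate paths and the sample page are assumptions; the page is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-launch helper for the
# HTTPS move. The host name, certificate paths and sample page are assumptions.
set -eu

# redirect_conf HOST CERT KEY: print an nginx configuration that redirects every
# HTTP request permanently (301) to HTTPS and serves the site with TLS 1.2/1.3.
redirect_conf() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    # 301, not 302: search engines treat it as a move and carry the ranking over.
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $1;
    ssl_certificate     $2;
    ssl_certificate_key $3;
    ssl_protocols TLSv1.2 TLSv1.3;
    # HSTS: browsers that have seen this header skip the HTTP hop next time.
    # Start with a short max-age; raise it once every page and subdomain works.
    add_header Strict-Transport-Security "max-age=300" always;
    root /var/www/$1;
}
EOF
}

# insecure_refs FILE: print every href/src/action attribute whose value is a
# plain http:// URL. Each one is a broken link or a mixed-content warning waiting
# to happen once the page is served over HTTPS.
insecure_refs() {
    grep -oE '(href|src|action)="http://[^"]*"' "$1" || true
}

# count_insecure_refs FILE: number of such references (0 when the page is clean).
count_insecure_refs() {
    insecure_refs "$1" | awk 'END { print NR }'
}

# fix_internal_links FILE HOST: rewrite http://HOST/... references to
# https://HOST/... and print the result. References to other hosts are left
# alone: each needs a real decision (switch to its https version, or drop it).
fix_internal_links() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -E "s#(href|src|action)=\"http://$esc/#\1=\"https://$2/#g" "$1"
}

# Constructed sample page, standing in for a page saved from the old HTTP site.
SAMPLE="${SAMPLE:-$(mktemp)}"
cat > "$SAMPLE" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/products/">
<script src="http://www.example.com/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://www.example.com/about/">About</a>
<a href="/contact/">Contact</a>
<img src="http://images.example.org/banner.png">
<form action="http://www.example.com/checkout" method="post"></form>
</body></html>
EOF

FIXED="$SAMPLE.fixed"
echo "insecure references before: $(count_insecure_refs "$SAMPLE")"
fix_internal_links "$SAMPLE" www.example.com > "$FIXED"
echo "insecure references after:  $(count_insecure_refs "$FIXED")"
echo "left for manual review:"
insecure_refs "$FIXED"
echo
echo "nginx configuration to install:"
redirect_conf www.example.com /etc/ssl/certs/site.pem /etc/ssl/private/site.key
```

On the sample page the audit finds six plain-HTTP references; after the rewrite only the image on a third-party host remains, which is the kind of thing Search Console and the browser console will keep reporting until you find an HTTPS source for it. The certificate file handed to nginx should contain the site certificate followed by the CA’s intermediate certificates, otherwise some browsers will fail to build the chain.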
If everything goes well, this will be a smooth transition, but it’s best to do it during a slow time such as a holiday. Make sure you can roll back to the old version if things go seriously wrong. Once your HTTPS site is working, you and your users have better security, there won’t be any warnings to scare people away, and you’ll get a benefit in your search rank. Contact us to get started on setting up a securely hosted website.