When I look at local websites in the area, and even some national ones, I am amazed by how many are still not using HTTPS. Google essentially made HTTPS a requirement for any reputable website starting with Google Chrome 68 in July 2018. The other major browsers, including Firefox, Safari, and others, soon followed suit. Websites that still use the old HTTP designation are now listed as insecure, and in some cases Chrome will not take you to the website without first showing a warning and asking whether you want to proceed.
What is HTTP and HTTPS?
HTTP stands for “Hypertext Transfer Protocol,” and HTTPS is the same protocol with an “S” for secure. In the old days of the internet, most websites transmitted data with the HTTP protocol as unencrypted plain text. If a middleman was watching the data transfer, any of that data could be intercepted and recorded, including credit card data, passwords, or anything else in the stream. Most of the time the data was not intercepted, but it sometimes happened, so why incur the risk?
Netscape, one of the older browsers from the early days of the internet, invented the HTTPS protocol, which encrypts the data from the website to the user and back, thereby blocking the ability to intercept the data in a meaningful way. Around 2017 Google started to recommend HTTPS for websites and essentially made it a requirement in 2018, with improved Search Engine Optimization (SEO) for the sites that had it as a carrot.
The two protocols also use two different internet ports. HTTP uses Port 80 and HTTPS uses Port 443.
What is HTTPS and why should I use it?
HTTPS uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to encrypt the data going between the user and the website and vice versa. This is done through a certificate that is either bought from a certificate authority such as Verisign or acquired for free from Let’s Encrypt. Because the free certificates are so ubiquitous, there is really no reason your website should be insecure.
HTTPS provides Encryption, Integrity, and Authorization for your website in the major search engines. In addition, as stated above, HTTPS improves your search engine rankings and also improves your reputation as a website owner who cares about the end user, thereby getting more leads.
If you are doing eCommerce, the HTTPS protocol allows your site to be PCI compliant and is a requirement for this. You also need the HTTPS protocol to use AMP (Accelerated Mobile Pages) on smartphones.
How exactly does the Security work?
SSL and TLS are examples of Asymmetric Encryption, where the encrypting and decrypting keys are different. In this case, a public key is used for the encryption and a private key, held on the website server, decrypts the incoming data. There is also Symmetric Encryption, which is what Wi-Fi uses, where the router and computer use the same password.
How can you, the user, tell if a site is using HTTPS?
Besides showing https in the address of the website, sites that use the security protocol will also have a padlock to the left of the address. If the padlock is there, you can rest assured that the site is protected and that your privacy is protected. As stated above, it also shows that the site owner is concerned about the users of the site.
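As an added example (not part of the original article), the following Python code performs the check a browser makes before it shows the padlock: it connects to port 443, validates the certificate against the system's trusted certificate authorities, and reports who issued it and how many days remain before it expires. The function names and the sample certificate are constructed for illustration; run it with a hostname as an argument to check a live site, or with no argument to use the sample.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Connect to the HTTPS port and return the validated certificate."""
    # The default context verifies the chain against the system trust store
    # and checks the hostname; a bad certificate raises ssl.SSLError here.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def summarize(cert, now=None):
    """Reduce a getpeercert() dict to issuer, DNS names and days remaining."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "names": names,
        "days_left": (expires - now).days,  # negative once expired
    }

# Constructed sample in the shape ssl.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        try:
            print(summarize(fetch_cert(sys.argv[1])))
        except (ssl.SSLError, OSError) as exc:
            print(f"{sys.argv[1]}: no trusted HTTPS connection: {exc}")
    else:
        fixed_now = datetime(2030, 5, 2, 12, 0, tzinfo=timezone.utc)
        print(summarize(SAMPLE_CERT, fixed_now))
```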
To sum up the above:
It is always best practice to incorporate SSL or TLS in your website. Let’s Encrypt is a non-profit that provides free SSL certificates that are arguably as good as the paid ones. Going further, some web hosts provide SSL certificates as part of their hosting plans. If you have a site that is still using HTTP, try to add an SSL certificate or ask your webmaster to add one. It will be best for you and for your users.