If I asked you what HTTPS is, would you be able to tell me? Let's be honest, a large proportion of people aren't going to have a clue. Some might know a bit about it ("It's the green padlock" or "It's the thing in the address bar on some sites") whilst others may understand it but not see the importance. (High five if you're a believer in it whether you understand it or not!)
In this article, I'm primarily aiming to convince those who don't see the importance why they should use it. But if you're not one of those people you may well find it to be interesting anyway.
What is HTTPS?
HTTPS stands for "Hypertext Transfer Protocol Secure" and is the secure version of HTTP, which is used to send data between your browser and web servers. As you may or may not know, the easiest ways to tell if a website is using HTTPS are the green padlock, the "Secure" message or the start of the URL "https://" - all of which you can see here:
Now, by "secure version" I mean encrypted. The encryption applies to all the data flowing between your browser and the website, so (providing everyone's using modern encryption) that data can't be read by anyone who intercepts it (and, importantly, can't be altered).
Why should I use HTTPS?
HTTPS is faster and (ignoring the "coolness" of a super-fast website) speed is widely regarded as one of the main factors affecting user interaction. Obviously, if a site is slow people are going to look elsewhere, which I'm sure we can agree isn't a good thing. Here are some of the main features that increase speed:
There's a newer version of the HTTP protocol called "HTTP/2" and it has massive advantages in many different areas including speed. In order to use HTTP/2 you need HTTPS as modern browsers (such as Chrome, IE, Firefox, Safari, Opera, Edge etc) only support it via HTTPS.
One of the main advantages of HTTP/2 is its multiplexing capability, which basically allows multiple requests for resources to be made simultaneously rather than one at a time. Obviously, this provides a rather nice performance boost.
It stops Content Injection
Now this one is quite interesting; some network owners feel they should alter the websites you visit to show advertising or other information. Unfortunately, this is awful for security and could easily be used maliciously. Oh, and do I need to mention it's downright annoying?
The best example of this that I've seen is this one posted by Troy Hunt on Twitter:
The image is a screenshot taken on a phone viewing his website. The problem is the "Norwegian" bit at the top. This has been added into the page's code by Norwegian airlines, who intercepted and altered it during transit. They wouldn't be able to alter content like this if the site was accessed over HTTPS.
Users are most likely going to notice the warning browsers now display on websites not using HTTPS. Rather than the green "Secure" and the padlock, Chrome, for instance, now shows a "Not secure" message to the left of the URL on HTTP pages with password or credit card fields. Other browsers such as Firefox also do this.
It's worth mentioning that Chrome will be regarding any HTTP page with an input form of any kind (including things like search boxes) as not being secure and will display the "Not Secure" message. This change will be coming to Chrome in the near future.
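For site owners who want to find affected pages before their users do, here is an added example (not code from the original article or from any browser) that applies the two rules just described to a page's HTML. It only approximates browser behaviour: the verdict labels, the `audit` function and the use of `autocomplete` tokens to recognise card fields are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Autocomplete tokens that mark payment-card fields (assumed detection method).
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}
# Input types that carry no user-entered data.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}


class InputCollector(HTMLParser):
    """Collects the form fields on a page, split by sensitivity."""

    def __init__(self):
        super().__init__()
        self.sensitive = []   # password / card fields
        self.other = []       # any other field the user can fill in

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or tag
        if tag == "input":
            itype = a.get("type") or "text"
            tokens = set(a.get("autocomplete", "").split())
            if itype == "password" or tokens & CARD_TOKENS:
                self.sensitive.append(name)
            elif itype not in NON_DATA_TYPES:
                self.other.append(name)
        elif tag in ("textarea", "select"):
            self.other.append(name)


def audit(url, html):
    """Return (verdict, fields) for one page, following the two rules in the text."""
    if urlsplit(url).scheme.lower() == "https":
        return "ok", []
    c = InputCollector()
    c.feed(html)
    if c.sensitive:
        return "not-secure-now", c.sensitive    # password or card field on HTTP
    if c.other:
        return "not-secure-soon", c.other       # any input form on HTTP
    return "no-warning", []


# Constructed sample pages (not taken from any real site).
LOGIN = '<form><input name="user"><input type="password" name="pw"></form>'
SEARCH = '<form><input type="search" name="q"><input type="submit"></form>'
```

Run `audit` over each URL and response body from a crawl of your own site; anything other than "ok" or "no-warning" is a page to move to HTTPS first.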
I'll go off topic slightly here because I want to share a quick story. A little while ago, a site that quickly became well known, http://oilandgasinternational.com/, filed a bug report with Mozilla (the makers of Firefox):
Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.
Not at all surprisingly, their site was swiftly hacked and their database deleted, all because they complained about the "Not secure" warning that was shown on the login form because they weren't using HTTPS. Nice work.
In the world of SEO (Search Engine Optimization) every tiny boost is worth a lot in the highly competitive world of the internet. Back in 2014, Google announced that they'd give a small SEO boost to sites that use HTTPS. It's likely that the difference it makes is only going to increase as time goes on.
Browsers require HTTPS for certain features
Chrome announced a fair while back that certain features wouldn't be usable for insecure origins. These features are as follows:
- Device motion / orientation
There's also the fact that both the Apple and Android app stores require HTTPS (as I'm sure others do as well) if you want the content to be accessible in the app.
HTTPS is easy and cheap
Nowadays it's super simple to enable HTTPS on your site and the once relatively high costs of buying a certificate are no longer a problem thanks to Let's Encrypt (free certificates! Woooooo!) and the ACME protocol.
Encryption also requires very little in the way of resources and a Google employee said that encryption accounts for around 1% of the load on their servers for Gmail back in 2010. It's true that TLS (Transport Layer Security) used to be computationally expensive but it's simply no longer the case.
To summarise, HTTPS doesn't just encrypt login details and other information that users enter on a website. It encrypts all the data transferred between the user and the web server, including things like HTTP headers. Also, providing the private key is kept secure, HTTPS guarantees the integrity of the website and also its authenticity. Finally, it does all of this whilst providing access to a valuable performance boost and user trust.
Am I basically saying there are no downsides to using HTTPS? Well, basically - yes. If someone complains that it causes problems or doesn't work with something then it's likely that the "thing" isn't up to scratch for the threat-riddled online world which we all live in. So website owners, go over to Let's Encrypt, grab yourself a free certificate and get encrypting! Oh, and feel free to tell anyone you know who runs a website why they should be using HTTPS if they aren't already.