Hyper Text Transfer Protocol Secure (HTTPS) is the process which data is sent between a
browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for
‘Secure’ and means all communications between a browser and a website are encrypted.
HTTPS is used to protect highly confidential online transactions like online banking and
online shopping order forms. Web browsers such as Internet Explorer, Firefox and Chrome
display a padlock icon in the address bar to show that a HTTPS connection is in effect.
“Both Google and Mozilla now report that at least 50 percent of web
traffic from their respective browsers is encrypted with HTTPS, the
secure Internet protocol that helps protect users from tracking and
other malicious activities.”
How Does HTTPS Work?
HTTPS pages typically use one of two secure protocols to encrypt communications:
SSL – Secure Sockets Layer
TLS -Transport Layer Security
Both the TLS and SSL protocols use an ‘asymmetric’ Public Key Infrastructure (PKI) system.
An asymmetric system uses two ‘keys’ to encrypt communications, a ‘public’ key and a
‘private’ key. Anything that is encrypted with the public key can only be decrypted by the
private key and vice-versa.
The private key should be kept strictly protected and only be
accessible the owner of the private key. In the case of a website, the private key remains
securely hidden on the web server. The public key is intended to be distributed to anybody
and everybody that needs to be able to decrypt information that was encrypted with the
What is a HTTPS certificate?
When you request a HTTPS connection to a web page, the website will initially send its SSL
certificate to a browser. This certificate contains the public key needed to begin the secure
session. Based on this exchange, a browser and a website then initiate the ‘SSL handshake’.
The SSL handshake involves the generation of shared secrets to establish a uniquely secure
the connection between the website and yourself.
When a trusted SSL Digital Certificate is used during a HTTPS connection, users will see a
padlock icon in the browser address bar. When an Extended Validation Certificate is installed
on a website, the address bar will turn green.
Why is an SSL Certificate Required?
All communications sent over regular HTTP connections are in ‘plain text’ and can be read by
any hacker that manages to break the connection between a browser and a website. This
presents the clear danger if an order form, which includes credit card details or social security
numbers are put into an unsafe site. With a HTTPS connection, all communications are
securely encrypted. This means that even if somebody managed to break the connection,
they would not be able to decrypt any of the data which passes between you and the website.
Accessing information publicly
With public-key cryptography, an attacker can watch every single byte of data exchanged
between your client and the server and not know what you are saying to each other beyond
roughly how much data you are exchanging. However, your normal HTTP traffic is still very
vulnerable on an insecure Wi-Fi network, and a fragile website can fall victim to any number
of workarounds that somehow trick you into sending HTTPS traffic either over plain HTTP
or just to the wrong place completely.
For example, even if a login form submits a username/password combo over HTTPS, if
the form itself is loaded insecurely over HTTP then an attacker could intercept the form’s
HTML on its way to your machine and modify it to send the login details to their own
Advantages to switching to HTTPS
HTTPS makes your website more secure. However, there are limits to this as it’s not going to
prevent your website from getting hacked. It’s not going to stop phishing emails getting sent,
either. If you’re using a content management system (CMS), like WordPress, or you have any
other login where you host any kind of sensitive data, then setting up a secure HTTPS login
is the absolute minimum precaution you should take.
In reality, HTTPS is the basic price of security these days. It’s the very minimum you can offer
your visitors. Aside from security, HTTPS also improves trust.
According to research performed by GlobalSign, more than 80% of respondents would abandon
a purchase if there was no HTTPS in use. There is also evidence that the use of security seals can
improve lead generation by over 40%.
HTTPS improves conversion and trust for businesses who don’t take online payments. Your
visitors pay attention to your site’s security and who does Google. Security is important to
Google’s SEO and they rank companies with HTTPS higher. The best reason to switch to HTTPS
is to future-proof your website.
Disadvantages against switching to HTTPS
Recent research has shown that for smaller B2B websites, the importance of HTTPS is low. The
reasons include a lack of awareness of the growing significance of SSL or the apparent difficulty
of switching to HTTPS, and in particular, the potential negative SEO impact.
SEO is one of the most important considerations, especially for websites that have a good ranking.
Pages accessed by HTTPS can never be cached in a shared cache. Since the conversation between
browser and server are encrypted, intermediate caches are unable to see the content to cache it.
— Maria Johnsen (@iMariaJohnsen) March 15, 2017
Some firewall or proxy systems may not allow access to HTTPS sites. Sometimes this is simply
because the administrators have overlooked the allowance for HTTPS. However sometimes it is
a conscious security decision: since HTTPS connections are end-to-end encrypted, they can be
used to carry any traffic at all. Allowing them through a firewall, which then has no way to look
inside the data stream, could allow any sort of data transfer (in either direction).
HTTPS offers the base level of website security. Whether or not you should switch to HTTPS is a
decision increasingly being driven by Google’s search algorithm. Switching to HTTPS is fairly
straightforward for smaller websites. For larger websites, it’s more complicated, from an SEO
perspective and requires skilled technical staff to make the changes.
HTTPS is not unbreakable, and the SSL process has to evolve constantly due to new attacks against it
are discovered. However, it is still an impressively strong way of transmitting secret data without caring
who sees your messages. The key thing to remember is that whilst HTTPS keeps data safe on the wire
to its destination, it in no way protects you (as a user or a developer) against XSS or database leaks or
anything else. Be careful and stay vigilant.