Picture this scenario: you’re creating a website for your boss, and your boss is adamant that you use HTTPS. You have heard the term, and perhaps you have worked on an HTTPS site or two, but maybe you’re not exactly sure what the technical details are all about.
In simple terms, HTTPS is a protocol used to encrypt information sent from one computer or device to another. When you visit a website via your web browser, the site uses HTTPS to ensure that all communications are encrypted and safe from snooping eyes.
HTTPS, or hyper-text transfer protocol (secure), has been around since the early 1990s but only recently has it become widespread in terms of both adoption and usage. In fact, according to Google, the majority (99%) of global web traffic uses HTTPS now. This means that you should also start using it, because it does a lot more than simply encrypt data before it gets sent from one place to another. It also makes sure that no third party intercepts or modifies the communication between two parties.
HTTPS was created to ensure safety and privacy online. The protocol requires every site to be secured with SSL certificates. These certificates contain sensitive information such as username, passwords, credit card details, etc., and they prevent those credentials from being intercepted. That said, HTTPS offers other benefits too, such as preventing session hijacking attacks and ensuring security during e-commerce transactions.
For websites, HTTPS provides a number of advantages. First off, it prevents browser errors and improves user experience (UX). Second, it protects sites against cyber crime by blocking malicious redirects. Finally, HTTPS helps you rank higher in Google searches, especially for mobile devices.
There is good reason why Google decided to move forward with implementing HTTPS as a standard, and why it’s of great importance to anyone surfing the web worldwide.
Why is HTTPS Important?
HTTP (a normal web connection) is not encrypted by default. You need to explicitly tell your web browser that you want to send data in an encrypted way. The most common method of doing this is via the “s” flag on the URL.
This tells the browser that it’s a secure connection, and verifies the identity of the owner of the website. If the site owner does not have a valid certificate, then the browser will display a warning message to the user.
Notice that there are no flags at all with regular HTTP. This means that the connection between the browser and the server is unencrypted. Anyone who intercepts the request could read the contents of the page.
In contrast, when we add the “s” flag, we’re telling our browser to encrypt the entire connection. In addition, we’re also verifying the authenticity of the site. This allows us to be sure that the information we receive from the site is coming from the actual site itself, rather than someone else pretending to be the site.
This is why HTTPS is so important. When you visit a website using HTTPS, you know that everything you see is being sent securely, and that nobody is reading or modifying your data before sending it back to you.
How Does HTTPS work?
When you connect to a website through your web browser, the connection is made via TCP port 443. Port 443 is reserved for Secure Sockets Layer (SSL), which is a cryptographic protocol used to create a secure connection between two computers.
To make a secure connection, the first step is to authenticate each computer involved in the transaction. To do this, the browser sends its public key to the server. The server responds with its own public key, which is used to verify the identity of the server. Once the keys match, the connection is established.
Once the connection is established, the browser and the server exchange messages. These messages include the headers, body, and footers of the HTML document. They also include any cookies set by the server.
After the initial handshake, the browser and the server continue communicating until the browser closes the connection. At this point, the browser sends a close_notify message to the server. The response contains the status code indicating whether the connection was successful.
If the connection fails, the browser displays a warning message to the end-user. For example, if the server doesn’t respond to the authentication challenge, the browser may show a warning like this:
Warning!
Your connection is not private
Attackers might be trying to steal your information right now (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
What Happens If I Don’t Use HTTPS?
If you browse the web without HTTPS, you run the risk of having your personal information stolen. Your browsing history, search queries, and other activities are recorded by third parties. This includes advertisers, social media sites, and hackers.
For example, let’s say you go to a website that collects your email address. Without HTTPS, anyone watching your activity would be able to see what websites you’ve visited, as well as the content of those pages.
Without HTTPS, your browser will send your credentials to every website you visit. Even worse, if the website uses JavaScript to record your login details, they’ll be stored in plain text. Hackers could then access these records later, and try to log into your account.
Hackers could also use your IP address to track your movements online. By looking up your IP address on a site such as Whois, they could find out who owns the domain name. From there, they could learn more about you, including your home address, phone number, and employer.
Why Should I Use HTTPS?
HTTPS provides many benefits to users. Here are just a few reasons why you should start using HTTPS today:
Encryption
HTTPS encrypts all communications between your browser and the remote server. This means that no one else can read your data while it travels across the internet.
Data Integrity
HTTPS guarantees that the data you receive from a website is exactly the same as the data you originally requested. This prevents malicious software from tampering with your data.
Security
HTTPS makes sure that your data remains safe when traveling through the internet. In addition, it protects against eavesdropping attacks, which allow someone to listen in on your conversations.
Privacy
When you connect to a website via HTTPS, the site cannot view your browsing history, search terms, or other activities. This helps keep your privacy intact.
How Can I Tell Whether My Website Uses HTTPS?
There are several ways to check whether your website uses HTTPS. You can use a free tool called SSL Labs to test your website.
SSL Labs tests your website’s security by simulating how a hacker would attempt to break into your site. It checks for common vulnerabilities, such as weak password requirements, outdated certificates, and outdated versions of TLS protocols.
SSL Labs also looks at the performance of your website, and gives recommendations based on its findings. The results of the test include a grade, which ranges from A+ to F.
You can also look at the URL bar of your browser.
What Are the Benefits of Using HTTPS?
Using HTTPS offers several benefits to both users and developers. Let’s take a closer look at them.
When you use HTTPS, you increase security because it encrypts data as it travels across the Internet. When you connect to a website via HTTPS, your browser sends a request to the server. The server responds with the requested content, but instead of just displaying the response text, it encrypts it first.
Only after the browser decrypts the response text can it send it back to you.
This means that any eavesdroppers cannot see the contents of your messages. All they see is gibberish.
HTTPS also makes it easier to detect tampering. Because the data is encrypted before being sent, it becomes difficult for hackers to see your private information.
The Benefits of HTTPS to Users
HTTPS allows you to browse the web securely. When you’re logged into your bank account, you don’t want someone to steal your username and password. With HTTPS, your information is encrypted before it leaves your computer.
HTTPS also lets you know that the website you’re visiting is legitimate. If the website doesn’t have a valid certificate, it won’t appear in the list of trusted sites.
The Benefits of HTTPS to Developers
HTTPS is beneficial to developers because it reduces errors. For example, if you’re developing a mobile app, you may need to make API calls to external services. These calls often require authentication, but without HTTPS, you’d get a “401 Unauthorized” error message instead.
With HTTPS, however, you can simply add the necessary headers to your requests, and everything works fine.
What Are Some Common Problems That Could Occur When Not Using HTTPS?
Not using HTTPS can cause a number of issues. Here are a few examples:
Insecure Content
If you visit a website that isn’t secured, you might see content like this:
Since the page isn’t secured, anyone who visits the page will be able to access the file.
Malicious Software
If you visit a page that isn’t secured, it’s possible that malware could infect your system. Malware includes viruses, spyware, adware, and other malicious software.
Phishing Attacks
A phishing attack occurs when a person attempts to trick you into giving up personal information. They do so by sending you an email that appears to come from a trustworthy source. When you click on a link in the email, it takes you to a fake website. Once you’ve given away your login credentials, the attacker gains access to your accounts.
This type of attack is more likely to happen when you’re not using HTTPS. Since the connection between your device and the website is unsecured, hackers can intercept your communications and gain access to your sensitive information.
How Do I Know Whether My Website Uses HTTPS or Not?
There are two ways to find out. You can check the address bar of your browser, or you can look at the URL.
Address Bar
Your browser should display a lock icon next to the URL. If it does, then your site is protected by HTTPS.
URL
To view the URL of your website, go to the home page of your domain name. Then copy the entire URL. Paste it into a new tab in your browser, and press Enter.
Your browser should show the URL, including the protocol.
How Can I Use HTTPS?
There are several ways to use HTTPS. One way is to configure your web server to automatically redirect requests to HTTPS pages to their corresponding HTTP counterparts. Another way is to use a proxy server to force all connections between your users and your servers to be encrypted. Some offer more features than others.
To do this, you have to have an HTTPS certificate issued by a valid certificate authority. The most popular ones include Comodo, Symantec, DigiCert, GoDaddy, RapidSSL, Entrust, GeoTrust, GlobalSign, Thawte, and Verisign.
You also need to install the appropriate certificates on your web server. There are many different types of certificates available, depending on what you want to achieve. For example, there are wildcard certificates, which allow multiple domains to share a single certificate; Extended Validation Certificates, which verify the identity of the owner of the certificate; and Server Authentication Certificates, which authenticate the server itself.
Once you’ve installed the certificates, you must tell your web server how to handle incoming requests. In Apache, you would create a VirtualHost directive. In Nginx, you’d add a location block.
How Do I Know Whether My Site Should Be Using HTTPS?
If you run a website, you should always use HTTPS, especially if you are collecting user data. There are many reasons why this is important, including:
- Your users want to know that they are accessing your site securely.
- If you allow your users to log in to your site, then they will expect to be able to login securely.
- You want to make sure that your customers’ data is safe when they enter it into forms on your website.
- You want to ensure that your visitors are protected from malicious sites masquerading as yours.
- You want to avoid having your site listed in Google’s search results as “Not Secure.”
There is also a relatively minor ranking “boost” for HTTPS websites as opposed to HTTP. And it is quite minor, as it is only used as a tie-breaker factor.
Why Not Use Both HTTP And HTTPS?
It is possible to use both HTTP and HTTPS simultaneously. For example, you might use HTTPS for any pages that contain sensitive information, and HTTP for all others.
However, there are some disadvantages to doing this. Firstly, it makes it more difficult for users to find your site. Secondly, it means that you need to maintain two different versions of each page. Thirdly, it increases the load on your server. Finally, it means that your users will see two different URLs for the same page.
When Can I Switch From HTTP To HTTPS?
There are three main times when you should switch from HTTP to HTTPS:
- When you first launch your site.
- When you change your domain name.
- When you add a new subdomain.
When You First Launch Your Site
This way, people visiting your site will immediately know that they are accessing a secure site.
Changing Your Domain Name
If you have changed your domain name, you may wish to redirect old links to your site to the new address. This is done by adding a line like this to your .htaccess file:
This tells Apache to send anyone who visits the old URL to the new one.
Adding A New Subdomain
If you have added a new subdomain, you will need to update the DNS records for your domain to point to the correct IP address. If you do not do this, your visitors will be unable to reach your site.
HTTPS Best Practices
Best practices for implementing HTTPS include using a certificate authority. In addition, you want to make sure that you’re using a wildcard certificate. This helps make sure that any errant links you might have on your website don’t go to the wrong version of the URL that’s not currently covered by your certificate.
Source: developers.google.com
“Decide the kind of certificate you need: Single certificate for single secure origin (www.example.com). Multi-domain certificate for multiple well-known secure origins (for example, www.example.com, cdn.example.com, example.co.uk). Wildcard certificate for a secure origin with many dynamic subdomains (for example, a.example.com, b.example.com).”
Use Permanent Redirects When Redirecting from HTTPS
Permanent redirection is a technique used to direct users away from a non-secure URL to a secure version of the same URL. This is useful because browsers often cache the results of previous requests, so users don’t always get redirected back to the original URL.
To implement permanent redirection, create a .htaccess file containing the following lines (assuming you have an Apache server):
This would be the starting code:
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
Then, the syntax for the redirect is:
Redirect 301 /whatever-the-old-page-is.html https://domainexample.com/whatever-the-new-page-is.html
This instructs Apache to redirect all requests for the old URL to the secure URL.
Note that the above code uses mod_rewrite rules. These allow you to rewrite URLs without having to modify your HTML or CSS files.
This is important: do not use mod_rewrite unless you know 100 percent what you are doing. Otherwise, you could potentially break your web server and need professional help from tech support to fix it.
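The redirect above is easy to get subtly wrong (a temporary 302 instead of a 301, a Location that points back at http://, or a chain of several hops). The following script is an added example, not code from the article: it takes captured redirect responses (constructed here by hand, in a minimal dict shape rather than a real HTTP library object, using the article’s placeholder host domainexample.com) and reports the findings a reviewer would want before declaring the migration done.

```python
"""Validate captured HTTP -> HTTPS redirect responses.

Added example, not code from the original article: the responses below are
constructed by hand to look like what a server might return for the old URL,
and domainexample.com is the placeholder host the article itself uses."""
from urllib.parse import urlparse

PERMANENT = {301, 308}
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed responses in a minimal dict shape (not a real HTTP library object).
GOOD = {
    "request_url": "http://domainexample.com/whatever-the-old-page-is.html",
    "status": 301,
    "headers": {"Location": "https://domainexample.com/whatever-the-new-page-is.html"},
}
TEMPORARY = dict(GOOD, status=302)
DOWNGRADE = dict(GOOD, headers={"Location": "http://domainexample.com/whatever-the-new-page-is.html"})
TO_WWW = {
    "request_url": "https://domainexample.com/whatever-the-new-page-is.html",
    "status": 301,
    "headers": {"Location": "https://www.domainexample.com/whatever-the-new-page-is.html"},
}


def check_redirect(response):
    """Return findings for a single redirect hop; an empty list means it is fine."""
    findings = []
    status = response["status"]
    location = response["headers"].get("Location")
    if status not in REDIRECTS:
        return [f"status {status} is not a redirect"]
    if status not in PERMANENT:
        findings.append(f"status {status} is temporary: browsers will not cache it, use 301 (or 308)")
    if not location:
        return findings + ["redirect has no Location header"]
    src, dst = urlparse(response["request_url"]), urlparse(location)
    if dst.scheme != "https":
        findings.append(f"Location scheme is {dst.scheme!r}, not https: clients stay unencrypted")
    # A hop to the www. form of the same host is the canonicalisation the article's rules perform.
    if dst.hostname not in (src.hostname, "www." + (src.hostname or "")):
        findings.append(f"Location moves to a different host: {dst.hostname}")
    return findings


def check_chain(responses):
    """Check the sequence of hops a client would follow, in order."""
    findings = []
    for i, resp in enumerate(responses, 1):
        findings += [f"hop {i}: {f}" for f in check_redirect(resp)]
    for prev, nxt in zip(responses, responses[1:]):
        if prev["headers"].get("Location") != nxt["request_url"]:
            findings.append("chain is broken: a hop does not request the previous Location")
    if len(responses) > 1:
        findings.append(f"{len(responses)} hops; one 301 straight to the final https URL saves a round trip")
    return findings


if __name__ == "__main__":
    for name, resp in [("GOOD", GOOD), ("TEMPORARY", TEMPORARY), ("DOWNGRADE", DOWNGRADE)]:
        print(name, check_redirect(resp) or "ok")
    print("CHAIN", check_chain([GOOD, TO_WWW]) or "ok")
```

Run it as-is to see the three single-hop verdicts and the two-hop chain (http to https, then to www), which is exactly what the article’s later .htaccess rules produce; in practice you would fill the dicts from a real client’s captured responses for each old URL.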
Don’t Forget to Make Sure That Google Can Crawl and Index Your HTTPS Pages
The URL Inspection tool allows you to verify whether Googlebot can crawl and index your HTTPS pages. If you use HTTPS, make sure it works properly. You don’t want to find out later that Google isn’t able to crawl your site because you blocked Googlebot’s access via robots.txt.
Don’t include noindex tags in your HTTPS pages. These are used to prevent search engines from crawling certain URLs. However, there is a way around this: including the rel=nofollow attribute in the HTML code.
This tells the crawler that the link doesn’t contain anything useful, so it shouldn’t follow it. In addition, don’t block your HTTPS pages by a robots.txt file. Instead, you want to add a noindex, nofollow tag to the page and make sure that your pages can be crawled via robots.txt.
Be Sure to Support HSTS
HSTS stands for HTTP Strict Transport Security. It is designed to help force browsers to use HTTPS if it is available. This would be true even if someone types in www or http:// in the address bar.
How Does HSTS Work?
When a user visits a website that supports HSTS, their browser will automatically switch to using HTTPS. This means that they won’t have to manually change any settings on their browser.
Why Should I Support HSTS?
There are several reasons why you should support HSTS. First, it helps to reduce the risk of phishing attacks. Second, it prevents people from accessing your site through a proxy or VPN service. Third, it reduces the risk of session hijacking. Finally, it makes it easier for users to browse securely.
How Do I Enable HSTS?
If you want to enable HSTS, you first need to install a certificate authority (CA) into your web server. Then, you need to configure your web server to send the appropriate headers. The steps below show how to set up HSTS on a Linux web hosting system with Apache and .htaccess capabilities.
Install the CA certificate on your web server. For example, you could install the Let’s Encrypt certificate into your Apache virtual host configuration.
Then restart Apache.
Add the following header to your .htaccess file:
# Rewrite rules in .htaccess are ignored unless the engine is switched on.
RewriteEngine On
# Send any request that did not arrive over HTTPS to the same path over HTTPS.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# Send the bare domain to the www host, setting the HTTPS environment variable for the header below.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L,E=HTTPS:1]
# The header value must be in straight double quotes; env=HTTPS only adds it when that variable is set.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Finally, reload the site.
Please note: these instructions are HIGHLY server-dependent. If you do not know what you are doing, it is strongly advised that you contact your support department and provide them with general instructions to enable HSTS on your HTTPS installation.
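Before submitting a site for preloading, it is worth checking what the Strict-Transport-Security header you actually send declares. The parser below is an added example, not code from the article or from Apache: it follows the RFC 6797 directive syntax (semicolon-separated, case-insensitive names, max-age required, unknown directives ignored, duplicates rejected) and then applies the hstspreload.org submission requirements (max-age of at least one year plus includeSubDomains) to the parsed policy. The header values it is run on are constructed.

```python
"""Parse and assess a Strict-Transport-Security header value.

Added example, not code from the article. Parsing follows RFC 6797; the
assessment uses the preload list's published requirements (max-age >= 1 year,
includeSubDomains). Sample header values are constructed."""
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the max-age used in the article's .htaccess


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains; preload'."""
    seen = set()
    max_age = None
    include_sub = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age="300" is allowed as a quoted string
        if name in seen:                     # RFC 6797: a directive may appear only once
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_sub, preload)


def assess_hsts(policy: HstsPolicy) -> list:
    """Return findings a defender would act on; an empty list means the policy is strong."""
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy; the host is unprotected")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is under one year; users lose protection between visits")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains can still be reached over plain HTTP")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload is declared but the list requires max-age >= 31536000 and includeSubDomains")
    return findings


if __name__ == "__main__":
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=300", "max-age=0; preload"):
        print(repr(header), "->", assess_hsts(parse_hsts(header)) or "ok")
```

Feed it the value you observe in a response over HTTPS; a header that parses but produces findings is the case to fix before preloading, because a preloaded policy with a short max-age or without includeSubDomains is rejected by the list.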
Avoiding Common HTTPS Pitfalls
Pitfalls are easy to fall into with any endeavor, especially one you are not familiar with beforehand. By following these tips, you can avoid some of the more common pitfalls that can occur when implementing HTTPS.
Avoid These Common Pitfalls
A number of things can go wrong during the SSL/TLS migration process. Here are some common mistakes we see and how to avoid them.
1. Expired Certificates
The most obvious mistake is to use an expired certificate. This makes it easy for attackers to impersonate your site. If you haven’t renewed your certificate recently, check the expiration dates listed on your certificate. You’ll want to renew your certificate within 30 days of its expiry date.
2. Incorrect Website Name
Another common mistake is registering your domain name incorrectly. Make sure that you’ve registered the correct domain name with the appropriate registrar. For example, if you’re migrating from HTTP to HTTPS, make sure that you register www.example.com rather than example.com. Also, don’t forget to update your DNS records.
3. Certificate Registered to Inaccurate Hostname
If you’ve already migrated to HTTPS and are now trying to migrate away from HTTP, make sure that your certificate is correctly associated with your new hostnames. Check the IP address of your server and ensure that the hostname listed in your certificate matches what appears in the browser bar.
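Both of these pitfalls (a certificate inside the renewal window or already expired, and a hostname the certificate does not cover) can be checked mechanically. The script below is an added example, not the article’s code: it works on a certificate in the dict shape that Python’s ssl.SSLSocket.getpeercert() returns, but the certificate here is constructed with hypothetical names and dates so that it runs offline, and DEMO_NOW is a fixed clock so the results are reproducible. Hostname matching is a small RFC 6125-style matcher written for this example (wildcard only as the whole leftmost label, matching exactly one label), not a call into the ssl module.

```python
"""Check a peer certificate for the two pitfalls above: expiry within the
renewal window, and a hostname the certificate does not cover.

Added example, not from the article. SAMPLE_CERT is constructed in the dict
shape ssl's getpeercert() returns; DEMO_NOW is a fixed clock for reproducibility."""
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 30  # the article's advice: renew within 30 days of expiry
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "current time"

# Constructed certificate with hypothetical names and dates (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}


def days_until_expiry(cert, now=None):
    """Days (float) until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).total_seconds() / 86400


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' only as the entire leftmost
    label, matching exactly one label, never a public suffix like '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, or the CN only if there is no SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def check_certificate(cert, hostname, now=None):
    """Return findings for the certificate as served for `hostname`; [] means fine."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"expired {-days:.0f} day(s) ago")
    elif days <= RENEWAL_WINDOW_DAYS:
        findings.append(f"expires in {days:.0f} day(s): inside the {RENEWAL_WINDOW_DAYS}-day renewal window")
    names = cert_names(cert)
    if not any(hostname_matches(n, hostname) for n in names):
        findings.append(f"hostname {hostname} is not covered by {names}")
    return findings


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "static.cdn.example.com"):
        print(host, check_certificate(SAMPLE_CERT, host, DEMO_NOW) or "ok")
```

On a live system you would obtain the dict from ssl.SSLSocket.getpeercert() after connecting to your own server and pass the hostname users type, so the check reflects what the browser compares against; the bare example.com case in the demo shows why the article says to be careful about www versus the apex name.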
Make sure that you’ve installed a valid certificate authority into your web server. Otherwise, your site won’t work properly.
You may receive a message stating that your certificate was invalid. This usually happens when you try to access a page that requires a signed certificate. To fix this problem, simply add the missing certificate authority to your web server.
Server side validation is another common mistake. When using self-signed certificates, browsers will warn users about the lack of trustworthiness. Unfortunately, there isn’t much you can do about this warning. Instead, you should focus on ensuring that your website works as expected.
You can also use a third party certificate authority (CA), such as Comodo or Symantec. These CAs offer more security by providing additional features, including revocation lists and extended validation.
When you migrate from HTTP to HTTPS, you must include a special header in your response. This header tells the browser whether or not your site uses server side validation. Without this header, the browser will display a warning dialog box indicating that the connection is untrusted.
When you visit Google’s home page, you’ll notice that the URL doesn’t have any protocol information. This indicates that the site uses server side validation, which means that the site is safe to browse.
HTTPS Is Not Going Away Anytime Soon
While many people think that HTTPS is going away, it’s actually here to stay. The main reasons why HTTPS continues to remain so popular are:
- Security – HTTPS provides a way to encrypt data between two parties. This allows websites to be protected against eavesdropping attacks.
- Privacy – HTTPS prevents anyone who sniffs packets at the wire level from seeing the contents of communications.
- Speed – HTTPS reduces latency because it eliminates the need to re-transmit requests.
- Compatibility – HTTPS is supported across all major browsers.
- Cost – HTTPS is free.
- Trustworthy – HTTPS sites are trusted by most browsers.
- Reliability – HTTPS connections are reliable.
- Scalability – HTTPS is scalable.
- Usability – HTTPS is easy to use.
- Performance – HTTPS is faster than HTTP.
- Standards Compliance – HTTPS is compliant with current standards.
- Ease of Use – HTTPS is easier to set up than HTTP.
- User Experience – HTTPS improves user experience.
- Security – HTTPS protects against man-in-the-middle attacks.
- Encryption – HTTPS provides end-to-end encryption.
- Authentication – HTTPS authenticates both sides of a transaction.
- Authorization – HTTPS verifies the identity of a user before granting them access to resources.
- Integrity – HTTPS ensures that content hasn’t been tampered with during transit.
- Confidentiality – HTTPS guarantees that sensitive information remains private.
- Data integrity – HTTPS ensures that data hasn’t been corrupted during transmission.
- Availability – HTTPS ensures that a website is always available.
- Authenticity – HTTPS ensures that a site is genuine.
- Nonrepudiation – HTTPS ensures that a sender cannot deny having sent something.
- Transparency – HTTPS ensures that a recipient knows exactly what they’re getting.
- Auditing – HTTPS enables auditors to track down problems quickly.
- Audit trails – HTTPS makes it possible to trace changes made to a resource.
- Versioning – HTTPS supports versioning.
- Revocation – HTTPS supports revoking certificates.
- Certificate Transparency – HTTPS supports Certificate Transparency.
- Extended Validation – HTTPS supports Extended Validation.
- Signed Certificates – HTTPS supports Signed Certificates.
If you want the best possible chance of coming out ahead on that tie-breaker ranking signal, make sure that you implement HTTPS on your site.