Why HTTPS Matters
Hypertext Transfer Protocol (HTTP) is the underlying data communication system for the Internet. A simple example of the protocol is when you landed on this page, your browser (e.g. Chrome, Safari, etc.) made an HTTP request to the computer that’s hosting this website, and then the hosting computer sent back an HTTP response that contains this page’s information.
The “S” in HTTPS stands for secure. HTTP without the S is not secure. If you’ve made a request and the server responded using a non-secure connection, the messages going back and forth are considered open and may be hijacked along the way. You also can’t be sure that the website you’re communicating with is what it advertises itself to be.
HTTPS uses encryption technology to lock down these messages. This means that no one can gain access to your messages, and if a website uses HTTPS, you can trust it.
Why is HTTPS Important?
You already know that if you’re using HTTP, messages are open and may be tampered with, but what does this mean in the real world?
Non-secure HTTP is vulnerable to eavesdropping and content injection. Content injection is when someone adds code or data to your HTTP messages.
Some Internet Service Providers (ISPs) have taken advantage of this by injecting extra content into HTTP messages.
A major, leading ISP in the United States, for example, injected tracking code to monitor their customers’ web browsing for marketing purposes, which lead to the exploitation of user data.
Another major ISP was able to create popup ads with content injection. Imagine a user visiting your site, and then seeing an advertisement for the ISP popup blocking your entire webpage. On top of this being a bad experience for the user, the user is likely to blame you (the site owner) for serving these unwanted ads.
HTTPS blocks these types of attacks from happening. And is considered a baseline for user’s security on the Internet.
Why Use HTTPs on All Pages and NOT Just Login Pages?
Protecting secrets like passwords and credit card numbers is a given. If you’re not using HTTPS on pages that collect personal information, you need to. But there’s an argument to be made for using HTTPs on your entire website, rather than just your login pages.
For instance, the two examples above, where ISPs were injecting content into HTTP messages, were not contained on pages where personal information was given. Those examples demonstrate that if your entire website isn’t using HTTPS, your users are still vulnerable.
Popular browsers, like Chrome, have been showing warning messages on HTTP pages where personal information is given. This is to warn the user that they may be sharing their personal information on an unsecured website.
These warning messages make a website look suspicious and unprofessional. Soon, browsers are going to be pushing these warnings further. Chrome and Firefox have plans to show a “Not secure” warning for all unsecured HTTP pages, not just login pages. We highly recommend switching to HTTPS for all your website’s pages before this happens.
Performance and Cost Reasons
Performance and cost may come up as reasons for not using HTTPS on your website, but they shouldn’t stand in your way given the importance of security.
In regards to performance and optimization, most slowdowns in web applications are caused by the site content or database layers. These two components of websites and web apps are most likely your main bottlenecks for performance.
Gmail uses HTTPS for the entire web application. In this blog post about making Gmail faster, the authors describe how developers go through great pains to increase the performance between the content and database layers where most of your website’s performance gains will be realized. While most websites don’t have the load Gmail handles – (the number of users on the site and the amount of data it handles) – Gmail uses HTTPS on all pages and focuses on the content and data layer to make it faster.
Also, consider that there’s a new version of HTTP. It’s called HTTP/2. It’s the first new release since 1997 when HTTP 1.1 was released. Most of the major browsers added support to HTTP/2 by the end of 2015. HTTP/2 is faster than its predecessor. The most popular browsers (Chrome, Firefox, Edge, IE, Safari) only support HTTP/2 with encrypted HTTPS. So if you’re using HTTP still, you’ve been missing out on the newest protocol.
An additional bonus? It’s free.
Let’s Encrypt is an organization with the goal to help encrypt all HTTP messages on the Internet. Anyone who owns a domain name can use their service to obtain a trusted certificate at no cost to enable HTTPS for websites. Let’s Encrypt is free. Many hosting providers will happily help you set up a certificate with Let’s Encrypt.
How to Switch To HTTPS
Hopefully, you’re convinced by the benefits of moving your entire website to HTTPS. Here are some tips and general advice for getting started.
Don’t use mixed content (some HTTP and some HTTPS)
It’s common in a website’s architecture to split up the workload among different services when building a complete web page. For example, you could load images, videos, and PDFs from a storage service like Amazon S3. Text for the page could be sent from your servers with the font loaded from Google Font.
If your content and font are being sent over HTTPS and your images are sent over HTTP, you have mixed content on the page. Users are still vulnerable to attack with mixed content. Make sure all the content on the page is being sent over HTTPS.
Set up HTTPS Redirects
Redirect HTTP requests to the equivalent HTTPS resources. Once you have HTTPS set up on your entire site, users and old links may still try to access your site over HTTP. For example, I would still be able to type https://yoursite.com, and if you’re not redirecting me to the new HTTPS URL, all your hard work would be pointless. Remember to set up those redirects, and realize your hard earned HTTPS encrypted gains.
Double Check Authentication
Double check that your authentication type messages – for example, when a user logs in – are sent over HTTPS. You’ll have to look at the code for this one. If this is out of your wheelhouse, ask your developer.
If you’re switching to HTTPS yourself…
Consider contacting your web hosting service and checking to see if they have a configuration option for Let’s Encrypt. You may be able to set up HTTPS on your site in only an hour or two.
Some hosting services do HTTPS on your whole site and HTTPS redirects by default. Developers at Fresh have recently started using Zeit Now hosting for small projects and they provide these services at no extra cost. You don’t have to do anything but deploy your website.
Why Security Matters
In a digital world that’s becoming increasingly prone to hacking, security is more important than ever. Google Webmaster noted an increase of 32% in sites hacked between 2015 and 2016, and that number is likely to grow as technology becomes more varied, less simple to secure.
But HTTPS is one approach that can set you on the path toward creating a secure digital experience. Thousands of websites are hacked a day – there are many approaches you can take to avoid being hacked, but the fundamental reality is that security is vital.
We recommend employing HTTPS – using the rationale and tips above as a starting point – to create a high-end, secure digital experience.