HTTPS – Understanding what it is, and isn’t

Google Chrome version 56 is set to be released this month. One of the major changes to the browser will be the addition of the words “not secure” to the address bar of all pages that collect passwords or credit card information served over HTTP instead of HTTPS.

This isn’t going to be an in-depth explanation of HTTPS or how it works, just a very basic overview of what it is, why you should use it, and what it isn’t.

What is HTTPS?

HTTPS stands for Hyper Text Transfer Protocol Secure. When you send or receive  information to or from a site using standard HTTP that information is sent in plain text. So when you type your user name and password, that information is sent across the network exactly as you typed it. This is bad because that information can be intercepted anywhere along its path and read by anyone.

HTTPS adds bidirectional encryption, meaning that the information exchanged between your browser and the site is encrypted and needs to be unencrypted at either end to actually read the data. This does not stop an attacker from intercepting the transmission, but it does mean what they intercept will be undecipherable gibberish instead of your password or credit card number in plain text.

Why you should use HTTPS

There are a few good reasons to use HTTPS to serve your web site. The most important, as explained above, is security. Your users, and you, are protected from eavesdroppers and  man-in-the-middle attacks.

The second reason is perception. Users are becoming used to seeing that little green lock in their address bar and it gives them some comfort that they are dealing with a trusted organization (more on this later). Anything you can do to help your users feel secure on your site is going to improve their user experience.

Finally, there is a small bonus to your site’s SEO when serving your pages via HTTPS. Google has been pushing for the adoption of HTTPS for over 2 years now, and it appears to be working.

What HTTPS isn’t

Personally I do have one concern about this whole push towards HTTPS. It has nothing to do with it being bad, it isn’t, I fully believe that your site should be served over HTTPS, this site is and it has no log ins, and no credit card collection.

My concern is the public perception that I mentioned above and I’m a little worried that the average user equates that little green lock with a safe site and that is absolutely not what HTTPS means.

It means your connection to the site is secure. It does not mean the site you are entering your credit card information into, or all of your personal data to sign up for some service is safe! So my concern is that users are going to be lulled into a false sense of security because the site they are on is “secure”.

Don’t mistake secure for safe. They aren’t the same thing!

The Downsides of HTTPS

At this point in time, there aren’t any real significant downsides to implementing HTTPS. There are barriers, especially when implementing it on a complex existing site. There can be issues with SEO initially and there are issues with handling all the content your site delivers, CSS, Javascript, images etc. But these issues can all be handled and certainly are no reason not to  upgrade to HTTPS. Wired has written about their experiences upgrading a very complex site (if you’re the size of Wired you probably aren’t reading my blog, if you are, share the link lol!).

The other “issue” is performance. Notice the word issue in the previous sentence is in quotations. That’s because this used to be somewhat of an issue, but really isn’t any more. It’s one of those things that remains a concern mostly because people don’t realize it isn’t a concern any more.

HTTPS adds a layer to communication between a web server and your browser, that is still a fact so connections are indeed slower. Negligibly slower though. We’re talking milliseconds here. This is a pretty in-depth subject which is beyond the technical level of this post, but if you’d like to read more about it MaxCDN wrote an article The SSL performance Myth discussing the issue.

Adding HTTPS to your site

There are a number of options available these days for adding HTTPS to your site. Most shared hosts offer an option to purchase and SSL certificate and will help you install it on your site. The new kid on the block Let’s Encrypt offers automated and free certificates, although this isn’t something that is easy for the average user to do themselves. Some companies like SquareSpace are using Let’s Encrypt as a single click option to add HTTPS to their user’s sites.  CloudFlare offers a shared certificate at their free tier with options to upgrade.

There are some concerns when upgrading your site to HTTPS, and some pitfalls that can be confusing to resolve for the average user. If you want help upgrading your site we can help!

Contact Us (* required)