Most likely, you already know that some websites use “http” and some use “https”. And you probably also know that anytime you are being asked to enter personal information into a site, you should first check to make sure that it has that extra “s” and the lock icon. But do you know what HTTPS really is, how it works, or why it even matters for your business?
What is HTTPS?
HTTPS stands for Hypertext Transfer Protocol Secure. It’s the secure version of HTTP, which is the standard protocol over which data is transmitted between your browser and the websites you visit.
That extra “s” (which stands for secure) confirms that your browser and the site have agreed on a code that encrypts their communications. Essentially, it allows you to have a private conversation between just two parties.
In this way, no one can eavesdrop and see the webpages you’re visiting, or any data that is in transit between that website and your browser. HTTPS is what makes it possible for you to safely shop or bank online, or access your personal medical records.
Regular HTTP communications, on the other hand, are NOT encrypted. They are transmitted in clear text, making them vulnerable to so-called man-in-the-middle attacks.
HTTP was the procedure originally used for exchanging information on the Internet, as network administrators had to come up with an agreed-upon format. The trouble is that HTTP is a publicly known format sent without encryption, which makes the traffic incredibly easy to intercept and read.
Thus, the secure protocol – HTTPS – was born.
It is important to note that HTTPS means only that the information is encrypted while it is traveling between the server and the client. Having HTTPS does not guarantee that the site owner has also secured its server and is taking all the necessary steps to protect your information once they have received and decrypted it.
How are Sites Secured?
In order to secure a site and make it HTTPS, a Secure Sockets Layer (SSL) Certificate is installed. The SSL certificate enables the browser and the server to encrypt the online data, using a code that only the sender and the recipient know, meaning they are the only ones that can decipher the messages.
The SSL Certificate also authenticates the identity of the site, which assures visitors they aren’t on a spoofed or malicious site.
Setting up SSL is relatively simple, and once the certificate is activated and you have updated your site to use HTTPS, then your website visitors will see that in your URL and will feel more secure in interacting with your site.
Moving Towards a More Secure Web
Originally, HTTPS was used only on sites that require passwords, credit card or banking information, personal health data, or other private or sensitive information. It was generally agreed that sites that didn’t collect this type of information had no such need for this level of security.
But all website owners should be on notice that the entire web is officially moving in this direction, regardless of whether or not this type of data is collected.
Google signaled this shift with an announcement this past fall that they were going to start flagging sites that don’t use HTTPS as unsafe in Chrome.
Since January 2017, Google has been clearly marking any HTTP pages that collect passwords or credit cards as non-secure.
And this is only the first step in a plan by Google to mark ALL HTTP sites as non-secure in Chrome.
In a blog post on this topic, they confirmed that labeling HTTP sites clearly and accurately as non-secure will take place in gradual steps. The next phase will extend to labeling HTTP pages as “not secure” in Incognito Mode.
Eventually they intend to label ALL HTTP pages as non-secure, using the red triangle that they currently use to flag any broken HTTPS links.
Mozilla Firefox is also now flagging as non-secure any HTTP pages that request a password.
Beyond that, the major web browsers all seem to support making HTTPS encryption a requirement for all new standards that are designed to make the web faster and better.
In a time of uncertainty around internet privacy laws and what it means for individuals, HTTPS sites also offer at least an increase in privacy. Using secure sites prevents your Internet Service Provider from seeing quite as much of your web browsing history. They will still be able to see that you’re connecting to a specific site, but not the individual pages.
HTTPS Takeaways & To-Do's
The biggest takeaway from this – besides gaining an understanding of what that “s” even means – is that any business with a website should be looking at moving to HTTPS sooner rather than later.
Any business currently serving password fields over HTTP pages should immediately implement HTTPS and ensure that the password fields are only on pages with a valid SSL certificate.
Not only will this reassure your website visitors, it ensures that your site will be able to take advantage of new features that are being introduced to improve speed, performance and the overall user experience. And it will save you from being flagged as “non-secure”, causing potential visitors to steer clear of your site altogether.
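One way to act on the advice above about password fields on HTTP pages, as an added example that is not part of the original article: a Python check that scans a page's HTML for password or payment-card inputs and reports when the page itself or the form's submit target is plain HTTP. The shop.example URLs and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Autocomplete tokens that mark payment-card inputs (HTML standard values).
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}

class SensitiveFormParser(HTMLParser):
    """Collects each form's action and whether it holds password or card inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []        # [action, has_sensitive_input] per form
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input":
            kind = (a.get("type") or "").lower()
            tokens = set((a.get("autocomplete") or "").lower().split())
            if kind == "password" or tokens & CARD_TOKENS:
                if self._current is None:   # input outside any <form>
                    self._current = ["", False]
                    self.forms.append(self._current)
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_page(page_url, html):
    """Return findings for sensitive inputs served or submitted over plain HTTP."""
    parser = SensitiveFormParser()
    parser.feed(html)
    findings = []
    sensitive_actions = [action for action, sensitive in parser.forms if sensitive]
    for action in sensitive_actions:
        if urlparse(page_url).scheme != "https":
            findings.append("sensitive field served over HTTP: " + page_url)
        target = urljoin(page_url, action)  # empty action submits to the page itself
        if urlparse(target).scheme != "https":
            findings.append("form submits over HTTP: " + target)
    return findings

# Constructed sample pages (not real sites).
LOGIN = '<form action="/login"><input type="password" name="pw"></form>'
MIXED = '<form action="http://shop.example/pay"><input autocomplete="cc-number"></form>'
SEARCH = '<form action="/search"><input type="text" name="q"></form>'
```

Run audit_page over each page of your site; an empty list means no password or card field on that page is exposed to plain HTTP, either when the page loads or when the form is submitted.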
Finally, as either an individual end-user or a business leader managing many end-users, it’s important to simply be aware of HTTPS and make sure that no one within your organization is entering sensitive information on non-secure sites. So train your staff to look for the “s” in HTTPS and look for the padlock symbol before proceeding with any type of website data submission.