Editor’s note: This HTTP vs. HTTPS article was originally published on October 25, 2016, and was updated on July 25, 2018.
Cybersecurity has spent the last few years emerging from relative obscurity to become a topic grabbing worldwide headlines. But despite internet security’s growing importance, a lot of folks are unaware of what they can do to make a difference. A lot of those people, I’d bet, don’t know about the differences between HTTP vs. HTTPS and how moving to HTTPS lets anyone with a website make the internet a safer place for everyone.
If you’re a little fuzzy on the difference, we’ll help you understand what this is and why you should care. If you’re someone who owns a website, we’ve got all of the information you need to move to HTTPS right now (and it’s easier than you think).
HTTP vs. HTTPS: What’s the difference?
The first thing to understand is that HTTP is just a technical way of talking about how websites load in your web browser. When you’re on a website, the website’s sent to your computer using HTTP. When you send information back to the website, for example to log in to it, your computer also communicates with the website using HTTP.
However, during that transfer, the data is visible to anyone on your network. If you’ve ever watched a movie that features hackers (either nefarious or noble), it’s easy to imagine that exposing any kind of data can be really problematic. This is where the secure version of HTTP, known as HTTPS, comes in.
HTTPS scrambles (encrypts) the data before it crosses the network. Both your computer and the website have a secret code that lets them unscramble (or decrypt) the HTTPS information. To anyone else on the network trying to eavesdrop on the conversation, though, the communication just looks like a garbled, unintelligible mess. Hackers snooping on the connection are, at this point, thwarted.
If you’re already convinced that you need HTTPS for your website, we’ll give you a spoiler: All you need to make this happen is an SSL certificate.
The sad, vulnerable state of HTTP
Armed with a sense of what HTTPS does, let’s look at the kinds of problems it actually solves. According to a spokesperson from Mozilla (makers of Firefox, an incredibly popular open-source browser), “There are reports of major attacks that HTTPS mitigates a few times a year.” Our friends at Mozilla provided us a quick list of what they were aware of (you might recognize some of these names):
- AT&T and Verizon were both caught tracking customers’ browsing habits … without their consent.
- China Telecom and China Unicom both injected malware into users’ computers on HTTP connections.
- Chinese authorities launched attacks to bring down websites by exploiting non-HTTPS security issues.
- Airtel of India spied on The Pirate Bay’s users by abusing (you guessed it) an insecure HTTP connection.
Let that soak in for a moment. Some major cybersecurity issues involving huge technology companies can be seen as little more than a problem of HTTP vs. HTTPS.
On top of that, companies in the U.S. alone lost more than $3 billion in online fraud, some of which is almost certainly attributable to attackers gathering data from insecure connections.
As attackers (and less scrupulous companies) become more sophisticated, these kinds of issues are likely to become more commonplace and/or harder to detect. So much like you keep your front door locked just in case, it’s becoming wiser and wiser to do the same thing for your website’s data.
And to sweeten the deal, leading technology companies are already incentivizing the move from HTTP to HTTPS.
Mozilla and Apple love HTTPS
The internet is one of those inventions that has changed the world dramatically, and big technology companies are trying to be careful stewards of it. Given the issues with HTTP we covered in the last section, it’s no wonder so many household names are independently making efforts to entice, coerce, and cajole everyone to move to HTTPS as quickly as possible.
Mozilla: Requiring HTTPS for full support
Mozilla intends to stop supporting some features of websites that don’t use HTTPS. If that sounds dramatic, hearing Mozilla’s belief in the importance of security casts the decision in a different light. They explained the decision to me as:
“We support HTTPS because security on the web is a core part of our mission …
Rather than targeting specific issues, HTTPS establishes general rules that keep users safe on the web. It ensures that their communications with websites are kept private, and it ensures that the website the user gets is really what the server sent.
Without HTTPS, none of this is guaranteed … billions of people use the web in ways that are critical for their lives, attackers can exploit non-secure sites to cause real damage. We can’t afford to have a non-secure web any more.”
As part of building a safer web, Mozilla’s disabling persistent access to visitors’ webcams and microphones for non-HTTPS websites. Users will have to explicitly allow the connection every single time.
Apple: In-app links must use HTTPS
Apple, for its part, is requiring that all apps link to sites only via HTTPS by the end of 2016. It’s a strong stance that signals Apple understands the value of security on the internet.
This means that for an app (any app) to link to your site, you should support an HTTPS connection.
Google now requires HTTPS
Google has encouraged HTTPS for many years but has taken a much stronger stance in recent years.
Google originally modified its search algorithm to boost content with HTTPS. This would help HTTPS-based content rank higher in search, and thus would allow such content to potentially receive more website visits.
In July of 2018, Google is stepping up the requirement for HTTPS websites and blogs. Google’s Chrome browser has started to alert website visitors to non-HTTPS websites by marking them as not secure.
“Chrome’s ‘not secure’ warning helps you understand when the connection to the site you’re on isn’t secure and, at the same time, motivates the site’s owner to improve the security of their site.”
This truly ups the game, and the debate of HTTP vs. HTTPS becomes a bit of a moot point. All websites and blogs need to have HTTPS enabled.
Adding HTTPS to your website or blog
At this point, we hope you’re convinced. There’s no compelling argument as to why your site should choose the losing side in the decision between HTTP vs. HTTPS.
“Sounds great,” I hear you say. “I’ll definitely get around to this.” But here’s the thing: you need to prioritize moving to HTTPS because HTTP is going the way of the dial-up modem and the dinosaur. Plain-old HTTP is insecure and leads to real compromises. You should get on board with the great migration to HTTPS right now.
And the kicker, like I mentioned earlier, is that it’s incredibly easy.
Assuming you’re using a shared hosting account (and you probably are as a small business):
- Buy an SSL certificate from a CA (a.k.a. a Certificate Authority). GoDaddy, for example, is a CA that sells SSL certificates.
- Let the CA know which website you want to use the certificate with by setting up your SSL.
- Verify that you control the website. If your SSL certificate and domain are in the same account, this step is often taken care of for you automatically.
That’s it! And if you’re only in need of a domain-validated (DV) SSL, the certificate can be issued within minutes.
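Once the certificate is installed, two things are worth confirming: that browsers will trust it and it isn’t about to expire, and that visitors who still arrive over plain HTTP get redirected to HTTPS. The script below is an added example, not part of the original article; its function names and the sample certificate data are constructed for illustration.

```python
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

# Constructed sample: the one field used here from ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"notAfter": "Jan  1 00:00:00 2030 GMT"}

def days_until_expiry(cert, now=None):
    """Whole days until the certificate's notAfter date (negative once expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def _bare(hostname):
    """Lower-case a hostname and drop a leading 'www.' so both forms compare equal."""
    hostname = (hostname or "").lower()
    return hostname[4:] if hostname.startswith("www.") else hostname

def redirect_is_secure(status, location, host):
    """True if a plain-HTTP response redirects to an https:// URL on the same site."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and _bare(target.hostname) == _bare(host)

def fetch_cert(host, timeout=5):
    """Live check: the default context verifies chain, dates and hostname, or raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def fetch_http_redirect(host, timeout=5):
    """Live check: request the site over plain HTTP, return (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # pass your own domain as the first argument
        host = sys.argv[1]
        print("days left on certificate:", days_until_expiry(fetch_cert(host)))
        print("HTTP redirects to HTTPS:", redirect_is_secure(*fetch_http_redirect(host), host))
    else:  # offline demo on the constructed sample
        print("sample days left:", days_until_expiry(SAMPLE_CERT))
```

If `fetch_cert` raises `ssl.SSLCertVerificationError`, the certificate is untrusted, expired, or issued for a different hostname, which is the same condition that triggers a browser warning.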
Supporting HTTPS connections is an incredibly important first step, but there are also other ways of ensuring your site’s well guarded against prying eyes (or prying code).
Always use strong passwords for your accounts. Brute-force guesses at your hosting account’s password can undermine any other kind of effort you make.
With that, we hope you’ve taken the opportunity to migrate to HTTPS and will share your newfound knowledge about the differences between (and importance of) HTTP vs. HTTPS.
Also published on Medium.