Security Month is a great time to reassess some assumptions we have about what it means to be secure online — and this year the subject of debate is HTTPS.
SSL/TLS certificates and the HTTPS protocol have been around for 20 years now. At their heart, HTTPS and SSL/TLS certificates work together to create an encrypted communications channel between a website and the end user, and in some cases to supply verified identity information about the website to the end user.
In the past, common thinking has been that HTTPS is only needed for high-value websites such as those used for online banking, shopping and healthcare.
HTTPS for encrypting private data
The most obvious reason that websites should encrypt communications is when the data is valuable and/or private. Passwords and credit card numbers are the most obvious examples of this, but there are some less obvious yet equally critical benefits to using HTTPS.
HTTPS for safeguarding cookies
Many websites maintain information in cookies stored in the browser.
Without SSL/TLS, cookies sent over plain HTTP can be intercepted and used in a “replay attack”, where someone else presents the stolen cookie to the website as if it were their own.
For example, someone using a browser on a public WiFi network to read their email could be susceptible to having their authentication cookie stolen, allowing the attacker to read their email as if they had logged into the victim’s account. This is one reason that most popular web-based email services now use HTTPS the entire time, not just when someone is logging in.
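The mitigation for the cookie-theft scenario above, as an added example that is not part of the original post: a minimal Go server that redirects every plain-HTTP request to HTTPS, sets HSTS so the browser keeps using HTTPS for the site, and issues a session cookie marked Secure and HttpOnly so the browser will not send it in the clear. The host names, token value and certificate file names are assumed placeholders.

```go
package main

import (
	"net/http"
	"time"
)

// HSTS: browsers remember to use HTTPS only for this host for one year.
const hstsValue = "max-age=31536000; includeSubDomains"

// redirectToHTTPS answers any plain-HTTP request with a permanent redirect
// to the same path over HTTPS, so the browser never completes a request
// (or sends a cookie) in the clear.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// newSessionCookie builds a session cookie the browser will only send over
// HTTPS (Secure), that page scripts cannot read (HttpOnly) and that is not
// attached to cross-site requests (SameSite=Strict). The token is whatever
// the caller generated; a real server would use a random value.
func newSessionCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   int(12 * time.Hour / time.Second),
	}
}

// secureHandler serves the HTTPS side: it sets HSTS on every response and
// issues the hardened session cookie (token value is constructed).
func secureHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Strict-Transport-Security", hstsValue)
	http.SetCookie(w, newSessionCookie("constructed-token-value"))
	_, _ = w.Write([]byte("hello over HTTPS\n"))
}

func main() {
	// Port 80 only redirects; all real content lives on 443. cert.pem and
	// key.pem are placeholders for the site's certificate and private key.
	go http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))
	http.ListenAndServeTLS(":443", "cert.pem", "key.pem", http.HandlerFunc(secureHandler))
}
```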
HTTPS to maintain integrity
Another reason to use HTTPS even if the website isn’t transmitting sensitive information is integrity. Without encryption, a third party sitting between your server and the user can modify the content of your website in transit. A good example of this is when an ISP injects tracking cookies or ads into the content of a web page before delivering it to the end user.
Carrots for using HTTPS
If you’re not yet convinced of the need for HTTPS on your website, read on.
Many of the biggest internet companies are creating incentives to move every website to HTTPS. One of the best known of these is Google’s move last year to use HTTPS as a factor in their search ranking algorithm. The benefit is small, but if you use your website to attract customers, even a little boost can give you an edge over your competitors.
HTTPS used to slow down websites, but in recent years, numerous improvements have erased that performance loss.
A new version of the HTTP protocol called HTTP/2 was finished last year, and its primary benefit is that it improves website performance. Apple, Google, Microsoft and Mozilla have all committed to only support HTTP/2 when using an SSL/TLS certificate and HTTPS! As the internet moves to HTTP/2, you’ll need an SSL/TLS certificate to take advantage of the shift.
Google recently announced that they will begin to display some web pages as insecure if they are not using HTTPS. Specifically, whenever the Chrome browser detects a password or credit card form field on an HTTP (unencrypted) page, an “insecure” warning will be displayed to the user. This change goes into effect early next year.
Google also has begun to block some of the more powerful features of Chrome when using (insecure) HTTP. Mozilla has proposed going further and limiting all new features to HTTPS after some future date.
HTTPS: The end game
These changes are all driving us toward a day when every website will need to have an SSL/TLS certificate and use HTTPS only. Both Google and Mozilla have announced this as their intent, but neither has yet set a date for this change. When this happens, sites using HTTPS will become the norm and the traditional “green lock” icon representing HTTPS will go away.
If your website doesn’t use HTTPS, a warning like this will be displayed:
To be clear, this last change is likely years away, but it is coming. HTTPS and SSL/TLS certificates are the new normal, and considering all the benefits, now is the time to get an SSL/TLS certificate for every website.