Cyber security has spent the last few years emerging from a relative obscurity to a topic grabbing worldwide headlines — and even airtime during presidential debates. But despite internet security's growing importance, a lot of folks are unaware of what they can do to make a difference. A lot of those people, I'd bet, don't know about the differences between HTTP vs. HTTPS and how it lets anyone with a website make the internet a safer place for everyone.
If you're a little fuzzy on the difference, we’ll help you understand what this is and why you should care. If you're someone who owns a website, we've got all of the information you need to move to HTTPS right now (and it's easier than you think).
HTTP vs. HTTPS: What's the difference?
The first thing to understand is that HTTP is just a technical way of talking about how websites load in your web browser. When you're on a website, the website's sent to your computer using HTTP. When you send information back to the website, for example to log in to it, your computer also communicates with the website using HTTP.
However, during that transfer, the data is visible to anyone on your network. If you've ever watched a movie that features hackers (either nefarious or noble), it's easy to imagine that exposing any kind of data can be really problematic. This is where the secure version of HTTP, known as HTTPS, comes in.
HTTPS scrambles (also known as encryption) communication between your computer and the website.
However, both your computer and the website have a secret code that lets them unscramble (or decrypt) the HTTPS information. To anyone else on the network trying to eavesdrop on the conversation, though, the communication just looks like a garbled, unintelligible mess. Hackers, at this point, are totally thwarted.
(If you're already convinced that you need HTTPS for your website, we'll give you a spoiler: All you need to make this happen is an SSL certificate).
The sad, vulnerable state of HTTP
Armed with a sense of what HTTPS does, let's look at the kinds of problems it actually solves. According to a spokesperson from Mozilla (makers of Firefox, an incredibly popular open-source browser), “There are reports of major attacks that HTTPS mitigates a few times a year.” Our friends at Mozilla provided us a quick list of what they were aware of (you might recognize some of these names):
- AT&T and Verizon were both caught tracking customers’ browsing habits … without their consent.
- China Telecom and China Unicom both injected malware into users’ computers on HTTP connections.
- Chinese authorities launched attacks to bring down websites by exploiting non-HTTPS security issues.
- Airtel of India spied on The Pirate Bay's users by abusing (you guessed it) an insecure HTTP connection.
Let that soak in for a moment. Some major cyber security issues involving huge technology companies can be seen as little more than a problem of HTTP vs. HTTPS.
Each of these compromises could've been mostly (or totally) mitigated by more widespread adoption of HTTPS.
On top of that, companies in the U.S. alone lost more than $3 billion in online fraud, some of which is almost certainly attributable to attackers gathering data from insecure connections.
As attackers (and less scrupulous companies) become more sophisticated, these kinds of issues are likely to become more commonplace and/or harder to detect. So much like you keep your front door locked just in case, it's becoming wiser and wiser to do the same thing for your website's data.
And to sweeten the deal, leading technology companies are already incentivizing the move from HTTP to HTTPS.
Mozilla, Apple & Google <3 HTTPS
The internet is one of those inventions that has changed the world dramatically, and big technology companies are trying to be careful stewards of it. Given the issues with HTTP we covered in the last section, it's no wonder so many household names are independently undergoing efforts to entice, coerce, and cajole everyone to move to HTTPS as quickly as possible.
Mozilla: Requiring HTTPS for full support
Mozilla intends to stop supporting some features of websites that don't use HTTPS. If that sounds dramatic, hearing Mozilla’s belief in the importance of security casts the decision in different light. They explained the decision to me as:
“We support HTTPS because security on the web is a core part of our mission ...
Rather than targeting specific issues, HTTPS establishes general rules that keep users safe on the web. It ensures that their communications with websites are kept private, and it ensures that the website the user gets is really what the server sent.
Without HTTPS, none of this is guaranteed … billions of people use the web in ways that are critical for their lives, attackers can exploit non-secure sites to cause real damage. We can’t afford to have a non-secure web any more.”
As part of building a safer web, Mozilla's disabling persistent access to visitors’ webcams and microphones for non-HTTPS websites. Users will have to explicitly allow the connection every single time.
Apple: In-app links must use HTTPS
Apple, for its part, is requiring all apps link only to sites via HTTPS by the end of 2016. A strong stance that signals Apple understands the value of security on the internet.
This means that for an app (any app) to link to your site, you should support an HTTPS connection.
Google: HTTPS gives higher search ranking
Google acknowledges the need for HTTPS and is more likely to promote websites with secure connections. By simply adding an SSL certificate to your website, you can attract more visitors and grow your business. Seems too good to be true, but it's totally real.
Get with it: Getting HTTPS on your site
At this point, we hope you're convinced. There's no compelling argument as to why your site should choose the losing side in the decision between HTTP vs. HTTPS.
"Sounds great," I hear you say. "I'll definitely get around to this." But here's the thing: you need to prioritize moving to HTTPS because HTTP is going the way of the dial-up modem and the dinosaur. Plain-old HTTP is insecure and leads to real compromises. You should get on board with the great migration to HTTPS right now.
And the kicker, like I mentioned earlier, is that it's incredibly easy. Assuming you're using a shared hosting account (and you probably are as a small business):
- Buy an SSL certificate from a CA (a.k.a. a Certificate Authority). GoDaddy, for example, is a CA who sells SSL certificates.
- Let the CA know which website you want to use by setting up your SSL.
- Verify that you control the website. If your SSL certificate and domain are in the same account, this step is often taken care of for you automatically.
That's it! And if you’re only in need of a domain-validated (DV) SSL, the certificate can be issued within minutes.
Supporting HTTPS connections is an incredibly important first step, but there are also other ways of ensuring your site's well guarded against prying eyes (or prying code).
Always use strong passwords for your accounts. Brute-force guesses at your hosting account's password can undermine any other kind of effort you make.
Consider security scanning software for your website. Unlike the software that alleges to scan your computer for viruses, this stuff actually works. If you're interested, GoDaddy has a partnership with Sucuri that gets the job done affordably.
With that, we hope you've taken the opportunity to migrate to HTTPS and will share your newfound knowledge about the differences between (and importance of) HTTP vs. HTTPS.