What is HTTPS and How Does It Work?
In May, Google hosted their annual I/O conference, where they hold a variety of technical sessions related to their applications. As we all know, Google’s first product to the world was search. With search being more prominent in daily life, security and privacy have become more important than ever. One of the I/O sessions featured Emily Stark, a Google software engineer, discussing the importance of a secure connection for your website, or HTTPS.
What Exactly is HTTP and HTTPS?
HTTP stands for Hypertext Transfer Protocol. This is the protocol used to transfer data between the web server and the browser loading the website. HTTPS stands for Hypertext Transfer Protocol Secure, which is the secure version of HTTP. It’s used to secure sensitive information on sites such as bank accounts and online shopping websites like Amazon. But these aren’t the only kinds of websites that should consider HTTPS.
Reasons to update
Non-secure websites are vulnerable to attackers. One method is ad injection. Injected ads may look similar to the ads already on your website and could fool users into clicking on them, infecting them with malware. Yikes! Furthermore, there are many public APIs that can be used to optimize the user experience. Many of these APIs depend on a secure connection and will not work on your non-secure website. For example, a geolocation API will automatically disable its functionality to prevent privacy concerns for the user.
Making the switch to HTTPS
The website owner will need to set up 301 redirects from the old HTTP URLs to the new HTTPS ones. The TLS handshake will then take place: the client will request to connect to the server with the SSL certificate, and the server will investigate the request. If everything checks out, the secure connection will load for the user.
Attacks on HTTPS
As time goes on and technology improves, vulnerabilities will arise. To counter this, there are SSL Scanners available to provide updates to your website – these should be implemented on a routine basis.
How much does it cost?
To purchase an SSL certificate, just search for SSL certificate authorities and purchase one. SSLMate provides a standard package for around $15 per year, and Let’s Encrypt is free of charge.
When doing business with a third party that doesn’t have a secure connection, you can install a Referrer Policy on your website, which will automatically strip the referrer information when users go to their site (so sensitive data isn’t leaked in plain text over the network). To provide a secure connection, you must install a Referrer Policy on your website. This allows the user to navigate to a third party safely without information being leaked over the network. The Referrer Policy will only provide the third party with the index page and not the full URL. Features such as iframes will be stripped on secure websites to protect against third-party vulnerabilities.
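What the policy described above does to the Referer header, as an added example that is not from the original article: a simplified JavaScript model of the browser's Referrer-Policy rules. The function name, the sample URLs and the choice of six policy values are assumptions made for illustration.

```javascript
// Added example: which Referer value a browser sends under a given Referrer-Policy.
// Simplified model of the W3C Referrer Policy rules; covers six policy values.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // A referrer never carries credentials or the #fragment.
  from.username = "";
  from.password = "";
  from.hash = "";
  const full = from.href;               // path and query string included
  const originOnly = from.origin + "/"; // the site's index page only

  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const sameOrigin = from.origin === to.origin;

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full; // leaks the full URL, even to an HTTP destination
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("unsupported policy: " + policy);
  }
}

// Constructed sample navigation: a secure shop page linking to an HTTP-only partner.
const page = "https://shop.example/account/orders?id=1234#top";
const partner = "http://partner.example/landing";
for (const p of ["unsafe-url", "origin", "strict-origin", "no-referrer"]) {
  console.log(p.padEnd(14), "->", computeReferrer(p, page, partner));
}
```

A site sets the policy with a `Referrer-Policy` response header or a `<meta name="referrer">` tag; the `origin` value matches the article's description of sending only the index page rather than the full URL.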
What’s been your experience with HTTPS so far? Let us know in the comments below!