Quite a lot really. I know that’s not how the song goes, but HTTPS, the common abbreviation for Hyper Text Transfer Protocol Secure, should be a requirement of every site you visit, and really you should question the authenticity of any site without it. Even if you are not logging in or handing over payment details, it matters for a number of reasons.
What really is it?
HTTP, or the Hyper Text Transfer Protocol, is the protocol of the web: it is how web pages are delivered to you. It is stateless, which means that each request is independent of any other (essentially you arrive at the site and request a page, the server responds, then you click a link to get another page and, as far as the server is concerned, you are a completely new person). One thing you should always be aware of is that the information sent over HTTP to the server and back to you is plain for anyone in between to see, read or modify.
HTTPS is end-to-end encrypted HTTP traffic using TLS (Transport Layer Security) or SSL (Secure Sockets Layer). Both the TLS and SSL protocols use what is known as Public Key Cryptography, an asymmetric system that uses two ‘keys’ to encrypt communications, a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted by the private key, and vice versa. As the name suggests, the ‘private’ key should be kept strictly private and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely held on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.
When you request an HTTPS connection, the website first sends its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then perform the SSL handshake, which involves generating shared secrets to establish a uniquely secure connection between you and the website. As part of this, the certificate is checked against a certificate authority to confirm that it is valid and that you really are communicating with the website you think you are communicating with.
HTTPS protects more than just form data! It keeps the URLs, headers and contents of every transferred page confidential. Any website that requires login credentials should be using HTTPS. Modern browsers such as Chrome mark sites that do not use HTTPS differently from those that do; in April 2018 Google Chrome started flagging all non-HTTPS websites as insecure, which they are, because over HTTP your information is not protected between the server and the end user.
You’ll hear a number of arguments against using HTTPS, most of which are based on old information or are just plain wrong.
I don’t have anything sensitive on my site. It is just a static HTML page.
The internet is not just your computer connected to their server; there are a lot of other pieces of hardware, organisations and governments in between, such as your coffee shop, their Internet Service Provider, or a government (not necessarily yours). Do you really want someone injecting scripts, images or ad content into your page so that it looks like you put them there? Or changing the words on your page? Or using your site to attack other sites? HTTPS prevents all of it. It guarantees the integrity of the data and the ability to detect tampering.
HTTPS certificates are expensive
No. This used to be the case 10 years ago, but Let’s Encrypt provides certificates free of charge, most certificate issuers now provide HTTPS certificates free of charge, and the ones that do charge are only charging for support or administration.
HTTPS is slow
This used to be true because the server had to do more work to encrypt the data, but the argument is no longer valid. In fact, with the arrival of HTTP/2 and the compression it offers, HTTPS is now faster than HTTP.
We hash our passwords and encrypt our data at rest.
Great! But what about when it travels between the server and the visitor to your site? Don’t get me wrong, encrypting your sensitive data is good security practice, but it only protects data at rest. If you are not using HTTPS, your data is transmitted as plain text for anyone to read.
Attackers can still impersonate my website, even if I use HTTPS.
They can certainly try; this is the reason for certificates, to make sure that the site you are communicating with is authentic, i.e. is who you think you are communicating with. If attackers present a mismatched or invalid TLS certificate, browsers should warn you, and if the attacker does not use HTTPS at all, browsers should mark the imposter page as insecure.
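To make concrete what the certificate check at the end of the handshake does, and what “mismatched or invalid” means in that last objection, here is an added example of my own (not code from the original post): it runs the hostname and validity-period checks over a certificate in the dict shape that Python’s ssl.SSLSocket.getpeercert() returns, using a constructed sample certificate. The certificate-authority signature check is assumed to have been done by the TLS library before this point.

```python
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns
# for a verified peer; it is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def cert_dns_names(cert):
    """Names the certificate vouches for: SAN DNS entries, else the legacy CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    # Old certificates without a SAN; modern browsers no longer accept CN-only.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.
    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: *.example.com covers a.example.com, but not
    a.b.example.com or example.com, and a bare *.com is never accepted."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(cert, hostname, now=None):
    """Return (ok, reason): is this certificate valid for hostname right now?
    These are the checks a browser makes before it lets the session continue
    (the CA signature check itself is done by the TLS library, not here)."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "certificate not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate expired"
    names = cert_dns_names(cert)
    if any(name_matches(n, hostname) for n in names):
        return True, "hostname matches"
    return False, "hostname mismatch: certificate is for " + ", ".join(names)
```

A mismatch result is exactly the case where a browser shows its certificate warning instead of loading the page.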
Phishing sites use HTTPS
Yes, so what? Does that mean you shouldn’t use it yourself?!
HTTPS impacts SEO.
Yes, that’s correct: in most cases it improves it. Google ranks HTTPS sites higher than unprotected sites.
This one is obvious: use HTTPS everywhere, and question sites which don’t have it. Do they really care about security? Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser, so it has been around for over 20 years, and during that time it has been tested and improved. It is free and simple to implement and has well and truly passed the tipping point of adoption: according to the most recent Google statistics, 91% of all pages loaded through Chrome were using HTTPS. So ask yourself again, why would you not do this!