HTTP vs HTTPS, Do You Really Need HTTPS?

20
HTTP vs. HTTPS, Do You Really Need HTTPS?

Transcript of HTTP vs HTTPS, Do You Really Need HTTPS?

Page 1: HTTP vs HTTPS, Do You Really Need HTTPS?

HTTP vs. HTTPS, Do You Really Need HTTPS?

Page 2: HTTP vs HTTPS, Do You Really Need HTTPS?

A closer look at why HTTPS is the ideal way to serve your website

• HTTP is the now 15-year-old protocol on which the world wide web was built. HTTP stands for “hypertext transfer protocol” and offers a method of data communication for the Internet.

• The problem with HTTP connections is that they are unsecured. This means that any data transferred with the HTTP protocol is out in the open-it means that it can be intercepted and even manipulated by third parties.

Page 3: HTTP vs HTTPS, Do You Really Need HTTPS?

• To combat this, SSL or Secure Sockets Layer was created. SSL is a protocol for encrypting communication so that it can no longer be seen or affected by third parties.

• As SSL evolved it was replaced by TLS, or Transport Layer Security. Both accomplish the same goal, TLS is just a more secure way of encrypting that information.

• The rise of SSL/TLS gave way to HTTPS, also called HTTP over TLS. This is a secure protocol for communication over the Internet.

• HTTPS is by far superior to HTTP, yet many around the web have yet to adopt the protocol.

• In this article we will look at some of the reasons you should start using HTTPS and also address some myths and misconceptions about HTTPS.

Page 4: HTTP vs HTTPS, Do You Really Need HTTPS?

Myth: HTTPS is Slower

• One of the biggest reasons that website have failed to adopt the HTTPS protocol is that there is a belief among many around the web that HTTPS is slower.

• Speed is everything on the Internet, having a delay in load times can be seen as a major problem by many web hosts and site operators.

• Fortunately, this is a myth. HTTPS is actually much faster than HTTP.

• But don’t take our word for it, there are numerous websites you can go to that test this theory and prove our point.

• Our favorite is HTTPvsHTTPS.com. Upon running the test three times on our 85 mbps connection the site loaded 82% faster using the HTTPS protocol than it did via the HTTP protocol.

Page 5: HTTP vs HTTPS, Do You Really Need HTTPS?

• This is just one example, and results may vary based on connection speed and a range of other factors, but the idea that HTTP is somehow a faster protocol is absolute myth.

Page 6: HTTP vs HTTPS, Do You Really Need HTTPS?

HTTPS Improves Google Search Rankings

• Serving your website over HTTPS offers more than just a secure connection for you and your site’s visitors.

• It also can increase your Google search rankings. Google, which is typically pretty tight-lipped about its search algorithm, announced back in 2014 that it would start using HTTPS as a ranking signal.

• Google is one of the biggest names in the web industry, a titan if you will, and this is a clear nod from it that Secure Socket Layer and serving your website over HTTPS is of increasing importance.

• Especially with the advent of HTTP/2, the successor to HTTP, which requires an encrypted connection in order to work.

Page 7: HTTP vs HTTPS, Do You Really Need HTTPS?

• But back to the SEO benefits that HTTPS and SSL/TLS can provide, every boost you can give your business when it comes to your search rankings is integral to your success. No, having an encrypted connection won’t replace the need for regular dynamic content and running a good site.

• But it could be the difference between page one and page two. And that has a major impact on both your bottom line and your business’ reputation.

Page 8: HTTP vs HTTPS, Do You Really Need HTTPS?

Encryption Protects Your Website from Attacks

• There are a couple kinds of attacks that can occur over HTTP that are simply not possible using the HTTPS protocol.

• One of them is the MITM (Man in the Middle) attack. During the MITM two parties that think they are directly communicating are having that communication intercepted and either stolen or altered.

• As you can imagine, this can be disastrous, especially if your website and its visitors are exchanging personal information or financial information.

• However, with an encrypted connection this kind of attack is easily prevented.

Page 9: HTTP vs HTTPS, Do You Really Need HTTPS?

• The other kind of attack, or perhaps more appropriately, interference, is content injection. Have you ever noticed that when you access the Internet on an airplane, that airline’s ads appear all over the web pages you visit? That’s an example of content injection.

• During content injection, websites served over HTTP can have content injected by anyone in the chain of custody. This means ads or other content can make their way on to your website without your consent. Or in other words, the integrity of your website is being affected by a third party.

• Content injection can also be malicious. Whether it be a malicious piece of code or some other sort of content that’s being injected, a third party can easily affect your website over the HTTP protocol.

Page 10: HTTP vs HTTPS, Do You Really Need HTTPS?

Enabling HTTPS with SSL

• In order to enable HTTPS, you must first purchase an SSL/TLS certificate. But before we get to that, a bit of background. SSL is actually outmoded; it’s just become the colloquial term for TLS at this point.

• So you’re not really purchasing an SSL certificate anymore, you’re purchasing a TLS certificate – it’s just that most CA’s and re-sellers still refer to it as SSL.

• Now back to enabling HTTPS. The first step is to purchase an SSL/TLS certificate. Then it’s just a matter of installing the certificate properly and configuring your server to enable it.

• Some servers will refer to it as “enabling SSL,” others refer to it as “enabling HTTPS.” Either way, you need to configure your server so that your entire website – every single page, not just login and checkout screens – is served on HTTPS.

• This is the only way to see the full benefit of SSL/TLS, and also the only way to get an SEO boost from it.

Page 11: HTTP vs HTTPS, Do You Really Need HTTPS?

• After that communication to and from your website is secure and can make use of the HTTP/2 protocol as that becomes more widely adopted.

• But it all starts with selecting the right SSL/TLS certificate for your needs.

Page 12: HTTP vs HTTPS, Do You Really Need HTTPS?

Mobile Security with HTTPS

• HTTPS also protects traffic on mobile devices. This is extremely important as more and more people are using their phones to surf the Internet and make e-commerce purchases.

• The good news is that the vast majority of SSL/TLS certificates are mobile friendly, meaning that once you purchase one, install it and configure your server correctly, you’re good to go on mobile devices.

Page 13: HTTP vs HTTPS, Do You Really Need HTTPS?

• But what about apps? Well, both Apple and Google, two of the leaders in the mobile phone industry, are pushing mobile apps towards encryption by default.

• Apple has App Transport Security on its iOS, while Google has the usesCleartextTraffic manifest attribute on Android.

• Apple’s ATS is pushing towards encryption a little harder as its default setting is to have encryption on, while on the Android platform it’s not.

• But both are making a clear indication that HTTPS is becoming the standard.

Page 14: HTTP vs HTTPS, Do You Really Need HTTPS?

Types of SSL Security

• So by now it’s become obvious that encryption is a must, the future of the Internet is largely contingent upon it. But what type of SSL/TLS certificate is right for you?

• There are three basic types of SSL/TLS certificate• Domain Validation• Organization Validation• Extended Validation.

• All three offer the same level of encryption. But there are some fairly sizable differences beyond just that.

Page 15: HTTP vs HTTPS, Do You Really Need HTTPS?

Domain Validation SSL

• Domain Validation certificates are perfect for small non-e-commerce websites like blogs and personal sites.

• They simply require you to prove ownership over the domain and you can encrypt.

• In fact, some companies have even begun to offer no-frills, encryption only DV certificates for free.

Page 16: HTTP vs HTTPS, Do You Really Need HTTPS?

Organization Validation SSL

• Above that are Organization Validation SSL/TLS certificates.

• These offer a degree of business authentication, meaning that the Certificate Authority that’s issuing it will vet your company to ensure that it is indeed legitimate.

• The downside to OV certs is that the visual indicators are nearly identical to EV certs and often people miss the vital details that come with having your business authenticated.

• These certificates are good for larger enterprise businesses that already have outstanding reputations.

Page 17: HTTP vs HTTPS, Do You Really Need HTTPS?

Extended Validation SSL

• The top-of-the-line SSL/TLS certificates are Extended Validation.

• These require the most vetting but also unlock the most obvious visual indicators a green address bar with your organization’s name in it.

• These certificates offer an ideal level of business authentication, come with the best trust seals – another visual indicator of SSL encryption – and are often packaged with other high-end security products to make them a better value.

• They’re also proven to increase conversions and ultimately will pay for themselves.

Page 18: HTTP vs HTTPS, Do You Really Need HTTPS?

Conclusion

• The Internet is on the precipice of a huge shift from HTTP to HTTP/2. With it, will come new requirements for websites to display properly. Soon, websites being served over HTTP will receive browser warnings about being unsecured. This will dissuade potential traffic from visiting and will have adverse effects on your website.

• The only way to avoid this and stay ahead of the changes is to encrypt and start serving your site over the HTTPS protocol. This may sound like a lot, but really it’s as simple as purchasing or acquiring an SSL/TLS certificate, installing it correctly and configuring your server to use HTTPS.

• The choice is yours – and it should be an obvious one.

Page 19: HTTP vs HTTPS, Do You Really Need HTTPS?

Important Resources

• Real time SSL certificate checker tool

• How crucial a trust seal to influence e-Commerce business ROI

• Cyber Attacks and SSL Security

Page 20: HTTP vs HTTPS, Do You Really Need HTTPS?

For More Information on HTTPS

Blog: cheapsslsecurity.com/blog

Facebook: CheapSSLSecurities

Twitter: SSLSecurity

Google Plus: +Cheapsslsecurity