No business would willingly leave its door unlocked or its customers’ credit cards lying about. And yet, this happens all the time online. Digital systems are now the primary environment in which many organizations do business. Securing that environment is critical.
Fortunately, securing your website doesn't have to be an arduous task with security audits and legacy infrastructure overhauls. By installing the right lock, you can keep out unwanted intruders, while also improving your user experience.
In this article we cover HTTPS, the version of HTTP that is secured with SSL/TLS. If you're not sure what any of this means, keep reading. We're going to cover what these technologies are, how they work, and why organizations should be implementing them.
What is SSL?
First, let's clarify what we're talking about when we say SSL.
SSL, or Secure Sockets Layer, was the original name of the encryption protocol that secures web traffic. Its successor is Transport Layer Security, or TLS, and in everyday use the two names are treated as the same thing; this article uses "SSL" the same way. Strictly, though, every version of SSL proper (the last was SSL 3.0) is obsolete and should be switched off on your server: what browsers actually speak today is TLS 1.2 or TLS 1.3.
SSL serves two functions.
First, SSL makes sure you're talking to the right server. When you click on a link, your browser calls the server named in it. SSL lets the browser check that the server answering really is that one, and not an impostor sitting somewhere on the network between you.
Second, SSL encrypts the information being transported between a browser and a server. For example, when you are checking your email, your email isn't stored on the computer you're using. It's stored on a server.
Your computer has various methods of encryption to keep it secure. And the servers where your email is stored are secured with their own encryption systems.
SSL makes sure the data gets between the server and your computer without being read or silently altered along the way.
That's a rough idea of what SSL does. But how does it work?
How does SSL work?
Technically, SSL uses two kinds of encryption. Symmetric encryption uses one secret "key" to turn normal text into gibberish and the same key to turn it back. Asymmetric, or public-key, encryption uses a matched pair of keys: what one locks, only the other unlocks. SSL uses the public-key kind briefly at the start, to identify the server and agree on a shared secret, and the symmetric kind for everything that follows.
You can think of this like a cipher. Imagine you were writing a letter that you didn't want anyone other than the intended recipient to read. You might move every letter forward by 1 in the alphabet, so your As become Bs and your Bs becomes Cs.
Therefore, the word "hello" would be written as "ifmmp".
You would then share the code with the person you were trying to communicate with — to decipher the message, they need to move back each letter by one in the alphabet, so the Bs turn back into As.
This is the idea behind the symmetric half of SSL, though a real cipher such as AES uses a key of 128 or 256 random bits rather than a shift of one, so there is no way to guess it. Information leaving the server or your computer is encrypted. Both you and the server know the key, but no one else. If someone copies the information while it's in transit, it's just gibberish, and if it gets rerouted, it's useless without the key. The catch is that the two of you have to agree on the key without ever sending it in the clear over the same network, and that is what public and private keys are for.
Next, we need to understand public and private keys.
Public and private keys
Public keys are how your computer and the server agree on the secret key that will protect the rest of the conversation. It's the way you tell your friend "move the letters by 1" without anyone listening in learning the rule.
They work like this (huge thanks to Panayotis Vryonis for this brilliant explanation).
Imagine a box with a special lock. The lock has three positions in a row, A, B and C. The middle position, B, is unlocked; A and C, on either side of it, are both locked.
Now, imagine it also has two keys. One of these can only turn clockwise (A to B to C). The other can only turn counterclockwise (C to B to A).
One of these keys is a private key. There is only one copy, and you keep it. The other is a public key. Everyone and their dog has a copy.
Now, imagine someone wanted to send you a secret letter. They have the public key. They turn the lock counterclockwise to open the box (C to B), put their letter into it, close the lid and keep turning to A. The public key can't turn back from A to B, so nobody else with a public key can open it. Only your private key can: you come along, turn it clockwise from A to B, open the box and read the letter. The same lock works the other way round too. If you lock something by turning your private key clockwise from B to C, anyone with the public key can open it, and the fact that it opens proves the box came from you. That is how a server proves its identity, as we'll see next.
That’s essentially how public and private keys work.
So how do your browser and the server both know the secret key?
It works like this. When you call a server to pull up, for example, your email, it triggers the following process:
- Your computer calls the server and asks to see its SSL certificate.
- The server responds with its certificate. The certificate contains the server's public key and the site's name, locked in the "B to C" direction by a certificate authority (CA) that vouched for the server when the certificate was issued. Your browser opens that lock with the CA's public key, which it already has: browsers and operating systems ship with a list of trusted CAs. If it opens and the name matches the site you asked for, the certificate is legitimate. This check happens on your computer, not at a third-party service, and if it fails the browser shows a warning and stops before sending anything secret.
- Your computer then generates a fresh secret key that will be used for this session only. It puts that session key in the box, locks the box into position A with the public key the server sent, and sends the whole thing back to the server.
- The server uses its private key to open the box (A to B). Now you and the server both hold the same session key, in other words you both know the code to decipher each other's messages, and nobody who watched the exchange does.
- The server sends over your emails in a normal box with just one type of key: the session key that you and the server both have.
- You open the box with the key and voila, emails, securely delivered.
That is the classic RSA key exchange, the simplest version to picture. Current TLS (version 1.3) no longer sends the session key in a box at all: each side contributes a fresh random value and both compute the same key from them using Diffie-Hellman, so a recording of the traffic can't be decrypted later even if the server's private key leaks. The server still proves who it is the same way, by using the private key from its certificate to sign part of the handshake.
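Here is the whole exchange as a worked example, added to this article and not taken from it or from any real SSL library. A textbook RSA built on Mersenne primes plays the two-key lock from the previous section, a SHA-256 keystream plays the simple substitution cipher from the section before that, and the party names (Example Root CA, mail.example.com, Rogue CA), the function names and the email text are made up for the demonstration. Never use these toy algorithms for real traffic; the point is to see each step of the handshake, including what happens when the certificate comes from a CA the browser does not trust, in code you can run offline.

```python
"""Toy model of the handshake above: textbook RSA with Mersenne primes plays the
two-key lock, a SHA-256 keystream plays the symmetric cipher. Illustration only,
not the real TLS algorithms and not safe for real traffic."""
import hashlib
import os
from math import gcd


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public and private halves of one lock."""
    n, phi = p * q, (p - 1) * (q - 1)
    while gcd(e, phi) != 1:      # e must be invertible mod phi; already true for the primes below
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def lock_with_public(pub, m):      # B -> A: anyone can lock, only the private key opens
    n, e = pub
    return pow(m, e, n)


def open_with_private(priv, c):    # A -> B
    n, d = priv
    return pow(c, d, n)


def sign_with_private(priv, m):    # B -> C: only the private key can lock this way...
    return open_with_private(priv, m)


def verify_with_public(pub, sig):  # ...and anyone with the public key can open it
    return lock_with_public(pub, sig)


def symmetric_crypt(key, data):
    """One shared key, same call in both directions: XOR with a SHA-256 keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def fingerprint(fields):
    """128-bit hash of the certificate body; small enough for the toy moduli."""
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest()[:16], "big")


def issue_certificate(ca_name, ca_priv, subject, subject_pub):
    """The CA locks (signs) the site name and public key with its private key."""
    fields = {"subject": subject, "public_key": subject_pub, "issuer": ca_name}
    return {**fields, "signature": sign_with_private(ca_priv, fingerprint(fields))}


def verify_certificate(cert, expected_host, trusted_roots):
    """The browser's own check against the CA list it ships with; no third party is called."""
    ca_pub = trusted_roots.get(cert["issuer"])
    if ca_pub is None or cert["subject"] != expected_host:
        return False               # unknown CA, or a valid certificate for some other site
    fields = {k: cert[k] for k in ("subject", "public_key", "issuer")}
    return verify_with_public(ca_pub, cert["signature"]) == fingerprint(fields)


# Constructed parties with hypothetical names. Real keys are ~2048-bit RSA or elliptic-curve.
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
ROGUE_PUB, ROGUE_PRIV = make_keypair(2**31 - 1, 2**521 - 1)
TRUSTED_ROOTS = {"Example Root CA": CA_PUB}            # what the browser ships with
SERVER_CERT = issue_certificate("Example Root CA", CA_PRIV, "mail.example.com", SERVER_PUB)
ROGUE_CERT = issue_certificate("Rogue CA", ROGUE_PRIV, "mail.example.com", ROGUE_PUB)
EMAIL = b"Subject: lunch?\n\nNoon works for me."        # constructed sample message


def fetch_mail(cert, host, server_priv=SERVER_PRIV):
    """Both sides of the exchange in one place; returns what the browser ends up reading."""
    # Steps 1-2: browser asks for the certificate and checks it locally.
    if not verify_certificate(cert, host, TRUSTED_ROOTS):
        raise ValueError("untrusted certificate: abort before sending anything secret")
    # Step 3: browser picks a fresh session key and locks it with the server's public key.
    session_key = os.urandom(16)
    wrapped = lock_with_public(cert["public_key"], int.from_bytes(session_key, "big"))
    # Step 4: server opens the box with its private key; both sides now hold the same key.
    server_key = open_with_private(server_priv, wrapped).to_bytes(16, "big")
    # Steps 5-6: bulk traffic uses the fast symmetric cipher in both directions.
    ciphertext = symmetric_crypt(server_key, EMAIL)
    return symmetric_crypt(session_key, ciphertext)


if __name__ == "__main__":
    print(fetch_mail(SERVER_CERT, "mail.example.com").decode())
```

Run it and the email comes back from the server decrypted. Swap SERVER_CERT for ROGUE_CERT in the call and fetch_mail refuses before a session key is ever generated, which is the warning page you see on a site with a bad certificate; ask for a different host name with the genuine certificate and the same happens, because a valid certificate for one site is no proof of identity for another.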
That’s how SSL works. But what about HTTP and HTTPS?
What is HTTP and HTTPS?
Next, we need to understand what HTTP and HTTPS are and the differences between them.
First, HTTP stands for Hypertext Transfer Protocol. In a nutshell, a protocol is a set of rules that every device connected to the internet follows so that all the billions of computers in the world can talk to each other. There are many protocols out there, but HTTP is the one most web users have seen, because it's the first part of every web address.
For example, the familiar 404 "not found" error is an HTTP status code.
HTTPS is plain HTTP carried inside an SSL connection. Your browser still sends the same HTTP requests to get your email, load a YouTube video, or make an ecommerce payment; the difference is that the whole conversation, including the path of the page (everything after the site name), the headers, cookies and form contents, is encrypted and authenticated before it leaves your computer. Only the site name itself, and the fact that you're talking to it, remain visible to someone watching the network.
Why bother changing from HTTP to HTTPS?
Now we get to the good stuff. Why bother changing from HTTP to HTTPS?
First, it makes your site and your customers more secure. This alone makes it worthwhile. Even on pages where you're not collecting credit card information, providing a secure experience is critical. Why? Because companies collect various pieces of information about their visitors before they ever ask for a credit card number, and on plain HTTP anyone on the same Wi-Fi, or anywhere along the network path, can read those pages and even change them on their way to the visitor.
You and your customers don’t want that data stolen or watched.
Second, it's inexpensive. SSL certificates used to cost an arm and a leg, but the nonprofit certificate authority Let's Encrypt now issues them free of charge, and most hosting platforms will obtain and renew one for you automatically. And this isn't a tech solution that's been hacked together: Let's Encrypt is run by the Internet Security Research Group (ISRG) and launched as a Linux Foundation collaborative project. The Linux Foundation also hosts:
- Node.js, the JavaScript runtime behind a large share of server-side web code
- Kubernetes, the container orchestration system used to power eBay, Yahoo!, and gov.uk
- the Linux kernel, which Android is built on
So you can offer your customer more security at a low cost.
Third, there is no real detriment to your user experience. A common misconception is that the process we outlined above, where public keys are used to verify the server and agree on a session key, is slow.
And to be fair, public-key operations are slow compared with symmetric ones. That is exactly why an SSL connection only uses them during the handshake at the start, to set up the session key. Everything after that is encrypted with the symmetric key, which modern processors can do faster than the network can carry the data. The handshake costs an extra network round trip or two on the first visit (one in TLS 1.3, and none when a recent visitor reconnects), which has no discernible impact on your users or your load time.
Fourth, it will actually improve your search rankings and help you build customer trust.
Google has used HTTPS as a ranking signal since 2014, and since 2018 Chrome has flagged every plain-HTTP page as "Not secure" in the address bar.
To quote the Google security blog, they did this because “Studies show that users do not perceive the lack of a 'secure' icon as a warning.”
What's more, Progressive Web Apps (PWAs), service workers, geolocation and other newer browser features are only available to pages served over HTTPS. We crossed the 50% threshold earlier this year for HTTPS vs HTTP, so it looks like browsers are committed to slowly phasing HTTP out.
Finally, it’s not that hard.
Changing to HTTPS is a relatively straightforward task: get a certificate (your hosting provider or a Let's Encrypt client will usually install and renew it for you), switch HTTPS on at the server, and then redirect all HTTP traffic to HTTPS. Two things to check afterwards: that no page still loads images, scripts or stylesheets over plain HTTP (browsers block or warn about this "mixed content"), and that renewal is automated, since Let's Encrypt certificates expire after 90 days.
Here’s the bullet point summary with everything you need to know:
- HTTP and HTTPS are internet protocols — they’re a series of rules that allow computers to communicate with one another. It’s a little like two computers speaking the same language.
- The extra ‘S’ in HTTPS stands for secure. It’s when the HTTP protocol has had a layer of SSL security laid on top.
- SSL security is a way for servers and browsers to communicate privately and make it difficult for anyone to eavesdrop on data when it’s in transit between the two. It also helps ensure browsers are talking to the servers they think they’re talking to. It does this by encrypting the data with public and private keys, or codes, needed to decipher the information.
- HTTPS is relatively inexpensive to set up.
- There are a number of benefits: Google will rank your site better, your customers will trust you more, and your visitors' data can't be read or altered on its way to you.
And that’s it. If you have any questions about HTTP/HTTPS protocols or other security concerns, get in touch with us.