Make the switch from HTTP to HTTPS
With technologies such as the Let’s Encrypt project, website owners on shared servers are able to provide a secure website connection through HTTPS — and this secure connection isn’t possible through an HTTP connection. This process is implemented by a Transport Layer Security (TLS) protocol on an HTTPS connection.
Let’s break down this tech talk.
What’s a TLS (Transport Layer Security) protocol?
TLS (also known as an SSL connection or Secure Socket Layer) is a type of internet protocol that provides encryption technology that will secure the connection between the browser of your users (your website visitors, clients, and customers) and your web server (the web server where your website is hosted).
By using the TLS protocol the connection for visitors on your website becomes HTTPS instead of HTTP. The added “S” (literally meaning “Secure”) indicates to you and other users of your website that you have a secure connection and any exchange of information will be encrypted.
What is HTTP and how is it different from HTTPS?
HTTP (HyperText Transfer Protocol) is the underlying base communication protocol that browsers and servers must implement in order to communicate with each other. This protocol includes requests (ex: visiting a website) and responses (ex: returning web pages), sessions (ex: time/interactions on a website), caching (ex: storing static web pages for quick access to a request), authentication (ex: logging into a website, etc.), and other interactions.
Work on the HTTP protocol, as well as on the Hypertext Markup Language (HTML) that functions on the HTTP system, was started in 1989 by Sir Tim Berners-Lee and his team. HTML displays web pages in organized layouts rather than simply displaying pages of text with images and forms jumbled in between.
And because of the way HTTP works, this protocol transfers information between the browser and the server in clear text, allowing the network through which this information passes to read it. Anyone with access to the network (technicians, web bots, and hackers) can read the information that’s transferred, and this is a security concern. This information includes the entire code and content of your website, and anyone submitting or uploading information through forms and other interactions.
So, “HTTP Secure” (HTTPS) was introduced, allowing the browser and the server to first establish an encrypted communication channel, and allowing a TLS protocol to pass through this channel, effectively protecting web bots and others from eavesdropping.
What does it mean exactly to have a secure connection?
When you have a secure connection all data transmitted between your users’ browser and the web server remains encrypted. So no matter what information you gather on your website, it cannot be read on the network connection. And what does this information include? It includes the entire code of your website, comments to posts, the content of email forms completed, possible street addresses, zip codes, and other personal data; and while an unsecure website shouldn’t collect financial information in this environment, if it did, that information could be read as well.
When your website isn’t secure web bots or trackers, malicious and otherwise, can use “packet analyzers” to eavesdrop on unencrypted data to see what information is being exchanged. Hackers can inject malware, such as adware, spyware, and viruses.
You’ve probably noticed when you’re on the web either an HTTP or HTTPS in the browser address window of whatever site you’re visiting, and now your know whether the connection is secure or not. Although please note, some browsers have removed the HTTP or HTTPS indication and instead show a closed padlock icon to indicate that website is HTTPS. So if you don’t see either HTTPS or a closed padlock icon in the browser address window then you’re on a website using HTTP and it is unsecure.
Should you have a website or use a website still using HTTP?
Owning a website still on the HTTP protocol (or using a website with HTTP) doesn’t mean that your users shouldn’t be there necessarily, or that they will pick up malicious malware, and if so you should be protected with your malware protection plugin.
Just know that any information your users provide on your website is, again, in readable text to web bots (web crawlers, trackers, hackers, and the like), such as names, addresses, content of comments or email forms your users complete, etc., and may be more susceptible to malware.
Google Chrome is now issuing a warning message when users attempt to complete forms on unsecure websites, and indeed, the date as arrived that Google Chrome presents a message of “Not Secure” in the address field of any website on HTTP. The day is coming that all browsers will follow suit.
Users are simply becoming more aware of security online and having an HTTPS connection is becoming the norm, it is becoming the minimum you should offer your visitors. So aside from security, HTTPS also improves trust.
You certainly don’t want your users to provide any financial information on an unsecure site (and indeed in most all cases, e-commerce sites must use secure connections or HTTPS). So ensure that you don’t collect this data on an HTTP connection as a website owner.
In addition, protect yourself when purchasing online by making sure you are on a secure HTTPS connection and that the web address in the browser address field is the correct web address, exactly, from the first segment of the web address to the last segment (the .com or other TLD – top level domain). And too, be aware that hackers are savvy to this notion of HTTPS and people believing they are secure on the web. Hackers have already begun using HTTPS connections themselves so that the phishing links they send to you will go to an HTTPS address with that green closed padlock icon. So yes, while your data is encrypted, it may not be going to a legitimate website address! Again, before submitting sensitive information online, make sure the web address is not only HTTPS, but also the correct web address of the business with whom you want to interact.
While HTTPS will not protect against all attacks, it is important to note that the security community is fully aware of the attacks that can still slip by HTTPS, and is fully capable of developing solutions. The advantage is that once you implement HTTPS, your website will be able to utilize the security improvements of HTTPS implemented by the security community.
Basically, it is time to switch to HTTPS to help make the web in general more secure, as well as your website, and to remove any alert warnings the browser may send to your users trying to contact you or interact with your website.
How do technologies like Let’s Encrypt work?
Websites on a shared server all have the same IP address; but, generally, to obtain an SSL certificate, a website owner needed their own unique IP address. For this reason a website owner had to host their site on a dedicated server with a unique IP address and then obtain an SSL certificate and utilize an HTTPS connection. Both the dedicated server space and the certificate renewed annually.
Note: there were and are exceptions to this rule of one certificate per IP address, but the certificates that worked on shared servers, if that was possible through your web host in the first place, were costly as well.
Also note: it is still generally called an SSL certificate, but that designation has been upgraded to TSL as we covered earlier. And there are many different types of certificates, the most common being the domain-validated certificate, which is the certificate we are concerned about in this article. Other levels of certification may require the verification and legality of the organization itself. At this time we will not cover all the various certificates.
Then came along a new technology, Server Name Indication or SNI.
SNI is an extension to the TLS protocol and allows a web server to present multiple domain-validated certificates, thereby allowing multiple websites to use HTTPS that are on a shared server.
Let’s Encrypt works through this SNI technology.
Let’s Encrypt will look at the domain name being requested on a shared server and issue one or more sets of challenges to the server to make sure the server is indeed in control of and manages the website. Once Let’s Encrypt determines the connection is valid it automatically issues a domain-validated certificate to establish a secure connection.
Through technologies like Let’s Encrypt you do not need to buy costly dedicated server space or certificates to obtain a secure encrypted website connection for your users. Theses types of free, automated, and open certificates last for 90 days, and are automatically renewed. And if needed either CCB Creative or your IT division can insure these certificates have been successfully renewed.
Let’s Encrypt is an open certificate authority (CA) run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). It is free, and the encryption process is automated.
Again, there are several types of certificates a website can obtain for an HTTPS connection, but at this time the domain-validated certificates, which are the mostly widely used certificates, are the only ones issued by Let’s Encrypt.
And more complex certificates are still required for organizations handling highly sensitive information such as financial data and specific ID information which include health records, and the like. These organizations must meet additional standards to receive dedicated certificates.