Any non-public personal information (credit card numbers, social security numbers, etc) should always be served via HTTPS. However, there is an increasing trend towards serving all content via HTTPS. In addition to ecommerce and financial sites, we’re seeing the familiar “lock” icon on news sites, blogs, search engines, and the websites of most mainstream brands.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is a set of rules for securing communication on the World Wide Web. It prevents eavesdroppers from seeing information that visitors send or receive over the Internet. HTTPS secures its connections by using SSL/TLS protocols that authenticate web servers, and that encrypt messages sent between browsers and web servers.
What is TLS?
TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication over the Internet. HTTPS uses TLS to secure communication for website visitors. TLS provides the following security benefits:
- Identity authentication: The browser determines whether a web server is the right server, and not an imposter.
- Privacy: Information between the browser and web server is kept private by using encryption.
- Data integrity: Messages between the browser and the web server cannot be altered by others (e.g., during a man-in-the-middle attack).
What is SSL?
SSL (Secure Sockets Layer) is the predecessor of TLS. After SSL 3.0, the next upgrade was named TLS 1.0 (instead of SSL 4.0) because the version upgrade was not interoperable with SSL 3.0. Many people refer to TLS as SSL or as SSL/TLS, even though all versions of SSL are now deprecated.
How do I know my website is secure?
Using a browser, website visitors can determine whether a site uses an SSL/TLS certificate by checking:
- The lock icon next to the web address
- The text https:// before the hostname in the web address (the “s” in https stands for secure)
Why should I care?
Even if your website isn’t processing payments, there are good reasons to consider HTTPS, a few of which are listed here:
Even non-technical audiences associate the little green padlock in the browser’s address bar with trust and reliability.
Maybe your website only hosts text and images. But if users are logging into your website via Wi-Fi with a password that they also use for online banking, then you are potentially facilitating a serious security breach by broadcasting those credentials publicly.
Many websites are still served via HTTP, but there is an undeniable trend towards HTTPS. This will only increase as users become increasingly educated about web security. Be on the right side of history.
Although the much faster HTTP/2 protocol (see below) does not require the use of encryption, some implementations have stated that they will only support HTTP/2 when it is used over an encrypted connection. In fact, no browser currently supports HTTP/2 unencrypted. In short, if you want HTTP/2, you’ll need SSL/TLS.
Search engine optimization (SEO)
Google officially announced that HTTPS is used as a ranking signal. In other words, Google is rewarding HTTPS websites by boosting their rankings in search results.
Also, starting in 2017, Google will flag sites collecting data (like passwords or credit card info) that aren’t SSL certified. This is Google’s first step in red-flagging non-secure sites in order to protect web safety. In addition to SSL affecting page-rankings, this big move directly impacts your SEO, site integrity, and conversion rates.
What is HTTP/2?
Look at the address bar in your browser. See those “HTTP” letters at the front? That stands for Hypertext Transfer Protocol, the mechanism a browser uses to request information from a server and display web pages on your screen.
A new version of the HTTP protocol was recently published by the Internet Engineering Task Force (IETF). This means that the old version, HTTP/1.1, in use since 1999, will eventually be replaced by a new one, dubbed HTTP/2. This update improves the way browsers and servers communicate, allowing for faster transfer of information while reducing the amount of raw horsepower needed. HTTP/2 is supported by the most current releases of Edge, Safari, Firefox, Opera and Chrome.
Put simply, HTTP/2 loads web pages 20%–30% faster than HTTP/1.1. HTTP/2 improves speed mainly by creating one constant connection between the browser and the server, as opposed to a connection every time a piece of information is needed. This significantly reduces the amount of data being transferred.
Plus, it transfers data in binary, a computer’s native language, rather than in text. This means your computer doesn’t have to waste time translating information into a format it understands.
Other features of HTTP/2 include:
- Multiplexing: Sends and receives multiple messages at the same time.
- Prioritization: More important data is transferred first.
- Compression: Squeezes information into smaller chunks.
- Server push: The web server anticipates the next request and sends that data ahead of time.