What is HTTPS?
HTTPS is a security-enhanced version of Hypertext Transfer Protocol (HTTP), the application protocol through which all data communication on the web happens. HTTP helps web users to retrieve web pages. HTTPS, or HTTP Secure, does the same, but securely, so that unauthorized users cannot access information they are not supposed to have.
Definitions: what do the terms mean?
- HTTP: HyperText Transfer Protocol
- HTTPS: HyperText Transfer Protocol Secure
What's the difference between HTTPS, HTTP, and SSL?
Both HTTP and HTTPS work to help web users transfer and receive information over the Internet. HTTPS with its secure information transfer, however, is particularly important for sites where sensitive information is sent, such as ecommerce sites where users submit payment information like billing addresses, phone numbers and credit card data. HTTPS works with the protocol known as Transport Layer Security (TLS), or previously Secure Sockets Layer (SSL), to encrypt sensitive data, prevent the alteration or corruption of data during transfer, and authenticate certain users to communicate with the website.
Essentially, HTTPS provides security by generating short-term session keys, or encryption codes, for the data transfers between a user and the website server. These security keys must be certified by a certificate authority such as Comodo or Symantec.
The original use for HTTPS was for ecommerce transactions, email, and other sensitive data transfers. Today it has become the standard for all websites, endorsed by Google itself and now a requirement for many advanced features like progressive web applications.
Should I be using HTTPS?
Any site that deals with secure information should definitely be using HTTPS. Even sites that do not deal specifically with sensitive data, however, can still benefit from HTTPS.
Google itself has been one of the biggest advocates in Search of the universal applicability of HTTPS. Speaking at BrightEdge's Share16, Thao Tran, Global Product Partnerships at Google, stated that HTTPS, "and making sure your site is secure is an imperative... The future of the web is a secure one, so make sure people in your organization understand HTTPS, and it should be on the roadmap."
The endorsement from Google and the consesus from SEO authorities that you should migrate your site to HTTPS now, if you haven't already, isn't just another SEO flavor-of-the-month novelty. The security risks associated with HTTP are real and have potentially severe consequences, especially if you are in ecommerce, finance, deliver some kind of SaaS solution, or have any other business model that involves handling sensitive customer data over the internet. Most notably, HTTP has the potential for an internet service provider -- or another outsider actor -- to actually tamper with pages that your site visitors navigate to, including changing content or removing elements from the page. In the case of ISPs this is sometimes used to insert advertisements or behavioral tracking cookies for advertisements, but can be put to far more nefarious uses in the hands of other parties.
What are the security risks of HTTP?
A 1999 memo from the World Wide Web Consortium, an international web community run by Jeffrey Jaffe and Tim Berners-Lee, inventor of the World Wide Web, documented a number of different security considerations and potential attack vectors associated with HTTP/1.1:
- Leakage of personal information: Ideally sites should provide an interface that allows users to control the level of disclosure on the personal information they enter on the site, but this isn't always the case and leaves end users dependent on the design whims of the webmaster
- Abuse of server log information: Web servers log the navigational behavior of site visitors. This information could potentially be used to glean private information about end users
- Unsecure transfer of sensitive information: HTTP has no ability to regulate the actual content of data being transferred over it
- Encoding of sensitive information in URIs: The source of a link could potentially be private information or inadvertently disclosure a private source of information
- Privacy issues associated with accept request-headers: Another class of data that has the potential to be used to triangulate against other data sources to identify end users. This loss of privacy can be secure on server side, but again places the end user's information at mercy of the webmaster
- Attacks based on file and path names: In an insecure system a bad actor can take the URL of a piece of content they have access to, e.g. "site.com/resource/profile/jon-profile.docx", and navigate up the taxonomy to get access to the /profile/ directory when they're technically not supposed to have access
- DNS spoofing: HTTP relies heavily on Domain Name Service, which associates domain names, e.g. brightedge.com, with underlying underlying IP addresses. Bad actors can deliberately misassociate an IP address-DNS pairing to "spoof" a DNS, thereby diverting users from the site they meant to navigate to to a completely different one
- Location headers and spoofing: Similar to the DNS spoofing issue, a server hosting several organizations who aren't associated with each other must check the values of Location and Content-Location headers to ensure that those organizations aren't attempting to invaldiate resources they don't own
- Authentication credentials and idle web clients: HTTP/1.1 doesn't have a method for clients to discard cached authentication credentials
- HTTP proxies and caching ("man-in-the-middle" attacks)
- Denial of Service attacks on proxies (DDOS)
Read our take on why HTTPS is essential for any brand that wants a real presence online.
HTTPS as a new ranking factor
Google announced in 2014 that they were going to be considering HTTPS a light ranking factor in an effort to encourage security on the web (check out the post on HTTPS vs HTTP and SEO). Even outside of Google’s recommendations, sites that make the switch to HTTPS often find that customers regard their site as more authentic. The site is also more protected from damages that can occur from third parties. More recently, Google warned Chrome users that the web browser will begin redflagging sites that are still on HTTP: “Beginning in October 2017, Chrome will show the ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”
This message now appears in URL bar of Chrome browsers:
It is important to note that the SEO benefits from switching to HTTPS do seem minimal currently, the risks involved in not migrating are huge. Not only are site visitors deprived of a large amount of security -- poor security is about as bad as UX can get -- but Google has stated that Chrome now displays "Not Secure" next to a site's URL in the browser window when users try to fill out a form.
How to switch from HTTP to HTTPS?
Switch from HTTP to HTTPS in 7 steps:
- You will need to first determine if you need a single, multi-domain or wildcard certificate
- Next, you will need to use a 2048-bit key certificates so that you can get a Certificate Signing Request on your webserver
- You will have to make sure you maintain a current SSL certificate
- For the resources that are on the same secure domain, use relative URLs
- Use server-side 301 HTTP redirects -- mod_rewrite is common -- for redirects to the HTTPS pages
- Make sure your robots.txt allows the web crawlers access to your HTTPS pages
- Verify that your website returns the same HTTP status code
You can also get our detailed guide to HTTPS site migrations, which lists out migration tasks for both SEOs and digital marketers as well as web developers.
HTTPS vs HTTP is a question that has plagued many site owners as they try to remain compliant with Google and provide a secure space for their visitors. Those interested in making the switch should review the above steps adopted from Google’s suggestions and see how it might impact them.
- HTTPS vs HTTP and SEO: how does a switch to HTTPS affect your SEO efforts
- Avoid common SEO pitfalls switching to HTTPS
- Moving to HTTPS: A webinar on HTTPS migrations with BrightEdge thought leaders