HTTPS is the secure version of the “Hypertext Transfer Protocol” (HTTP), which is an application protocol for communication between systems and devices. In early 2017, Mozilla noted that the average volume of encrypted Internet traffic outnumbered the average volume of unencrypted traffic. This was—and is—a great step towards a more secure web. But why does it matter?
When you visit a website via HTTP, the communication is not encrypted, which means that ISPs and/or hackers can intercept and monitor your browsing activity. This is because the request made to the server returns the response in plain text, so any intermediary can read it and potentially compromise the data. HTTPS solves this issue by encrypting the response data using Transport Layer Security (TLS), formerly the Secure Sockets Layer (SSL). TLS provides the client and the server with a secure means of data transfer. The two negotiate the appropriate encryption algorithm through what is referred to as the TLS handshake. The condition is that the server must be TLS-enabled.
Initially, HTTPS was only used for webpages that handled form submissions or for payment gateways but it is increasingly becoming a standard for the web. This is due to the fact that privacy becomes almost an impossibility when using ‘HTTP’. This is why most browsers are now encouraging users to visit only HTTPS versions of websites and warn users when connections are using HTTP. You will know that a website has HTTPS enabled when the website address begins with ‘https’ and is preceded by a lock icon.
Google is also taking measures to promote the use of HTTPS. The first is that websites that don’t use HTTPS rank lower in search results. The second is that when using Google Chrome, websites that use HTTP are flagged as unsafe and that’s not something you’d want your users to see.
HTTPS therefore should and must be the norm. However, it is not entirely foolproof. It is especially vulnerable to scammers and phishers. By replicating the signs of an HTTPS connection (‘https’ in the address bar and the green lock icon), scammers can mislead users into thinking they are using a legitimate site. It is therefore necessary to check the web address to make sure you’re not on a sub-domain of a malicious website.
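The address check described above can be automated, for example in a link scanner or mail filter. The following is an added example, not code from the original post; `checkAddress`, `SAMPLES` and the `.example`/`.test` hostnames are hypothetical names constructed for illustration.

```javascript
// Added example: compare the host in a URL with the domain the user expects.
// Assumption: the caller knows the legitimate domain (here "bank.example").

function checkAddress(rawUrl, expectedDomain) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lowercases the host, splits off userinfo
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  const expected = expectedDomain.toLowerCase().replace(/\.$/, "");
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot

  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // In https://bank.example@other.test/ the text before "@" is not the host.
    return { ok: false, host, reason: "userinfo before host" };
  }
  // Legitimate: the expected domain itself or a label-aligned subdomain of it.
  if (host === expected || host.endsWith("." + expected)) {
    return { ok: true, host, reason: "host is within expected domain" };
  }
  // The expected name appears only as leading labels of someone else's domain.
  if (host.startsWith(expected + ".") || host.includes("." + expected + ".")) {
    return { ok: false, host, reason: "expected name is a subdomain of another site" };
  }
  return { ok: false, host, reason: "different domain" };
}

// Constructed sample URLs; every one except the first should be rejected.
const SAMPLES = [
  "https://www.bank.example/login",
  "https://bank.example.account-verify.test/login",
  "https://bank.example@login.test/",
  "http://bank.example/login",
  "https://notbank.example/login",
];

for (const u of SAMPLES) {
  const r = checkAddress(u, "bank.example");
  console.log(`${r.ok ? "OK    " : "REJECT"} ${u} (${r.reason})`);
}
```

The comparison is made on whole DNS labels, so a host that merely contains or ends with the expected text is not accepted.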
In a future post, I will explain how to set up HTTPS for your website.