Cameron FrancisAugust 21,2015

HTTP vs. HTTPS: What You Need to Know

Share on Facebook0Tweet about this on TwitterShare on Google+0Pin on Pinterest0Share on LinkedIn0Share on StumbleUpon0

http vs https

HTTP vs. HTTPS has become a big debate. Most people already understand HTTP but aren’t quite familiar with HTTPS. This article looks at the two in detail with specific emphasis on the benefits and drawbacks of HTTPS as compared to HTTP.

What is HTTP?

Hypertext Transfer Protocol (HTTP) is used to transfer data over the web. It defines commands and services used for transmitting web page data.

What is HTTPS?

Hypertext Transfer Protocol Secure (HTTPS) is simply the secure version of HTTP. Essentially, all communications between a user and an HTTPS web page are encrypted.

What are the Advantages of HTTPS over HTTP?

There are several benefits of HTTPS over HTTP. Of course, these benefits don’t mean that you should jump on the bandwagon right away. As you will discover later on, there are also several areas where HTTP outperforms HTTPS.

That said, here are the four main benefits of HTTPS:

1. Avoid ISP and Government Tracking

The government likes to monitor certain activities on the Internet. But it’s understandable because most of the time, they do so to protect us.

However, ISPs have also developed a habit of tracking people for no good reason. If you don’t want the government, your ISP, or anyone else to track your browsing activities, HTTPS can help. HTTPS encrypts data as it is transferred ensuring that eavesdroppers can’t snoop on your activities.

2. Avoid Malicious Software and Spoofing Services

This is another great benefit of HTTPS. You realise that HTTPS fundamentally means a more secure web. Websites are checked to ensure that they comply with certain criteria and only those that are proven to be genuine are granted certificates. This would be certainly beneficial in the current world where scam sites are commonplace.

3. Minimise the Risk that Comes with Unsecure DNS Structure

The Domain Name System (DNS) is pervasive. We use it millions of times every day without even knowing it exists because we believe it is as reliable as you can find. Yet, just like all technology, the DNS has its own flaws.

There are many types of threats posed by the DNS. An excellent example is what tech guys call “typosquatting.” This is the practice of registering a domain name that is confusingly similar to an existing popular brand. Recent research shows that this practice can present a profound risk to the confidentiality of corporate secrets and must be treated as a security problem. In fact, there are quite a lot of organised criminals that use typosquatting to steal valued information.

Definitely, this is a type of risk that can be minimised using HTTPS.

4. HTTPS Brings a Higher Security Policy for Browsers

Realistically, if everyone started using HTTPS today, the web would become a much safer place just because the security standards would be raised instantly. The web, as it currently is, cannot be said to be safe. Today, if an attacker can compromise your account with a chosen domain registrar, they gain control of your domain name. They can thereafter point the domain name to a server of their choice, including email servers, web servers, name servers etc. or, they can choose to transfer your domain name to an “offshore” register making recovery of the domain name a very complex process.

These are things that have happened in the past. For instance, several years ago, Facebook used to serve their login page over HTTP. Then, one time, a government in the middle-east injected JavaScript into the page and stole millions of user passwords right from the login form. Interestingly, the passwords had been sent to Facebook over HTTPS. But then, the login page was running on HTTP, which left it very exposed. If everyone would just see the importance of using HTTPS, such cyber crimes would be prevented immediately.

So, HTTPS is the more secure option, but why isn’t the web using it?

In theory, HTTPS, which uses SSL to ensure security over Internet, could be seen as a big winner. Yet, in practice, HTTPS is a big mess. This doesn’t mean that HTTPS and SSL are worthless. After all, a compromised HTTPS connection can only be as unsecure as a HTTP connection.

However, HTTPS has several issues that must first be addressed if it is to be adopted on a larger scale.

  • The Sheer Number of Certificate Authorities

Your browser has a certain number of certificate authorities and a browser can only trust certificates issued by these authorities. For instance, if you visited HTTPS://companyx.com, the web server at companyx.com would issue an SSL certificate that your browser has to check to ensure that the site’s SSL certificate was issued for company.com by a trusted certificate authority. If the certificate were coming from an UNTRUSTED certificate authority, your browser would then issue some sort of warning.

The problem is that with so many certificate authorities, a problem with one authority can quickly spread and affect other people. For instance, you may obtain an SSL certificate for your domain from provider A but at the same time, someone else can trick provider B into providing them with a certificate for your domain too!

  • Some Certificate Authorities Aren’t Trustworthy

Another major problem with certificate authorities is that some of them have proven to be not trustworthy. Some fail to do any due diligence when issuing certificates, which can leave you badly exposed. For instance, how do you explain an incident where a certificate authority provides a certificate for an address such as “local host” when local host has inherently been used to represent the local computer?

In 2011, it was discovered that several legitimate certificate authorities issued SSL certificates to more than 2,000 “local host” addresses. If certificate authorities are making such simple mistakes, you’re left to wonder what other mistakes they are capable of making.

  • The Certificate Authorities Could be Compromised

Currently, there are thousands of certificate authorities all around the world. These authorities are allowed to offer a certificate to any website. This leaves a glaring loophole for governments to exploit. For instance, if a government wants to impersonate a certain group or person, they may simply walk up to a certificate company and compel it to issue an SSL for that site.

Such a scenario was witnessed some time back in 2013 when Google discovered that some rogue certificates of Google.com had been issued by ANSSI, a French certificate authority. ANSSI would have allowed anyone to impersonate Google’s website, which would have led to unforeseen cyber attacks.

  • Man-in-the-Middle Attack Issues

The way HTTPS works, it may seem like one can just log into their bank account over Wi-Fi assuming that the connection is safe. DO NOT TRY IT. Although HTTPS connections are secure and even help you verify that you’re indeed connected to your bank, man-in-the-middle attacks are still possible.

Some off-the-shelf solutions just can’t be trusted because the developers of these solutions can insert malicious hotspots on the solutions, which may make it easy to tap critical information. For example, a Wi-Fi hotspot might connect to the bank on your behalf – sitting in the middle and doing everything for you. It can also redirect you to a HTTP page and connect to the bank via HTTPS on your behalf.

Internationalised domain name homograph attack is a complex kind of attack that deceives computer users. In these attacks, a “homograph-similar HTTPS address” can be used to hoodwink users and redirect them to scam sites. It uses special Unicode characters to replace the letters in addresses such that the “b” in “bank” could mean a completely different thing.

Do HTTPS Websites Rank Better than HTTP Sites?

Google hardly reveals exactly how it ranks websites. So, when optimising your site for the search engine, you should just listen to what Google says and try to do as they advise. Currently, they are encouraging mobile-friendly design. To stay on the safe side, this is what you should be working hard to accomplish.

A while back, the company also announced that it would start rewarding HTTPS sites! This came as a big surprise because when Google says they are rewarding you then it means you’ll be getting a better ranking which is something we would all want.

With that in mind, here are a few SEO benefits of HTTPS

1. More Referrer Data

Currently, when traffic passes from a secure (HTTPS) site to a non-secure (HTTP) site, all the referral data get stripped off. If you check your analytic report, you’ll find the traffic market as “Direct.” This is a huge problem because you may not be able to tell where the “Direct” traffic is actually coming from.

On the other hand, when traffic passes from an HTTP site to an HTTPS site, the secure referral information is preserved!

2. HTTPS as a Ranking Boost

As already mentioned, Google has promised to favour HTTPS sites. So, for two identical websites, if everything else were kept constant, an HTTPS site would rank higher than an HTTP site.

However, just as with other metrics, HTTPS alone cannot impact a site’s ranking significantly. It may play a part, yes, but not enough to cause a massive impact.

3. Security and Privacy

HTTPS improves security in many ways. For instance, an HTTPS connection assures the user that he is connected to the right website. Also, because HTTPS prevents third parties from tampering with websites, it helps eliminate man-in-the-middle attacks. Moreover, HTTPS encrypts all communications, protecting things like browsing history and credit card information in the process.

Put together, these security features, even on their own, can be a big attraction to consumers. If two sites were offering the same items at the same price, then a consumer might choose a secure (HTTPS) site over a non-secure (HTTP) site just for the peace of mind.

Why You Shouldn’t Make the Leap, Just Yet

A few years back, HTTPS was rare and expensive which explains why very few people used it. However, the tables have turned and HTTPS can now be easily obtained. You can pick up your SSL certificate for only a few dollars and even grab a wildcard SSL certificate for a small fee.

However, you don’t need to hurry in making the switch. The reason is simple – if you use Google as your primary search engine, you should be aware that any major change can usually cause a serious impact, short term or long term. It could be as small an impact as a drop in one or two places for one or two days to a more lasting impact such as a drop in several places that may take months to recover. So, take your time; don’t rush.

What You Could Do Instead

Instead of worrying of whether to go for HTTP or HTTPS, tapping a reputable web agency can help you in optimising your website security to get rid of the hassles brought about by hackers right from the very start. Having a web agency do the work for you means that you’re not only protecting your website or business from intruders, but you’re also securing your reputation, as these hackers could use your site for illegal purposes.

A web agency’s work is not just to offer tips on how to prevent your website from being hacked, as their main purpose is to make sure that your website

  • Is updated with the latest CMS version and plugins – With a new CMS version, an available update in security is also being offered. Hackers’ methods get more and more advanced to be able to keep up or get ahead of the security updates offered by websites. The web agency of your choice should be aware of this threat and their goal is to maintain security so as not to compromise anything.
  • Has a Web Application Firewall – Basically, it blocks common attacks by monitoring and controlling what goes in and out of a web application and everything that has access to it. It can be customised based on your application and requirements.
  • Uses SSL Protocol – Secure Sockets Layer or SSL establishes an encrypted link to protect not only the server but the end user as well. This is highly important, as it protects the transmission of highly classified information such as credit card details, log in credentials and social security numbers.

Those and more; the web agency of your choice has multiple strategies to help you in your goal. Getting a web agency can save you from having to worry about your website’s security from time to time. Having a highly-secure website is not an overnight process – it needs continuous effort, thorough analysis and a well-structured plan in order to prevent hackers from preying on your website.

Not only that, aside from keeping your website’s protection at its optimum level, you are sure to get a good ranking on the top search engines. A good web agency should be able to pull all the strings needed to make you and your valued website successful.

Conclusion

In a nutshell, HTTPS is superb but it also has its drawbacks. The big takeaway is that Google favours it though you also need to appreciate the fact that it takes more than just HTTPS to get better rankings on the search engine. Instead of merely relying on whether to use HTTP or HTTPS, another option that you have is to bank on the capabilities of a reputable web agency in getting your websites secure while maintaining a good ranking in Google through tried and tested techniques and applications. All you need to do is find out which web agency could serve your intentions best.

Share on Facebook0Tweet about this on TwitterShare on Google+0Pin on Pinterest0Share on LinkedIn0Share on StumbleUpon0
Author: Cameron Francis Cameron Francis is the Director of eTraffic Group. He has been engaged in all aspects of online marketing for the past 8 years. He is actively involved in SEO, Paid Search, Social Media Optimisation, and Web Design.
  • One of the common drawbacks of implementing https on websites is the cost that goes along with it. It may be too much for small businesses for buying security certificate and hiring someone to set it up. For ecommerce websites, https is necessary – not only for the reasons stated on the article but it makes your site more trustworthy.

• Social Networks •

• Our Locations •

Click To View Our Contact Details

Level 1, 530 Little Collins Street, Melbourne VIC 3000, Australia | 1300 887 151

Level 2, 50 York Street, Sydney 2000 | 1300 788 679

Level 1, The Realm, 18 National Circuit, Barton Canberra ACT 2600 Australia | 1300 765 708

Level 1, 16 McDougall Street, Milton 4064 | 1300 765 709

220 Varsity Parade, Varsity Lakes QLD Australia 4227 | 1300 887 804

Level 1, Paspalis Centrepoint, 48-50 Smith Street, Darwin NT 0800 Australia | 1300 889 815

Level 18, Central Park. 152-158 St Georges Terrace Perth, WA 6000 Australia | 1300 550 753

Level 3, 97 Pirie Street, Adelaide 5000 | 1300 669 895

Level 6 Reserve Bank Building, 111 Macquarie Street, Hobart TAS 7000, Australia | 1300 885 870

We seek to create long-term relationships
Tell us about your business goals and we will contact you