HTTP vs. HTTPS has become a big debate. Most people already understand HTTP but aren’t quite familiar with HTTPS. This article looks at the two in detail with specific emphasis on the benefits and drawbacks of HTTPS as compared to HTTP.
Hypertext Transfer Protocol (HTTP) is used to transfer data over the web. It defines commands and services used for transmitting web page data.
Hypertext Transfer Protocol Secure (HTTPS) is simply the secure version of HTTP. Essentially, all communications between a user and an HTTPS web page are encrypted.
There are several benefits of HTTPS over HTTP. Of course, these benefits don’t mean that you should jump on the bandwagon right away. As you will discover later on, there are also several areas where HTTP outperforms HTTPS.
That said, here are the four main benefits of HTTPS:
The government likes to monitor certain activities on the Internet. But it’s understandable because most of the time, they do so to protect us.
However, ISPs have also developed a habit of tracking people for no good reason. If you don’t want the government, your ISP, or anyone else to track your browsing activities, HTTPS can help. HTTPS encrypts data as it is transferred, ensuring that eavesdroppers can’t snoop on your activities.
This is another great benefit of HTTPS. HTTPS fundamentally means a more secure web. Websites are checked to ensure that they comply with certain criteria, and only those that are proven to be genuine are granted certificates. This is certainly beneficial in the current world, where scam sites are commonplace.
The Domain Name System (DNS) is pervasive. We use it millions of times every day without even knowing it exists because we believe it is as reliable as you can find. Yet, just like all technology, the DNS has its own flaws.
There are many types of threats posed by the DNS. An excellent example is what tech guys call “typosquatting.” This is the practice of registering a domain name that is confusingly similar to an existing popular brand. Recent research shows that this practice can present a profound risk to the confidentiality of corporate secrets and must be treated as a security problem. In fact, there are quite a lot of organised criminals that use typosquatting to steal valued information.
Definitely, this is a type of risk that can be minimised using HTTPS.
Realistically, if everyone started using HTTPS today, the web would become a much safer place just because the security standards would be raised instantly. The web, as it currently is, cannot be said to be safe. Today, if an attacker can compromise your account with a chosen domain registrar, they gain control of your domain name. They can thereafter point the domain name to a server of their choice, including email servers, web servers, name servers, etc. Or they can choose to transfer your domain name to an “offshore” registrar, making recovery of the domain name a very complex process.
These are things that have happened in the past. For instance, several years ago, Facebook used to serve their login page over HTTP. Then, one time, a government in the Middle East injected JavaScript into the page and stole millions of user passwords right from the login form. Interestingly, the passwords had been sent to Facebook over HTTPS. But then, the login page was running on HTTP, which left it very exposed. If everyone would just see the importance of using HTTPS, such cyber crimes would be prevented immediately.
In theory, HTTPS, which uses SSL to ensure security over the Internet, could be seen as a big winner. Yet, in practice, HTTPS is a big mess. This doesn’t mean that HTTPS and SSL are worthless. After all, a compromised HTTPS connection can only be as insecure as an HTTP connection.
However, HTTPS has several issues that must first be addressed if it is to be adopted on a larger scale.
Your browser ships with a list of certificate authorities, and it only trusts certificates issued by these authorities. For instance, if you visited HTTPS://companyx.com, the web server at companyx.com would present an SSL certificate that your browser has to check to ensure that it was issued for companyx.com by a trusted certificate authority. If the certificate came from an UNTRUSTED certificate authority, your browser would then issue some sort of warning.
The problem is that with so many certificate authorities, a problem with one authority can quickly spread and affect other people. For instance, you may obtain an SSL certificate for your domain from provider A but at the same time, someone else can trick provider B into providing them with a certificate for your domain too!
Another major problem with certificate authorities is that some of them have proven to be untrustworthy. Some fail to do any due diligence when issuing certificates, which can leave you badly exposed. For instance, how do you explain an incident where a certificate authority provides a certificate for an address such as “localhost” when localhost has inherently been used to represent the local computer?
In 2011, it was discovered that several legitimate certificate authorities issued SSL certificates to more than 2,000 “localhost” addresses. If certificate authorities are making such simple mistakes, you’re left to wonder what other mistakes they are capable of making.
Currently, there are thousands of certificate authorities all around the world. These authorities are allowed to offer a certificate to any website. This leaves a glaring loophole for governments to exploit. For instance, if a government wants to impersonate a certain group or person, they may simply walk up to a certificate company and compel it to issue an SSL certificate for that site.
Such a scenario was witnessed in 2013, when Google discovered that some rogue certificates for Google.com had been issued by ANSSI, a French certificate authority. These certificates would have allowed anyone to impersonate Google’s website, which would have led to unforeseen cyber attacks.
The way HTTPS works, it may seem like one can just log into their bank account over Wi-Fi assuming that the connection is safe. DO NOT TRY IT. Although HTTPS connections are secure and even help you verify that you’re indeed connected to your bank, man-in-the-middle attacks are still possible.
Some off-the-shelf solutions just can’t be trusted because the developers of these solutions can insert malicious hotspots into them, which may make it easy to tap critical information. For example, a Wi-Fi hotspot might connect to the bank on your behalf, sitting in the middle and doing everything for you. It can also redirect you to an HTTP page and connect to the bank via HTTPS on your behalf.
An internationalised domain name (IDN) homograph attack is a complex kind of attack that deceives computer users. In these attacks, a “homograph-similar HTTPS address” can be used to hoodwink users and redirect them to scam sites. It uses special Unicode characters to replace the letters in addresses such that the “b” in “bank” could mean a completely different thing.
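One way a defender can flag such look-alike addresses, shown as an added example that is not part of the original article: it checks each non-ASCII label of a host name for mixed scripts and for imitation of a protected name. The confusables map, the `protected` watchlist and the host names used with it are constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small map of Cyrillic and Greek letters that render
# like Latin ones; a production check would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}


def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold look-alike letters to the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def check_hostname(hostname, protected):
    """Return (wire_form, issue) pairs for labels that look deceptive."""
    findings = []
    for label in hostname.split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot hide Unicode look-alikes
        wire = label.encode("idna").decode("ascii")  # xn-- form sent in DNS and TLS
        if len(scripts(label)) > 1:
            findings.append((wire, "mixed-script"))
        # A label written entirely in one foreign script passes the test above,
        # so also compare its folded form against names worth protecting.
        if skeleton(label) in protected:
            findings.append((wire, "imitates:" + skeleton(label)))
    return findings
```

For `check_hostname("b\u0430nk.example", {"bank"})` both checks fire, while an all-Cyrillic label such as `"\u0435\u0445\u0440\u043e"` is caught only by the watchlist comparison.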
Google hardly reveals exactly how it ranks websites. So, when optimising your site for the search engine, you should just listen to what Google says and try to do as they advise. Currently, they are encouraging mobile-friendly design. To stay on the safe side, this is what you should be working hard to accomplish.
A while back, the company also announced that it would start rewarding HTTPS sites! This came as a big surprise because when Google says they are rewarding you then it means you’ll be getting a better ranking which is something we would all want.
With that in mind, here are a few SEO benefits of HTTPS:
Currently, when traffic passes from a secure (HTTPS) site to a non-secure (HTTP) site, all the referral data get stripped off. If you check your analytics report, you’ll find the traffic marked as “Direct.” This is a huge problem because you may not be able to tell where the “Direct” traffic is actually coming from.
On the other hand, when traffic passes from an HTTP site to an HTTPS site, the secure referral information is preserved!
As already mentioned, Google has promised to favour HTTPS sites. So, for two identical websites, if everything else were kept constant, an HTTPS site would rank higher than an HTTP site.
However, just as with other metrics, HTTPS alone cannot impact a site’s ranking significantly. It may play a part, yes, but not enough to cause a massive impact.
HTTPS improves security in many ways. For instance, an HTTPS connection assures the user that he is connected to the right website. Also, because HTTPS prevents third parties from tampering with websites, it helps eliminate man-in-the-middle attacks. Moreover, HTTPS encrypts all communications, protecting things like browsing history and credit card information in the process.
Put together, these security features, even on their own, can be a big attraction to consumers. If two sites were offering the same items at the same price, then a consumer might choose a secure (HTTPS) site over a non-secure (HTTP) site just for the peace of mind.
A few years back, HTTPS was rare and expensive which explains why very few people used it. However, the tables have turned and HTTPS can now be easily obtained. You can pick up your SSL certificate for only a few dollars and even grab a wildcard SSL certificate for a small fee.
However, you don’t need to hurry in making the switch. The reason is simple: if you use Google as your primary search engine, you should be aware that any major change can usually cause a serious impact, short term or long term. It could range from an impact as small as a drop of one or two places for one or two days to a more lasting impact, such as a drop of several places that may take months to recover. So, take your time; don’t rush.
Instead of worrying about whether to go for HTTP or HTTPS, engaging a reputable web agency can help you optimise your website security and get rid of the hassles brought about by hackers right from the very start. Having a web agency do the work for you means that you’re not only protecting your website or business from intruders, but you’re also securing your reputation, as these hackers could use your site for illegal purposes.
A web agency’s work is not just to offer tips on how to prevent your website from being hacked, as their main purpose is to make sure that your website
Those and more; the web agency of your choice has multiple strategies to help you in your goal. Getting a web agency can save you from having to worry about your website’s security from time to time. Having a highly-secure website is not an overnight process – it needs continuous effort, thorough analysis and a well-structured plan in order to prevent hackers from preying on your website.
Not only that, aside from keeping your website’s protection at its optimum level, you are sure to get a good ranking on the top search engines. A good web agency should be able to pull all the strings needed to make you and your valued website successful.
In a nutshell, HTTPS is superb but it also has its drawbacks. The big takeaway is that Google favours it though you also need to appreciate the fact that it takes more than just HTTPS to get better rankings on the search engine. Instead of merely relying on whether to use HTTP or HTTPS, another option that you have is to bank on the capabilities of a reputable web agency in getting your websites secure while maintaining a good ranking in Google through tried and tested techniques and applications. All you need to do is find out which web agency could serve your intentions best.