HTTPS and SSL

What is https and how does it work?

HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between your computer and a website. For example, when you enter data into a form on a site in order to subscribe to updates or to purchase a product, HTTPS protects the personal information between you and the site.

HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’.

Web browsers such as IE, Safari, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.

Data sent using HTTPS typically use one of two secure protocols to encrypt communications – SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

HTTPS provides three key layers of protection:

1. Encryption—encrypting the exchanged data to keep it secure from eavesdroppers. That means that while you are browsing a website the data isn’t being transmitted in plain-text format – nobody can “listen” to your conversations, track your activities across multiple pages, or steal your information.

2. Data integrity—data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.

3. Authentication—proves that you are communicating with the intended website. It protects against ‘man-in-the-middle’ attacks and means you can trust the site you are visiting.

What are SSL and SSL Certificates?

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details.

When you request an HTTPS connection to a webpage, the website will initially send its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then initiate the ‘SSL handshake’. The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website. A secure connection is indicated by the S at the end of HTTPS and the padlock symbol.
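The client side of that exchange can be reproduced with Python's standard `ssl` module. This is an added example, not part of the original article: it builds a context that enforces the authentication step and summarizes what a certificate binds together. The function names and every value in `SAMPLE_CERT` are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by SSLSocket.getpeercert();
# every value is made up for illustration.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.example.com")),
}

def client_context():
    """Context that enforces authentication: trusted chain plus hostname match."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0 and early TLS
    return ctx

def _field(rdns, key):
    """Return the first value of `key` in a subject/issuer tuple, or None."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def summarize_cert(cert, now):
    """Pull out what the certificate binds together and how long it stays valid."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "organization": _field(cert.get("subject", ()), "organizationName"),
        "common_name": _field(cert.get("subject", ()), "commonName"),
        "dns_names": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "issuer": _field(cert.get("issuer", ()), "organizationName"),
        "days_left": (expires - now).days,
    }

def inspect_site(host, port=443):
    """Perform a real handshake; raises ssl.SSLCertVerificationError on a bad cert."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with client_context().wrap_socket(raw, server_hostname=host) as tls:
            now = datetime.now(timezone.utc)
            return tls.version(), tls.cipher()[0], summarize_cert(tls.getpeercert(), now)

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, datetime(2015, 12, 1, tzinfo=timezone.utc)))
```

`inspect_site` needs network access and a site you operate or are allowed to test; the sample summary runs offline.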

The major benefits of an HTTPS certificate are:

  • Customer information, like credit card numbers, is encrypted and cannot be intercepted
  • Visitors can verify you are a registered business and that you own the domain
  • Customers are more likely to trust and complete purchases from sites that use HTTPS

SSL providers

  • the most popular providers (expensive and used by big companies, e.g. Amazon or PayPal): VeriSign or GeoTrust
  • other quality providers: AlphaSSL, RapidSSL, GoDaddy, ComodoSSL, GlobalSign, Symantec, DigiCert, Trustwave…
  • your ISP can most likely provide an SSL certificate

Latest news about the importance of SSL certification

Over the past year (2014/15) or so, Google has begun a campaign to increase the security on the Web. The company promised to declare HTTP sites appearing in Chrome as non-secure in a multi-step process over the next few years. It has also started encouraging the use of HTTPS through its search engine.

Mozilla also announced recently that it is going to start a process for deprecating non-secure HTTP features in Firefox while building new features that can work only with secure HTTPS connections.

In 2014 Google announced it will give sites using encryption a higher rank in its search algorithms. Particularly, it singled out HTTPS, which it characterizes as “industry-leading security”.

Source: Google Search Console, “Secure your site with HTTPS”; Instant SSL by Comodo, “What is HTTPS”.