What is SSL and HTTPS?

In order to view a website, your computer has to send a request across the internet. The request passes through a series of other servers and computers until it reaches a web server, which processes it to find the correct website and sends that back to your computer so it can be displayed to you.

This process happens each time you visit a new page or a new site. The request is data, and HTTP is the method used to send that data across the internet to the server. This method of transmitting data is unencrypted, which means that as the request travels across the internet, all of the systems it passes through can intercept it and read the data it contains.

The public nature of these requests could become a problem if you are sending private data such as the contents of a contact form or card details associated with an online purchase.

HTTPS – Encrypting web traffic

This is where HTTPS comes in. With this method of transmitting data, the data is encrypted before it is sent across the internet.

This means that only your computer and the server the data was intended for can read the data that is being transmitted. The data still travels through various systems along the way and can be intercepted but the data means nothing without being decrypted by the intended recipient.

In order to set up a secure connection you need a few things first. To encrypt data you need some way of scrambling it, and some way of unscrambling it. To make sure that only you and the server can encrypt and decrypt the data, the first thing the two sides do is securely agree on a private “key”. No system in between can know this key, and it is different for every visitor, so the data is secure.
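One way two sides can agree on a key that no system in between learns is a Diffie-Hellman exchange, sketched here as an added example that is not part of the original article. The names `Party` and `handshake` and the toy parameters `P` and `G` are assumptions for illustration; real TLS uses vetted groups or elliptic curves.

```python
import hashlib
import secrets

# Toy public parameters (assumption for illustration): the prime 2**255 - 19
# and generator 2. Everyone, including an eavesdropper, knows these.
P = 2**255 - 19
G = 2


class Party:
    """One end of the connection (the browser or the server)."""

    def __init__(self):
        # Secret exponent: generated fresh per connection, never transmitted.
        self._secret = secrets.randbelow(P - 3) + 2
        # Public value: sent in the clear, visible to every system in between.
        self.public = pow(G, self._secret, P)

    def session_key(self, peer_public):
        # Reject degenerate values that would force a predictable shared secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid public value from peer")
        shared = pow(peer_public, self._secret, P)
        # Hash the shared number down to a 256-bit symmetric key.
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def handshake():
    """Run one exchange; return (browser_key, server_key, values_on_the_wire)."""
    browser, server = Party(), Party()
    wire = (browser.public, server.public)  # all that an eavesdropper observes
    browser_key = browser.session_key(server.public)
    server_key = server.session_key(browser.public)
    return browser_key, server_key, wire


if __name__ == "__main__":
    k1, k2, wire = handshake()
    print("both sides hold the same key:", k1 == k2)
    print("a new visit gets a new key:", handshake()[0] != k1)
```

On its own this exchange does not tell the browser who it agreed the key with, which is the job of the certificate.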

So what is SSL?

SSL is a term used to describe a certificate that identifies a server securely. The idea is that to get a certificate, various checks are done to confirm that xyz.com is actually hosted on the server that has been issued with the certificate. This provides a way for you to verify that the server you’re communicating with to visit xyz.com is real and not a fake or “man in the middle” server set up to look like the real website.

SSL stands for Secure Sockets Layer and is actually no longer used for modern certificates. Instead, TLS, or Transport Layer Security, is now used, but the term SSL has stuck and has become synonymous with website security certificates.

The benefits of a secure internet

A secure internet is actually better for everyone. Many companies, notably Google, have pushed for securing all websites and even encourage this by providing marginally better rankings for websites that use HTTPS.

If all websites were secure, it would be much harder for hackers to take advantage of insecure website connections, of websites that are secured by an SSL certificate but still transmit some data insecurely, and of various other potential threats.

Security online

Without HTTPS and SSL we would be at high risk if we did anything sensitive online. Banking online would be impossibly dangerous, shopping online wouldn’t be safe, and logging into membership websites would put login details at risk of being intercepted by nefarious parties.

By securing these types of websites, data is secured which allows us to perform higher risk activities online with a higher level of safety.

Better online experiences

The rise of secure browsing has led to lots of incredible breakthroughs for all users of the internet. It has led to the rise of services like Let’s Encrypt, a service that issues free SSL certificates automatically without the need to pay third-party fees, which have traditionally been quite high.

It has led to technologies such as location-based sharing through your browser so that the server you are on can provide local services automatically. Push notifications through a web browser are possible which means that services like Facebook and Gmail can send you new message notifications directly in your web browser.

It has even been a major part in allowing web apps to become more common and secure. Data can be stored on your local computer in a way that can allow websites to act more like local apps than a traditional website.

Overall, without HTTPS and SSL, the internet would be far less safe from prying eyes and many of the services we use without thinking would simply not be safe enough to use.

The importance of securing your web applications

We know that securing some types of data is important. Let’s look at some specific examples of why this is important and why you should consider securing your site at all times.

General browsing

In the modern world, computer systems are able to analyse incredible amounts of data. Browsing insecurely allows 3rd parties to track what you are doing online. Over time, enough data can reveal patterns that can be used to track your general browsing habits and to target users for malicious reasons.

Generally, users are going to feel safer knowing that only the intended recipient can know what they are doing. Nobody likes the thought of someone listening in on their phone calls, and it is exactly the same when browsing the web. By securing your site, you are being a responsible site owner and giving your visitors more confidence.

Forms/personal data (GDPR)

It’s one thing to have security when generally browsing websites, but when you start transmitting private or sensitive data across the internet, security becomes vital.

When a contact form, card details for an online purchase or logins are transmitted, you must provide a way to secure this information in transit. This is such an important principle that Google and other browser vendors will even flag pages with a form that can be filled in as “Not Secure” if the page isn’t sent via HTTPS.

Importantly, this has a major impact in relation to data protection laws and GDPR. You are responsible for protecting your users’ data, not just when it is stored somewhere but also when it is transmitted from their system to your own and back, and even between servers, such as when your site communicates card information to your payment gateway provider.

Dangers of mixed content

When you secure a website, everything isn’t necessarily communicated via HTTPS automatically. It is possible for your page to be sent via HTTPS but a stray image or very often a widget embedded from an insecure 3rd party to be sent insecurely via HTTP. This is called mixed content.

The danger of this is that a malicious 3rd party can take advantage of this breach in security. Luckily, most web browsers will inform you that a site isn’t secure when there is mixed content. This is often communicated in various ways such as a green padlock in the address bar for a fully secure site and grey text to inform the user of mixed content.

It is important that if you have applied an SSL certificate and are using HTTPS for your site that you resolve mixed content issues to be fully secure. If you are having mixed content errors and don’t know how to resolve them yourself, speak to a web developer for advice.

E-commerce

Without a doubt, every e-commerce site should be secured by HTTPS and SSL. These types of sites send and receive login details, browsing habits, tracking information for web analytics, personal data and sensitive credit card information between visitors and other servers.

If you don’t secure your e-commerce website, you risk your clients’ data and your reputation while also limiting the use of incredibly helpful functionality that is only available on secure websites.

Summary

Securing the internet is a major subject but we’ve discussed what the different techniques for securing your website are, how they work and what the benefits are. We’ve also discussed what could happen if you don’t secure your website.

If you would like any more information about securing your website or require any help applying any of these or other techniques for improving site security then please do contact us.