Web security: Why your site should be using HTTPS
HTTPS is the secure version of HTTP. The S stands for ‘Secure’. It not only means that the data sent between your website and browser is encrypted, it means a safe future for the web for everyone.
What is HTTPS?
Imagine sitting in a café with your bank statement on the table, and trying to have a conversation on the phone with your bank manager. With lots of prying eyes and ears around, it’s possible some of your private information may be seen or heard by other people. Wouldn’t you rather sit in a private room to make that call? HTTPS acts like that secure room to protect your personal information.
HTTPS (Hypertext Transfer Protocol Secure) uses TLS (previously SSL, and in fact often still referred to as SSL) certificates to establish a uniquely secure connection between a user’s browser and a website, safeguarding all data sent back and forth between the two from any attackers. It protects the identity of users, protects the integrity of your site so data cannot be modified, and ensures confidentiality, meaning hackers cannot read your data.
HTTPS is displayed before the URL in your address bar alongside a little padlock. When an Extended Validation (EV SSL) Certificate is installed on a website, the address bar will turn green. This is a higher class of SSL, used by many high profile websites requiring an additional level of security, such as banks.
What are the benefits of HTTPS?
Data sent over standard HTTP connections is in ‘plain text’ rather than being encrypted. This means it can be read by hackers if they can break into the connection between the browser and your website. If the data contains credit card details or passwords, hackers can use this information to commit fraud and steal money.
By using an HTTPS connection:
– Sensitive customer information, including credit card details, usernames, private messages, medical documents etc., is encrypted and cannot be intercepted
– Customers are more likely to trust and complete purchases from sites that use HTTPS
My website doesn’t handle security sensitive content, why do I need HTTPS?
Even if your website doesn’t handle transactions or login details, it can still be subjected to misuse by intruders: both malicious attackers and legitimate companies, such as ISPs or Wi-Fi providers, who may inject ads onto your site. These can trick users into downloading and installing malware on their computers, or simply upset the user experience of your site, for which you, as the site owner, will be held responsible.
Features and capabilities
HTTPS is now a requirement for many powerful features such as geolocation and push notifications, with further capabilities being withdrawn from non-secure HTTP sites by various browsers as time goes on. In addition, the next version of HTTP, HTTP/2, is now supported by many browsers including Chrome and Firefox, but only over HTTPS. So if you want to use HTTP/2 (which offers performance optimisation), you have to use HTTPS.
Google is leading the way in its drive to secure the web, with its own browser Chrome often being the first to restrict the functionality available to non-secure HTTP sites. From January 2017, Chrome will go one step further and start marking all HTTP pages that collect passwords and credit card information as non-secure. Ultimately Chrome plans to label all HTTP pages as non-secure.
Source: https://interactive.red/blog/2016/11/web-security-why-your-site-should-be-using-https/