March 29th 2018

WTF IS HTTPS?

by Rich Milner

Bit of a boring subject this, isn’t it? You probably already know what HTTPS is and what an SSL certificate is. But there's a chance you don't know exactly what they do and why you need them. In all honesty, I’ve always known that websites needed an SSL certificate before we launched them, but for a long time I didn’t know why, or that there are a number of options available. So I thought I’d give you a fluff-free guide to what they do, why they do it and what options you have for getting your website upgraded to HTTPS. And I’m going to do all this without boring the pants off you.

WTF does HTTP stand for?

HYPER TEXT TRANSFER PROTOCOL.

Easy. Next question:

WTF does HTTPS stand for?

SECURE HYPER TEXT TRANSFER PROTOCOL.

WTF is Hyper Text Transfer Protocol?

Well, basically it’s the internet. HTTP is the primary technology protocol that allows the web to work. It enables browsing and linking. It’s the backbone of the internet. This technology is used to communicate between servers and web users, allowing you to bounce around your favourite websites, constantly scroll through your Facebook feed and find that audiobook on overcoming your fear of public speaking. Without HTTP the web would not work.

We’ve established that HTTP is pretty much what the internet is. But why do we need to be surfing on HTTPS? Well, it's the secure bit that ensures the communications between your web browser and the website you’re browsing are encrypted. The ‘Secure’ in HTTPS comes from the use of a Secure Sockets Layer (SSL) as a sublayer under the regular HTTP application layering. This ensures that user page requests are encrypted, as well as the pages that are being returned by the server. This removes the possibility of some cyber-thieving-bastard in Russia accessing the details of your transaction and taking your credit card details.

Surfing websites that have HTTPS is a great way of making sure you’re on secure websites, but the effectiveness can be limited by poor integration. Additionally, although HTTPS secures data by encrypting it between the browser and the server, once it’s decrypted at its destination, it is only as secure as the person or organisation you’re sending your information to.

According to digital security expert Gene Spafford, that level of security can be compared to “using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box.”

For this reason there are multiple layers of SSL that can be used to make browsing the internet secure:

The encryption levels for these certificates are the same, but the vetting and verification process needed to obtain them is more strict with each.

Domain verification

This is the lowest level and is a standard for all websites. It informs users that you as an organisation own the URL that they’re browsing on. The validation that goes into setting up this level of certificate is quite minimal. You could simply ask me via email if I own the domain and I could simply reply saying ‘Yes, I do indeed.’ Hence this is not actually a very good layer of security.

Organization validated certificate

This certificate checks the right of the applicant to use a specific domain name, plus it vets the organisation. Additional information is then displayed for the user, giving clearer visibility of who is behind the domain.

Extended validation

This is a relatively new level of security that goes a couple of steps further to ensure the user knows they’re on a secure website. It ensures the following:

  • Organisation is legally registered and active
  • Address and phone number of the organisation are verified
  • The organisation has exclusive right to use the domain specified in the EV Certificate
  • Person ordering the certificate has been authorised by the organisation
  • Organisation is not on any government blacklists

It also displays a green box around the organisation's name to inform the user that the domain is secure.

We now recommend that all our clients move onto an Extended Validation certificate as standard, to ensure visitors can trust they’re on a platform that's been vetted by the Certificate Authority and that a trusted company will be handling any sensitive data.
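
To see which of the three levels a certificate was issued at, look at what its subject says about the organisation. The sketch below is an added example, not part of the original article: it takes certificates in the dict shape returned by Python's ssl.SSLSocket.getpeercert() and guesses the level from the subject fields. The three sample certificates are constructed, and the field-based rule is a heuristic.

```python
# Heuristic: guess DV / OV / EV from a certificate's subject fields.
# The authoritative marker is the CA/Browser Forum policy OID inside the
# certificate (DV 2.23.140.1.2.1, OV 2.23.140.1.2.2, EV 2.23.140.1.1),
# which getpeercert() does not expose, so the subject is used instead.

EV_ONLY_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only control of the domain was checked
    if EV_ONLY_FIELDS <= fields.keys():
        return "EV"   # legal registration details are present
    return "OV"       # organisation vetted, no extended checks

def describe(cert):
    fields = subject_fields(cert)
    who = fields.get("organizationName", "no organisation named")
    return f"{fields.get('commonName', '?')}: {validation_level(cert)} ({who})"

# Constructed sample certificates (not taken from any real site).
DV_CERT = {"subject": ((("commonName", "blog.example"),),)}
OV_CERT = {"subject": ((("countryName", "GB"),),
                       (("localityName", "Leeds"),),
                       (("organizationName", "Example Ltd"),),
                       (("commonName", "www.example.org"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "GB"),),
                       (("serialNumber", "00000000"),),
                       (("countryName", "GB"),),
                       (("organizationName", "Example Bank plc"),),
                       (("commonName", "secure.example.com"),))}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(cert))
```
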

Google Chrome update

As of October 2017, Google upped the ante on security. Websites that continue to stick purely with the HTTP protocol will be marked by Chrome as insecure websites and users will have to go through warning messages to view the intended page. This update goes for all websites, so it’s not just those handling credit cards or passwords.

Chrome will continue to add additional barriers to websites that do not use a secure protocol. Warnings will soon be added to form fields on sites that aren’t seen as secured. It goes without saying, this is a HUGE barrier to on-site conversion, yet a staggering number of brands and online-centric businesses are still ignoring this.
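
A site owner can find the forms that will attract these warnings before visitors do. The following is an added example, not from the original article: it parses a page's HTML and reports forms that submit over plain HTTP, plus sensitive-looking fields on pages that are themselves served over HTTP. The sample pages are constructed, and the list of "sensitive" field types and name hints is an assumption of this sketch, not Chrome's own rule.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_HINTS = ("card", "cc-", "cvv", "cvc")   # matched in name/autocomplete

class FormAudit(HTMLParser):
    """Collect (issue, detail) findings for the forms on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.in_form = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form = True
            # A missing or empty action submits back to the page URL itself.
            target = urljoin(self.page_url, a.get("action", ""))
            if urlsplit(target).scheme != "https":
                self.findings.append(("insecure-submit", target))
        elif tag == "input" and self.in_form and not self.page_is_https:
            hints = (a.get("name", "") + " " + a.get("autocomplete", "")).lower()
            if a.get("type", "text").lower() in SENSITIVE_TYPES or any(
                    h in hints for h in SENSITIVE_HINTS):
                self.findings.append(("sensitive-field-on-http", a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit(page_url, html):
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages (not taken from any real site).
HTTP_LOGIN = '<form action="/login"><input name="pw" type="password"></form>'
HTTPS_BAD_POST = ('<form action="http://pay.example/charge">'
                  '<input name="card_number"></form>')
HTTPS_OK = '<form action="/subscribe"><input name="email" type="email"></form>'
```

The second sample is the "poor integration" case: the page itself is on HTTPS, but the form still sends its data to an HTTP address.
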

Conclusion

If you own a website, ask your agency to install an Extended Validation SSL certificate on your server. Your on-site conversion will most definitely be taking a kicking - even if your site merely uses a top-line lead-gen form.

When you’re browsing the internet, don't trust any sites that don’t show a green padlock in the URL field. It really is as simple as that.