To HTTP or to HTTPS
There is no need to debate this age-old question any longer: the evidence out there definitely says you should use HTTPS on all your websites, even if they don’t handle sensitive communications. Not only is HTTPS becoming a requirement for many of the new web browsers and progressive web apps, it also provides security and data integrity for both your websites and your users’ personal information.
The Long Journey
When a user visits your website, they use a browser that sends a request to your web server. The browser software is probably safe on their side, and you (hopefully) have secured your web server. So all things look good, right? But just like in the old west, the danger the Pony Express faced was the open fields in between. That’s right, there are open fields that your website data goes across to get to the visitor’s browser, and that is where HTTPS comes in to help save the day and prevent outlaws from stealing your data. These outlaws come in many variations, like illegal hackers, and even legal companies that inject ads into pages on their journey to the browser.
All the data that travels to your visitor is a resource that can be affected: not just the HTML of your site, but also images, scripts, cookies, etc. And the journey is long with many stops: the ISPs, WiFi hotspots, even down to the user’s machine, which might have already been infected.
HTTPS for Journey Protection
First, it might be helpful to have a basic understanding of what HTTPS (HTTP over SSL or HTTP Secure) is and does. HTTPS uses the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering, like an underground tunnel. HTTPS encrypts and decrypts user requests as well as the information that is returned by the server. Basically, when your user requests information, it’s encrypted on the server end, then sent via the secure sockets layer to the user’s browser, where it is then decrypted so it can be read or processed. Using HTTPS protects against eavesdropping and man-in-the-middle attacks as your information makes the journey to the end user.
HTTPS will only Grow in Use
Before data was as abundant as it is now, it was assumed that you only needed to use HTTPS for e-commerce or sensitive communications. But, as technology has progressed, many user requests that aren’t protected with HTTPS can potentially reveal information about the users, such as their health condition (through reading unprotected health information sites), their behaviors, and even their personal identification information. To encourage more sites, even information sites, to use HTTPS, Google has now started prioritizing HTTPS URLs over regular HTTP ones, even if they don’t have links pointed to them.
User permissions are going to be an essential part of new types of applications and APIs on the web. Requiring explicit permission from the user before executing is where HTTPS comes into play. Even older APIs are being updated to require permission to execute, such as social media APIs and GeoLocation APIs.
Converting to HTTPS
It is better to convert your websites now rather than later. There are various ways to convert your site to use HTTPS, depending on the platform that you are using for your website. For instance, if you are using a content management system to run your website, such as Joomla!, WordPress, or Drupal, you will be able to simply change this setting in the configuration. If you want to secure your entire server, there are methods to do so, such as mod_rewrite in httpd.conf on Apache or the default.asp file on IIS. You can also control individual sections on servers with .htaccess files on Apache or web.config files on IIS.
Please be aware that you will first need to install a Security Certificate (SSL) on your server; otherwise the browser will give your visitors a warning message that the site is running on a secure protocol but hasn’t been verified through a third party with a certificate. There are many options out there for SSL certificates.
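Once a site has been converted, the images, scripts and cookies mentioned earlier need the same protection as the HTML itself. The following is an added example, not part of the original article: it scans a page served over HTTPS for resources that would still be requested over plain HTTP, and lists cookies set without the Secure attribute. The function names, URLs and sample data are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a resource for the page.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",),
}

class InsecureResourceFinder(HTMLParser):
    """Collects (tag, url) pairs the browser would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            if not value:
                continue
            # Resolve relative and scheme-relative URLs against the page URL.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, absolute))

def find_insecure_resources(page_url, html):
    finder = InsecureResourceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

def cookies_missing_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        name_value, *attributes = header.split(";")
        if "secure" not in {a.strip().lower() for a in attributes}:
            missing.append(name_value.split("=", 1)[0].strip())
    return missing

# Constructed sample input (not from a real site).
SAMPLE_URL = "https://www.example.com/blog/"
SAMPLE_HTML = """<img src="http://cdn.example.com/logo.png">
<img src="/images/photo.jpg"><script src="//static.example.com/app.js"></script>
<link rel="stylesheet" href="http://www.example.com/site.css">"""
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/; Secure"]
```

On the sample page, the relative and scheme-relative URLs inherit HTTPS from the page, so only the two hard-coded http:// references and the session cookie are reported.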