Almost every website is using HTTPS now. If it's not, Google flags it with a nasty looking "not secure" symbol in the left corner. There are a bunch of reasons why most websites are using the HTTPS protocol and that's what we're going to talk about.
Difference between HTTP and HTTPS
Let's start with the difference between HTTP and HTTPS. HTTP is the hypertext transfer protocol and HTTPS is the hypertext transfer protocol secure. With regular HTTP requests, it's relatively easy to intercept internet traffic. That's how people on public Wi-Fi networks can see your information.
HTTPS fixes that. Instead of sending the raw request, the data gets encrypted. That's where the SSL certificates come in. The certificate has the public key for the server the website is on. That public key is shared with the users and that's how the secure connection is made.
Even if someone intercepts the traffic, they won't be able to get anything useful out of it without knowing the server's private key. HTTPS actually slightly slows down a website because the user and the server have to exchange those keys using the certificates before any real data is transferred. And just for those of you who might care, HTTP uses port 80 while HTTPS uses 443.
Why security is important
It seems like a minor difference for there to be so much fuss over it but all that fuss is worth it. Keeping data secure online is a growing issue. People keep finding new ways to hack things and they'll keep doing that. At least when you use the HTTPS protocol you make it extraordinarily difficult for them to figure out what your data holds.
HTTPS encryption shows them jumbled letters, numbers, and characters that mean nothing without knowing the decryption key. Technically somebody could still figure out a way to read that data but they would have to work harder than it's probably worth. HTTPS is a quick and pretty easy way to make sure the data on your website gets transferred securely.
This way your users' credit cards, email addresses, usernames, and passwords are safer. It also helps with SEO (search engine optimization) if that's a big concern for you. Plus it gives people confidence when they use your website because they know their information is safe. Think about it like this: would you still feel as comfortable ordering from Amazon if there was a message in the corner saying "not secure" with a red x on it? (Maybe you would, but you know what I mean.)
How you can upgrade to HTTPS
Updating your website to use HTTPS isn't hard if you know a little about the server you're using. You could go to a website like https://certbot.eff.org and get the code you need for the command line. Or you can make the file changes yourself.
If you're using a hosting package and it has something like cPanel it should be super easy to update to the HTTPS protocol. Most of them have some kind of automatic functionality that will make the updates for you. Learn about your server if you need to do this update and you'll be able to find the specifics from there.
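Once the certificate is installed, two things are worth checking: that the certificate is not about to expire, and that plain HTTP on port 80 actually sends visitors to HTTPS. The following is an added example, not code from the original post; the host name, the 14-day warning threshold, the same-host redirect rule and the sample values are assumptions made for illustration.

```python
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample data (not from a real site), in the shape getpeercert() returns.
SAMPLE_CERT = {"notAfter": "Jun 15 12:00:00 2030 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 05 12:00:00 2030 GMT")

def cert_days_left(cert, now=None):
    """Whole days until the certificate's notAfter date."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def redirects_to_https(status, location, host):
    """True if a port-80 response sends visitors to https:// on the same host."""
    target = urlsplit(location)
    return (status in (301, 302, 307, 308)
            and target.scheme == "https"
            and (target.hostname or "") == host.lower())

def audit(host, cert, status, location, now=None, warn_days=14):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    days = cert_days_left(cert, now)
    if days < 0:
        findings.append("certificate expired")
    elif days < warn_days:
        findings.append(f"certificate expires in {days} days")
    if not redirects_to_https(status, location, host):
        findings.append("port 80 does not redirect to HTTPS")
    return findings

def fetch_live(host, timeout=5):
    """Collect the real inputs for audit(); needs network access."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return cert, resp.status, resp.getheader("Location", "")
    finally:
        conn.close()

if __name__ == "__main__":
    print(audit("example.com", SAMPLE_CERT, 301, "https://example.com/", SAMPLE_NOW))
```

For a real site, pass the values returned by `fetch_live("your-domain")` to `audit()`. A redirect to a different host name (for example a `www.` variant) is reported as a finding, so relax that rule if your site does this on purpose.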
HTTPS is powerful considering how much data it protects every day. It doesn't hurt to know a few network things as a web developer. That extra knowledge really helps when you have a problem you haven't seen before. At the bare minimum it does give you another place to look for bugs.
As a warning, always back up your website before you do this kind of update. Sometimes weird things happen and they could corrupt all of your files or a few key ones. Just spend the time making a backup first.
Hey! You should follow me on Twitter because reasons: https://twitter.com/FlippedCoding
Top comments (8)
One downside that people keep on overlooking: HTTPS everywhere makes for a bad experience for caching proxy servers, which are absolutely necessary for folks with limited Internet access in various parts of the world. Obviously you do want to provide HTTPS everywhere you can, but unless the site is handling user logins or private data, at least provide the option of still accessing via HTTP.
Obviously HTTPS should be the preferred transport, but not everything needs it to be mandatory.
One thing worth noting, if you use a service like CloudFlare, they will provide you an SSL certificate.
I use Let's Encrypt in a lot of places, but my personal site uses the CloudFlare certificate. It's very straightforward and only requires some DNS changes.
That sounds logical, but it's not what happens in real world conditions - try httpvshttps.com/ for a demonstration. There's a good write-up of this on Troy Hunt's blog.
LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:
DevTo
[+] dev.to/dineshrathee12/letsencrypt-...
GitHub
[+] github.com/dineshrathee12/Let-s-En...
LetsEncryptCommunity
[+] community.letsencrypt.org/t/letsen...
I believe Netlify also provides a free https which is incredibly handy.
Excellent article Milecia. For additional reading check out my articles as well. I did a couple a while back comparing the speed between HTTP and HTTPS + HTTP/2.
Hello!
Thank you for the information. I talked about your article in a LinkedIn post here:
linkedin.com/feed/update/urn:li:ac...
Thanks for sharing Islam!