Jun 21 2017

HTTP vs. HTTPS: Why It’s Time to Convert — and How to Do It

The debate between HTTP vs HTTPS continues! Here’s what you need to know.

In the internet era, technology can move pretty fast. It wasn’t that long ago that everyone was raving about 4G mobile networks, and now 5G is all the rage (even though it hasn’t arrived). However, one change that has taken a long time to wash over the internet is the shift from HTTP to HTTPS — but this may be the year that HTTP finally dies off.

A decade ago, there was a great debate about the differences between HTTP and HTTPS and why they even mattered. Today, businesses have realized the benefits of adopting HTTPS for their websites and transactions.

HTTPS is a more secure technology and has become the standard way of sending web traffic, Digital Trends notes. Indeed, Troy Hunt, a web security specialist who often blogs about the cybersecurity vulnerabilities of popular software products and platforms, writes that “HTTPS adoption has now reached the moment of critical mass where it’s gathering enough momentum that it will very shortly become ‘the norm’ rather than the exception it so frequently was in the past.”

Digital Trends adds: “Last October, Mozilla recorded that more than half of its page loads were encrypted with HTTPS while many major sites, such as Twitter and Facebook, are using HTTPS by default. Another security researcher, Scott Helme, found that of the top million sites listed on Alexa, 18.4 percent are redirecting users’ browsers from HTTP to HTTPS. Granted, 18.4 percent may not seem like a huge segment but that’s more than double the percentage from August 2015.”

SIGN UP: Get more news from the BizTech newsletter in your inbox every two weeks!

HTTP vs. HTTPS: What’s the Difference

Let’s take a moment to break down what you need to know about HTTP vs. HTTPS.

The Hypertext Transfer Protocol serves as an application layer protocol, which means it focuses on how information is a presented to a user but is not designed around how that data gets transferred. Since it is stateless and does not remember anything from previous web sessions, HTTP sends less data, which makes it speedier. However, it is also unsecured because the data being transferred is not encrypted.

In contrast, Hypertext Transfer Protocol Secure is like HTTP, but the data is transferred in conjunction with another protocol, Secure Sockets Layer, now known as Transport Layer Security.While HTTP and HTTPS are focused on how info is presented, SSL/TLS is not concerned with what data looks like, but rather on encrypting the data — it produces a secure connection between web servers and web browsers.

As BizTech notes, “People often use the terms HTTPS and SSL interchangeably, but this isn’t accurate. HTTPS is secure because it uses SSL to move data.”

Entrepreneur adds: “Without HTTPS, any data passed is insecure. This is especially important for sites where sensitive data is passed across the connection, such as ecommerce sites that accept online card payments, or login areas that require users to enter their credentials.”

HTTP vs. HTTPS: What’s Better for Search Algorithms?

As with much of the modern web, Google has had a large impact. The company in 2014 called for “HTTPS everywhere” on the web, and that year started to take into account whether websites were run on HTTPS as part of its search algorithms.

The security team behind Google’s Chrome browser said in September 2016 that the browser would “start marking websites that use insecure HTTP connections to transmit passwords and credit card data as insecure, beginning in January 2017,” TechCrunch notes. “The warning will appear in the address bar of the browser and will call users’ attention to the fact that their personal information could be snooped or stolen.” As of May 2017, Chrome had 17.73 percent of the global web browser market share, according to NetMarketShare.

Per a new rule rolled out in July 2018, with the release of Chrome 68, Google will begin marking all non-HTTPS sites “not secure” to all visitors, the company announced in a February blog post.

In the post, Google encouraged all developers to make the move to HTTPS, noting that “Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.”

Microsoft has also made secure browsing a centerpiece of its Edge browser for Windows 10.

These changes shouldn’t be difficult for developers because, according to data tracked by Google, secure web browsing through HTTPS is becoming the norm. Desktop users load more than half of the pages they view over HTTPS and spend two-thirds of their time on HTTPS pages. HTTPS is less prevalent on mobile devices, but we see an upward trend there, too.

HTTP vs. HTTPS: What’s Better for Web Performance?

Why has HTTPS usage increased? One reason is that businesses and users are not seeing HTTPS affect page load times significantly. IDG News Service notes that “thanks to improvements to both server and client software over the years, the impact of TLS (Transport Layer Security) encryption is negligible at best,” and that thanks to HTTP/2, a major revision of the HTTP protocol, browsers that use HTTPS are actually faster.

Plus, it’s less costly. Many small businesses and nonprofits shied away from using HTTPS because of the cost of getting and renewing the digital certificates needed to deploy websites on the protocol, IDG notes. However, the nonprofit Let’s Encrypt offers a free, automated process for providing domain validation certificates to websites — though it has its drawbacks.

How to Convert from HTTP to HTTPS

It’s also getting easier to securely move to HTTPS. IDG reports that “there are websites like Qualys SSL Labs that provide free documentation on TLS best practices, as well as testing tools to discover misconfigurations and weaknesses in existing deployments. Meanwhile, other websites provide resources on TLS performance optimizations.”

Businesses are moving to HTTPS because it makes their websites and transactions more secure, not just because Google will ding them if they do not. HTTPS protects users from malware, “maninthemiddle” attacks and even advertising that might get injected into unencrypted web traffic, IDG adds.

HTTPS also increases users’ trust in a business, and in a world where so much commerce is done online and users check companies’ websites to validate and compare them, HTTPS in a browser bar is a seal of approval.

There are limits to its benefits. Entrepreneur notes that “HTTPS is not like a web application firewall. It’s not going to prevent your website from getting hacked. It’s not going to stop phishing emails getting sent, either.”

However, for businesses that use content management systems or websites with logins that then host any kind of sensitive data, the site notes, “setting up a secure HTTPS login is the absolute minimum precaution you should take.”

Marc Bruxelle/ThinkStock

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.