In the internet era, technology can move pretty fast. It wasn’t that long ago that everyone was raving about 4G mobile networks, and now 5G is all the rage (even though it hasn’t arrived). However, one change that has taken a long time to wash over the internet is the shift from HTTP to HTTPS — but this may be the year that HTTP finally dies off.
A decade ago, there was a great debate about the differences between HTTP and HTTPS and why they even mattered. Today, businesses have realized the benefits of adopting HTTPS for their websites and transactions.
HTTPS is a more secure technology and has become the standard way of sending web traffic, Digital Trends noted in February. Indeed, Troy Hunt, a web security specialist who often blogs about the cybersecurity vulnerabilities of popular software products and platforms (and who runs one of BizTech’s Must-Read Small Business IT blogs), wrote in January that “HTTPS adoption has now reached the moment of critical mass where it’s gathering enough momentum that it will very shortly become ‘the norm’ rather than the exception it so frequently was in the past.”
Digital Trends adds: “Last October, Mozilla recorded that more than half of its page loads were encrypted with HTTPS while many major sites, such as Twitter and Facebook, are using HTTPS by default. Another security researcher, Scott Helme, found that of the top million sites listed on Alexa, 18.4 percent are redirecting users’ browsers from HTTP to HTTPS. Granted, 18.4 percent may not seem like a huge segment but that’s more than double the percentage from August 2015.”
What Is the Difference Between HTTP and HTTPS?
Let’s take a moment to review the key differences between HTTP and HTTPS.
The Hypertext Transfer Protocol serves as an application layer protocol, which means it focuses on how information is presented to a user but is not designed around how that data gets transferred. Since it is stateless and does not remember anything from previous web sessions, HTTP sends less data, which makes it speedier. However, it is also unsecured because the data being transferred is not encrypted.
In contrast, Hypertext Transfer Protocol Secure is like HTTP, but the data is transferred in conjunction with another protocol, Secure Sockets Layer (SSL), now known as Transport Layer Security (TLS).
While HTTP and HTTPS are focused on how info is presented, SSL/TLS is concerned not with what data looks like but with encrypting the data — it produces a secure connection between web servers and web browsers.
As BizTech has noted, “People often use the terms HTTPS and SSL interchangeably, but this isn’t accurate. HTTPS is secure because it uses SSL to move data.”
Entrepreneur adds: “Without HTTPS, any data passed is insecure. This is especially important for sites where sensitive data is passed across the connection, such as ecommerce sites that accept online card payments, or login areas that require users to enter their credentials.”
How HTTPS Works – and Why It’s the New Norm
How does HTTPS work, and how has it evolved over the years? As with much of the modern web, Google has had a large impact. The company in 2014 called for “HTTPS everywhere” on the web and that year started to take into account whether websites were run on HTTPS as part of its search ranking algorithms.
The security team behind Google’s Chrome browser said in September 2016 that the browser would “start marking websites that use insecure HTTP connections to transmit passwords and credit card data as insecure, beginning in January 2017,” TechCrunch notes. “The warning will appear in the address bar of the browser and will call users’ attention to the fact that their personal information could be snooped or stolen.” As of May 2017, Chrome had 17.73 percent of the global web browser market share, according to NetMarketShare.
According to data tracked by Google, “secure web browsing through HTTPS is becoming the norm. Desktop users load more than half of the pages they view over HTTPS and spend two-thirds of their time on HTTPS pages. HTTPS is less prevalent on mobile devices, but we see an upward trend there, too.”
Why has HTTPS usage increased? One reason is that businesses and users are not seeing HTTPS affect page load times significantly. IDG News Service notes that “thanks to improvements to both server and client software over the years, the impact of TLS (Transport Layer Security) encryption is negligible at best,” and that thanks to HTTP/2, a major revision of the HTTP protocol, browsers that use HTTPS are actually faster.
Plus, it’s less costly. Many small businesses and nonprofits shied away from using HTTPS because of the cost of getting and renewing the digital certificates needed to deploy websites on the protocol, IDG notes. However, the nonprofit Let’s Encrypt, launched in 2016, offers a free, automated process for providing domain validation certificates to websites (though it has its drawbacks).
It’s also getting easier to securely move to HTTPS. IDG reports that “there are websites like Qualys SSL Labs that provide free documentation on TLS best practices, as well as testing tools to discover misconfigurations and weaknesses in existing deployments. Meanwhile, other websites provide resources on TLS performance optimizations.”
Businesses are moving to HTTPS because it makes their websites and transactions more secure, not just because Google will ding them if they do not. HTTPS protects users from malware, man-in-the-middle attacks, and even advertising that might get injected into unencrypted web traffic, IDG adds.
HTTPS also increases users’ trust in a business, and in a world in which so much commerce is done online and users check companies’ websites to validate and compare them, HTTPS in a browser bar is a seal of approval.
There are limits to its benefits. Entrepreneur notes that “HTTPS is not like a web application firewall. It’s not going to prevent your website from getting hacked. It’s not going to stop phishing emails getting sent, either.”
However, for businesses that use content management systems or websites with logins that then host any kind of sensitive data, the site notes, “setting up a secure HTTPS login is the absolute minimum precaution you should take.”