The dangers of non-secure HTTP

James Simm
Head of Engineering

Length

7 min read

Date

18 September 2017

HTTP – Hypertext Transfer Protocol – allows communication between systems. Most commonly, it is used for transferring data from a web server to a browser, to allow us to view web pages.

You’ve seen the Secure HTTPS before; a padlock icon in the address bar, or maybe an encrypted website connection – it’s displayed as a number of things. Originally it was reserved primarily for passwords and other sensitive data. The question now is: Why move to HTTPS? What’s the big deal?

Why HTTPS?

The problem is that HTTP data is not encrypted, so can be intercepted by third parties to gather data passed between the two systems. This can be addressed by using a secure version called HTTPS, where the S stands for Secure. It involves the use of an SSL (Secure Sockets Layer) certificate, which creates a secure encrypted connection between the web server and the web browser.

A tidbit of useful information for those who don’t understand the difference between HTTP and HTTPS. The S indicates that a layer of security (encryption) has been added to the page. Browsers often add a small padlock icon near the address bar to highlight this.

Without HTTPS, any data passed is insecure. This is especially important for sites where sensitive data is passed across the connection, such as eCommerce sites that accept online card payments, or login areas that require users to enter their credentials. There are currently three different kinds of HTTPS certificates.

Ok – What kind of HTTPS certificate should I get for my site?

Good question. It’s a significant question to answer before purchasing the HTTPS certificate for your website. The certificate has three different types:

Domain validation

For Domain Validation (DV), the Certificate Authority will check on the applicant to use a specific domain name. No company identity information is required. The details are not to be displayed, other than encryption information within the Secure Site Seal. However, while you’re thinking that your information is safe, you may not know who is truly handling the information at the other end.

Organisation validation

For an Organisation Validation (OV) certificate, the Certificate Authority performs a much more essential validation process. This involves checking the applicant’s business credentials and making sure that the company’s physical address matches the application, e.g. they would be checking a company registration to ensure it’s correct.

Any website protected by an OV SSL Certificate displays a small padlock and HTTPS prefix in the visitor’s browser bar. Actually, it’s not as eye-catching as the Extended Validation Certificate green bar.

Extended validation

Extended Validation (EV) is one of the highest standards of SSL Certificate available. It uses the same powerful encryption as other SSLs, but this one requires the vetting of the applicant’s business. Only those businesses that pass the process will receive an EV SSL Certificate. Anyone who sees the green address bar while on your site would immediately recognise it’s safe to use the site for browsing for products or sharing sensitive data e.g. Amazon.

Any businesses that sell products or accept payment information online should use an Extended Validation SSL Certificate.

What’s the difference between DV, OV and EV certificates?

Domain Validation (DV) Certificates are the easiest of all the certificates to obtain. There won’t be a manual check such as identity. However, there will be an automated verification that the applicant actually owns the domain. This makes DV SSL ideal for businesses needing a low-cost SSL quickly without the effort of submitting company documents. Also, it’s a perfect example to use for your personal website or blog – and is also good for your SEO!
Organisation Validation (OV) Certificates take security up a level and require human verification of the organisation’s identity.
Extended Validation (EV) Certificates would apply like OV, though there would be a verification of the business’ identity, legal status and address, not just domain verification. The process of the application may take a while to complete, but it does give users more confidence when purchasing something online.

Top reasons for moving to HTTPS?

There are many reasons, but I’ve identified three which are critical and arguably necessary.

HTTPS is actually good for the search engine

Google claims that websites who use HTTPS will have a small ranking benefit because of these security aspects. It is clear that HTTPS offers security, so it is definitely the choice to put you in Google’s good graces. Switching to HTTPS is therefore likely to increase and improve your organic search results.

A good user experience

Once users see an indication of HTTPS, it makes your site feel more secure; they will feel more protected while browsing. With so many hacking incidents making headlines these days, users want to know that your brand is making an effort to protect them and their private information being stolen or compromised.

‘Not secure’: the horror moment!

As you may have heard, in September 2016 Google announced that Chrome 56 will start displaying ‘not secure’ from January 2017 in the browser bar for any HTTP page asking users for login or credit card information. Also, in Firefox’s January 2017 blog post ‘Communicating the Dangers of Non-Secure HTTP’, Firefox encouraged web developers to move forward with websites to come with the HTTPS.

Imagine you were about to buy something online and saw that the site isn’t secure enough to protect your credit card details. Like most people, I’d likely navigate to somewhere else with a secure site under HTTPS. I encountered an interesting fact: only 3% of online shoppers have had said that they would input their credit card details on a non-secure site! Crazy isn’t it?!

Google has already started working on sites by emailing webmasters with a notification via Google Search Console that the site will need to be upgraded to HTTPS. If that’s ignored, the affected pages will be marked with a non-secure warning. Failure to comply will undoubtedly mean your site traffic volumes will suffer, as will the overall user experience and SEO quality. Below clearly with a warning message – this is an example.

As a final note…

Without doubt, HTTPS certainly has a place, and for those of you out there with websites dealing with personal information, such as eCommerce sites or blogs with membership areas, for example, HTTPS is a clear requirement.

I hope this blog post gives you a good overview to think about moving to HTTPS. Stay secure and safe, and ensure that your website is further optimised with SEO.

If you have questions or are looking to secure your website, get in touch with us today.