Getting Secure with HTTPS

Google is trying to make the internet more secure by encouraging website owners to deploy security certificates in order to secure communication between your browser and their website, with the upcoming version of the Chrome browser marking any website with no or misconfigured security as not secure.

SSL, TLS & HTTPS

If you’re old enough, you’ll remember having to type in the HTTP:// before website addresses. If you’re not old enough to remember that, you may still be aware of the HTTP bit you see in the address bar before a website address.

HTTP stands for Hypertext Transfer Protocol. It was introduced to the World Wide Web back in 1991 as a protocol for sending messages between clients and servers. Your computer (or tablet or phone) is the client; the server is the computer holding the website. Typically it is now used when you type in a web address: your browser sends a message to the server holding the web page asking for a copy to be downloaded, and the server responds by sending the page you were after.

However, HTTP on its own does not encrypt the information being sent, so in 1995 SSL came onto the scene as a means of securing the connection. To identify websites that used the secure means of transfer, S for Secure was added to the end of HTTP, which is why you now see HTTPS://

SSL (Secure Sockets Layer) went through 3 versions as various vulnerabilities were found in the way it worked, and then in 1999 was replaced by TLS (Transport Layer Security), which itself has now matured into version 1.2 (with 1.3 on the way).

But you don’t need to worry about the technicalities, because all of this happens in the background. Your browser (Chrome, Firefox, Edge etc) and the server where the website is sitting take care of the security and encryption, trying to make sure that when you view a website over HTTPS, you and you alone are able to see what’s going on.

Certificates

In order to work, HTTPS requires the server/website to have a certificate that identifies the website being protected and contains the encryption keys used to secure part of the transfer of information. You can read more about how the information is encrypted on the links below.

Padlocks

When you visit a website that has a valid security certificate, you’ll see some identification of it in your web browser. Typically a portion of the bar will turn green or a green padlock icon will be shown. It might even show the name of the website in the green area next to the padlock icon.

A yellow exclamation mark or a red stop icon and bar can indicate either no certificate or an invalid certificate. You should be very wary of websites that don’t have correct security information set, as it means the information you send to them may not be secure.

Securing your website

If you have a website or blog, you’ll want to make sure your site is not penalised by the browsers and search engines.

With the majority of internet browsing done via Google Chrome and Google Search being the de facto search engine, Google have a massive influence on how websites are found and displayed.

Google are beginning to identify and warn users of invalid or non-existent security on websites. This includes reducing their SEO ranking (how high up the search results they appear) and adding icons and notifications to the address bar, including having the words ‘Not Secure’ added to websites that are not HTTPS valid.

Read more about Google’s Plans here

Free v Paid Certificates

So it’s in your interest to get a valid certificate in place on your website.

It’s very unlikely that your website server is not able to serve HTTPS (TLS) connections, and if it can’t, then it’s really time to move to a more modern setup.

Your decision should now be: paid or free certificate?

Free

It’s not quite the no-brainer that it sounds like. If you’ve just got a blog, and you’re not doing any commerce through your website or processing any particularly sensitive personal information, then free is the obvious way to go, and there are quite a few options around.

Start off with your website host provider, as they might be able to offer free certificates on your website. If they don’t, look at companies like Let’s Encrypt, Comodo and SSL For Free, as they provide free web certificates for small non-commerce websites and blogs.

Paid For

If you are using commerce on your website or are collecting sensitive information, or you want to build a stronger level of encryption or have a need for certain types of certificate, or maybe you just want your company name in the green part of the address bar, you’ll need a subscription certificate.

These start at around £120 per year, but there are offers and deals, including resales, that can bring that down. Again, there are many options on where you buy yours from; GlobalSign, Comodo and SSLStore are good places to start.

No Certificate

Ultimately this is not going to be a choice. A website without a certificate is going to be penalised more and more until it becomes totally unattractive to any audience. And with the availability of free certificates, there is really no reason not to have one.
