HTTP VS HTTPS – 17 SSL CERTIFICATE PLUSES
HTTP VS HTTPS – 17 SSL CERTIFICATE PLUSES
Today I will talk about HTTP vs HTTPS – 17 SSL Certificate Pluses.
When the computer web browser was first invented, it was soon recognized that security additions were needed for online banking, eCommerce, paying your taxes, and so much more.
In 1994 HTTPS, HTTP over TLS (Transport Layer Security), began to be adopted by an ever-increasing security-sensitive web.
Why is the topic of HTTPS important to every website owner?
In late 2018 of the top 1M visited websites in the USA, only 55.1% were using HTTPS. That means 450,000 of the top 1,000,000 websites don’t care enough about their visitors to protect their data with encryption.
Check this link to the BuiltWith site for the latest numbers.
What is HTTP to HTTPS Migration and SSL Certificates?
HTTP: Hypertext Transfer Protocol – Http Vs Https
The acronym HTTP stands for “Hypertext Transfer Protocol.” It defines how computers communicate over a computer network. Data is transmitted between any two systems using “plain text.” The phrase “plain text” means that the text is human readable when transmitted between two computers. So anyone with a wifi connection and some simple software can intercept and read (steal) your information.
HTTPS: Hypertext Transfer Protocol Secure – Http Vs Https
The acronym stands for “Hypertext Transfer Protocol Secure.” HTTPS is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. Data is transmitted between any two systems using “encrypted text.” The phrase “encrypted text” means that the text is all jumbled up into a non-human readable form when being transmitted.
Having an HTTPS connection means that anyone with a simple wifi connection and some simple software can intercept your transmission. But they will not be able to read (steal) your information. All they see is a bunch of jumbled-up characters that in no way resembles human-readable language.
In technical terms, HTTPS uses TCP port 443 by default, whereas HTTP uses port 80. So, HTTP and HTTPS are two separate communication paths.
In layperson terms, HTTPS is all about Web Security in your web browser. HTTPS encrypts the transmission of data between your browser and another website.
A site that displays HTTPS does NOT result in any way guarantee that the other website you are sharing data with is not a hacker or website that could steal your data.
HTTPS makes it very difficult for anyone else to see your data while sending it to the other website. Websites using HTTPS should stop most data theft by what is called “man in the middle” attacks. HTTPS is an essential part of your website security.
Visually, HTTPS is that little “Lock” that is present (or missing if the only HTTP) immediately in front of the URL in the web browser search window. The “lock” indicates that the website has an SSL Certificate associated with it. SSL stands for “Secure Socket Layer.”
SSL Certificate: Secure Socket Layer Certificate – Http Vs Https
The acronym SSL Certificate stands for “Secure Socket Layer” Certificate (Link). Having an SSL Certificate signifies that your site supports the HTTPS protocol. Several certified companies issue the certificate. The certificate authority we use for many of our clients is Let’s Encrypt.
The acronym SSL is the outdated name for TLS (Transport Layer Security). TLS was created by a standards body in 1999 to solve many of the issues with SSL. However, the name SSL “stuck” and is still the common name used today.
SSL certificates are issued to websites by a trusted third party referred to as a ‘Certificate Authority’ (CA). The SSL Certificates are available in Three Validation Levels and Four Certificate Types:
- Certificate Validation Levels
- Extended Validation Certificates
- Organization Validated Certificates
- Domain Validated Certificates
- Types of Certificates
- Single Domain Certificates
- Wildcard SSL Certificate
- Multi-Domain SSL Certificate (MDC)
- Unified Communications Certificate (UCC)
Let’s quickly review each level and each type and their use.
Certificate Validation Levels – Http Vs Https
Extended Validation Certificates (EV)
EV certificates provide the highest levels of security, trust, and customer conversion for online businesses. One is issued an EV certificate only after the issuing CA has conducted rigorous background checks on the company according to the guidelines laid out by the Certificate Authority/Browser (CA/B) Forum. Because of this, EV certificates contain a unique differentiator designed to communicate the trustworthiness of the website to its visitors.
A visitor will see the address bar turn green and/or a green padlock in major browsers. Supported browsers include Internet Explorer, Firefox, and Chrome on a website that uses an EV certificate.
EV certificates exist for all major online retailers and banks. Businesses use EV certificates to build customer trust in their site immediately.
If you think your site has an SSL Certificate and should be showing a green padlock, try the free tool WhyNoPadLock.com. WhyNoPadlock will help you see if it can identify the issue.
Let’s Encrypt has no plans to issue EV SSL Certificates.
Organization Validated Certificates (OV)
OV Certificates include complete business and company validation from a certificate authority using their established and accepted manual vetting processes. OV certificates conform to the X.509 RFC standards meaning the OV certificate contains the complete company name and address details.
An OV SSL Certificates provides higher levels of assurance to end-users than Domain Validated (DV) Certificates.
OV SSL Certificates are not valid to the CA/B forum standards. They do not possess the ability to turn the browser address bar green.
Let’s Encrypt has no plans to issue OV SSL Certificates.
Domain Validated Certificates (DV)
DV certificates provide the same high levels of data encryption as the other validation levels. Still, they do not assure the identity of the business behind the website that an EV or OV SSL Certificate.
DV certs are issued after domain control has been established using an automated, online process.
Because DV SSL Certificates are not validated to the CA/B forum standards, they do not possess the ability to turn the browser address bar green.
DV certs are a popular choice amongst small-medium-sized sites because of their faster issuance times and lower price points.
Let’s Encrypt certificates that we use for our clients are standard Domain Validation (DV) Certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
Certificate Types – Http Vs Https
Single Domain Certificates
A single domain certificate allows a customer to secure one Fully Qualified Domain Name (FQDN) on a single certificate. For example, a certificate purchased for www.IdeaToGrowth.com will enable customers to secure any pages on www.IdeaToGrowth.com/.
Single domain certificates are available in DV, OV, and EV certificate validation levels. The single domain certificate is ideal for small to medium-sized businesses managing a limited number of websites. However, companies that operate multiple websites will benefit from the added flexibility offered by wildcard or multi-domain certificates.
Let’s Encrypt offers Single Domain SSL Certificates. Certificates are valid for 90 days. You can read about why this is their policy here.
Wildcard SSL Certificate
A Wildcard certificate allows businesses to secure a single domain and unlimited subdomains of that domain. For example, a wildcard certificate for ‘*.IdeaToGrowth.com’ could also be used to secure ‘payments.IdeaToGrowth.com,’ ‘login.IdeaToGrowth.com.
The wildcard certificate will automatically secure any sub-domains that a business adds going forward. A wildcard SSL certificate also helps simplify management processes by reducing the number of certificates needing to be tracked. Wildcard certificates provide a flexible, cost-effective option to purchase and manage multiple single certificates for growing online businesses.
Let’s Encrypt offers Wildcard SSL Certificates. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for technical details.
Multi-Domain SSL Certificate (MDC):
Multi-Domain certificates allow website owners to secure multiple, distinct domains on a single certificate. For example, a single MDC can be used to secure domain-name-1.com, domain-name-2.com, domain-name-1.org, and so on. An MDC SSL Certificate allows one to secure up to 100 different domains (or wildcard domains) on a single certificate.
This simplifies SSL management as administrators need only track a single certificate with a single expiry date for all domains instead of keeping track of multiple single domain certificates. In addition, MDC has a cost-saving over the price of single-domain certificates.
Let’s Encrypt Certificates supports Multiple Domain Names (MDC).
Unified Communications Certificate (UCC)
Unified Communications Certificates are designed explicitly for Microsoft® Exchange and Office Communications server environments. UCC’s use the Subject Alternative Name (SAN) field to allow customers to include up to 100 domains on a single certificate. This eliminates the necessity for different IP addresses per website that would be otherwise be required. UCC’s also support the Microsoft Exchange Autodiscover service. This is a powerful feature that reduces client administration. As with MDC’s, a single UCC significantly reduces SSL management while realizing cost savings over individual SSL site purchases.
Let’s Encrypt offers UCC / SAN SSL Certificates.
HTTP vs HTTPS – How Do I Know if My Website is HTTPS (has an SSL Certificate)?
If an SSL Certificate has secured your website or a website that you visit, the browser URL will look similar to this image below:
ssl-secure
SSL-secure
Each browser displays SSL Certification slightly differently, and the visualizations are changing (2018 / 2019). Consult your browser for their standards. An excellent site to check for how your browser displays SSL Certification (HTTPS Compliance) is a well-known site like Amazon or Google.com.
At the time of this writing, the lock image was GRAY colored and appeared in front of the text: https://www.amazon.com on the Chrome browser.
Now the lock image was GRAY colored and appeared in front of the text: www.amazon.com on the Safari browser.
At the time of this writing, the lock image was GREEN colored and appeared in front of the text: https://www.amazon.com on the Firefox browser.
So, there are some visual differences you should be aware of.
Now contrast the above with a website that is not safe because it DOES NOT have an SSL Certificate, as shown below:
ssl-not-secure
SSL-not-secure
If you saw the words “Not Secure” when you went to a website, how long would you hang around? Just long enough to click the back arrow on your browser for most people.
Why Should I do an HTTP to HTTPS Migration?
Protect Your Brand – Http Vs Https
Your company brand is everything to the growth and survival of your company. Think back to when Target was hacked for the first time back in 2013. Their brand was in the mainstream media initially every day and still is used as an example of poor website security. They settled with customers for $18M in 2017, which started another negative news cycle.
The actual dollar cost to Target was likely in the hundreds of millions of dollars due to lost customers and sales. Although this attack was not believed to be an SSL Certificate related attack, this example shows the downside of not having a secure website.
Do you want to be a smaller version of the Target poor website security story?
Protect Your Users’ Privacy – HTTP vs HTTPS
Users expect no demand for privacy when they visit a website. Website users are slowly educating themselves on the warning flags to look for when they see a website.
While a user can not see if you have all of the many other things that you need to do to have a secure website, users can easily see if you have an HTTPS SSL Certified website by looking for the little lock next to your URL.
More and more web visitors become aware of the importance of seeing “the little lock” in front of any domain’s URL. The presence or absence will be what forms their first level of confidence in your website.
Sites that lack “the little lock” in front of their domain URL will likely quickly die. In mid-2018, as many as 78% of all websites worldwide were using SSL Certificates and displaying HTTPS Compliance.
Do you want to be part of the dying 22% of websites that are not HTTPS compliant?
Google Demanding Sites be HTTPS – Http Vs Https
Throughout 2016 and 2017, rumors have floated over Google’s formal position on forcing the move to HTTPS encryption.
In 2017, Google began formally warning website owners that non-HTTPS sites would receive consumer visual messaging that identified such a site as non-secure. Sites that remain on the non-secure HTTP protocol will be visually marked with a warning in the URL bar of the surfer’s browser.
The “NOT SECURE” visual mark image was built into release 68 of Chrome, which appeared in July 2018. Other browser manufacturers are implementing similar visual non-compliance signatures in front of the non-compliant URL name.
They put the word “WARNING,” “INSECURE,” or “NOT SECURE” in front of your domain URL. Other browsers are expected to follow their lead in 2018 and 2019.
Website owners who have a warning image in front of their domain URL have seen their traffic drop over 90% in a browser.
The Chrome browser has over 60% Market Share worldwide.
I would call that sort of action by Google and other browser manufacturers to be a demand to change to HTTPS.
SSL is required for PCI Compliance – Http Vs Https
Do you have an eCommerce website? In other words, do you sell stuff via your website? To accept credit card information on your website, you must pass specific audits. The audits show that you comply with the Payment Card Industry (PCI) standards.
The very first requirement states, “PCI requires adequate encryption of credit cardholder information while being transmitted.” The only way to meet this requirement is properly using an SSL Certificate to encrypt your data.
HTTPS Speeds Page Open Speed – Http Vs Https
In the early days of HTTPS and SSL Certificates, browsers and the various domain authorities were not well optimized. As a result, you will find many posts about HTTPS and SSL Certificates causing web pages to load slower. By 2015 this was no longer the case. Many tests have shown that HTTPS SSL Certified sites now open faster than HTTP sites.
Good for SEO (Search Engine Rankings) – Http Vs Https
I talked earlier about how Google is marking HTTP sites with a warning moniker. You can bet that whacks a site’s SEO rankings! Google uses HTTPS as a key ranking signal.
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three essential layers of protection:
Encryption: Encrypting the exchanged data to keep it secure from man-in-the-middle attacks
Data Integrity: Data cannot be modified or corrupted during transfer without being detected by the protocol
Authentication: Proves that the users communicate with the website they intended to communicate
Google states that websites that use HTTPS will have a small ranking benefit because of these security points.
HTTPS sites will carry less weight in ranking signals than other signals, such as high‐quality content.
SSL is required for AMP – Http Vs Https
AMP stands for Accelerated Mobile Pages. AMP is the technology that makes mobile pages load almost instantaneously. When you google on your mobile device to an AMP-enabled web page, the results have a lightning bolt icon next to the URL.
Slow opening websites already cripple most phones due to poor cellular internet connections. AMP technology is how Google intends to make sites that enable AMP to open as fast as possible.
Protection Against Hackers – Http Vs Https
Using an SSL Certificate to be HTTPS Compliant is a critical first step in securing your website against hackers.
Since HTTPS encrypts the communication between your browser and another website, the man-in-the-middle attacks of stealing a user’s data are essentially eliminated.
Here is a typical example of a man-in-the-middle attack. A hacker who sits in your local coffee shop and steals your username and passwords. This typically can only happen when you use your browser to go to an HTTP site.
Google is Indexing Mobile Access – Http Vs Https
In 2017 Google started indexing mobile. This means that Google “algorithms will primarily use the mobile version of a site’s content to rank pages from that site.”
For a mobile site to be indexable, Google requires several best practices. One of which is to “Start by migrating your website to HTTPS.”
HTTP 2 – Http Vs Https
HTTP/2 is a revision of the HTTP protocol. It attempts to resolve the shortcomings of HTTP/1.1.
HTTP/2 benefits include:
Server Push: The web server can send resources in advance anticipation of the client request, avoiding delays.
Multiplexing and Concurrency: Multiple requests can be sent back-to-back on the same TCP connection. Responses can be received out of order.
Header Compression: HTTP header size is drastically reduced, speeding page open times.
Stream Dependencies: The client can set resource priorities for the server.
The company KeyCDN has a Free HTTP/2 Testing Tool you can use to check whether your server supports HTTP/2.
Service Worker & Powerful Features – Http Vs Https
A service worker is a software script (code) that your browser runs in the background. It is separate from a web page, opening the door to features that don’t need a web page or user interaction.
Today, they already include features like push notifications and background sync are two such service worker examples.
Because a service worker can run code independently, service workers can only run on HTTPS protocol sites.
Protect Your Revenue (From Proxies) – Http Vs Https
Proxy hacking (proxy hijacking) is an attack technique designed to replace an authentic Web page with a web page provided by a hacker. An attacker uses proxy hacking to redirect users requesting the targeted web page to a malicious or fraudulent website. It is easy to turn a site that is not HTTPS Compliant and protected with an SSL Certificate to a hacker site.
Most site owners find out their site is under a proxy attack when they start getting a flood of emails. These emails ask why they’ve been charged a higher amount for a product they bought from what they thought was your website! They are demanding their money back. Yet you have no idea what they are talking about because you may not even sell the product they are asking about or any product at all!
Suddenly your site reputation is destroyed. Plus, you may find yourself paying lawyers to defend you against something you didn’t even do.
Better Analytics: HTTPS Referrers – Http Vs Https
By the end of 2016, Federal agencies were required to make all federal websites accessible through a secure, HTTPS-only connection. Many don’t know that the switch to HTTPS improves your ability to track which sites direct web traffic to your website!
The reason for this improved tracking is straightforward. When a visitor travels from an HTTPS site to an HTTP site via a button or link, the referrer tag information is removed. Google Analytics reports the traffic as “direct,” so you do not know how the visitor arrived. But, a trip from an HTTPS site to another HTTPS site DOES BRING the referral data, so you know which URL provided the traffic. DigitalGov also has a great article on how URL Shorteners do the same thing.
iOS 9+ API and Android 5+ API – App Compatibility – Http Vs Https
At the Apple Developer Conference in 2015, Apple announced that starting with iOS 9, they will require all connections to use SSL (HTTPS) connections. In the documentation, they state:
“App Transport Security (ATS) enforces best practices in the secure connections between an app and its backend. ATS prevents accidental disclosure, provides confident default behavior, and is easy to adopt. It is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forwarding secrecy. If you try to make a connection that doesn’t follow this requirement, an error is thrown. If your app needs to request an insecure domain, you have to specify this domain in your app’s Info. plist file.”
Google put a similar requirement on the Android Mobile Operating System starting back in 2015 with Android M.
Bottom line – If your site is still running as a non-HTTPS site, you are late to the party.
Mixed Content Warning – Http Vs Https
An HTTPS page is not allowed to load an (insecure) HTTP resource. A web page that attempts to do so will fail with a “Mixed Content Warning” message. When older websites begin to switch to HTTPS, they often find that many of the third-party components do not support HTTPS.
This forces the website owner into a somewhat challenging decision. They need to either stay on HTTP or remove the third-party software in question.
While some websites have historically opted to stay on HTTP, this is no longer a viable business decision. Does your third-party software provider does not support HTTPS? It is time to either find a competing solution or remove the software.
Future Proofing – Http Vs Https
The future of the web lies with every increasing performance and security. HTTPS, HTTP/2, and future protocols will keep building on the protection that has started with HTTPS and SSL Certificates.
New web features such as progressive web apps, taking pictures, geolocation, recording audio all require permission from the user. HTTPS is a critical component to the permission workflows for these features and new ones yet to be imagined.
If you are one of the many website owners that have not upgraded your website to HTTPS with an SSL Certificate, please do so now. You may be only a lawsuit away from having your business wiped out financially because you wanted to save a few dollars today.
HTTPS SSL Certificates are Inexpensive – But Not Easy to Install Yourself – Http Vs Https
SSL certificates vary in price depending on the level of security required. But services like Let’s Encrypt provide free essential SSL certificates.Installing an SSL certificate is part of the process you need to make your site HTTPS.
Sadly, installing an SSL certificate isn’t particularly easy. We strongly recommend you ask a competent web developer to do the installation for you. The reason for this recommendation is that there are many steps required are most are pretty technical. Check out this article featuring a 29-step HTTP to HTTPS Process. If you have some experience, you will quickly recognize that this is a relatively high-level description of many of the steps. This means that many details are missing, that without those details, a layperson is likely to fail to implement the process.
You can also check out Google’s support documentation about HTTPS. Google’s documentation is even higher level and lacking most details.
Our IdeaToGrowth.com clients have access to a discounted HTTPS upgrade service. Contact us for details.
We cannot offer this service to sites that are not on our hosting service as the SSL Certificate installation process can be significantly more difficult on other hosting platforms. However, perhaps our hosting service is exemplary for you — check out the details and sign up here.
Conclusion – HTTP vs HTTPS Migration
I hope you now understand the fundamental reasons to migrate your website from HTTP to HTTPS today! I also hope you better understand the significant downside risks of NOT migrating. While we have a very competitive service for handling this migration, no matter who you choose to do it – do it now. Further delay only puts your business at risk.
100% FREE GOOGLE PAGE RANK ANALYSIS
I want to prove my value to “Helping You Grow Your Business Stronger!” by offering a 100% free Google SEO pagerank analysis. Could you share your homepage URL (domain name) and the email to which I should send your 100% free report? Within a day or two, I’ll point out the top items on your business website that cost you customers.
QUESTIONS?
If you’re ready for an F2F Zoom chat or want to ask a quick question by email, click the appropriate link below.
Regards,
Kenneth Ervin Young, CEO
Idea To Growth LLC
Digital Marketing and Website Agency