HTTPS with icon

While browsing the internet, you may have seen two URL prefixes, "HTTP" and "HTTPS". The common understanding is that websites whose addresses start with "HTTPS" are more secure and protected, but what makes the additional "s" so special?

Although the difference between HTTP and HTTPS may not seem like much, the security impact of the underlying mechanism is considerable. Understanding the meaning behind "https" can dramatically decrease the risk of being tricked by scam websites and of online information theft.

In this article, we will look at the key security differences between website URLs that start with HTTP and HTTPS, and learn how to check the associated server certificate in the browser.

What is HTTP

HTTP is a technology invented in the years 1989 to 1991 to communicate with the World Wide Web (www). HTTP stands for "HyperText Transfer Protocol", which indicates that browsing websites, including images and videos, works by sending and receiving text data according to a defined communication rule. Browsing a website is performed by the server and the user's browser exchanging data using a communication protocol called HTTP.

The term communication protocol may sound difficult and confusing at first. Think of it as a program procedure that downloads tiny pieces of image and HTML data while building a framed view to display on your device.

There are tons of different devices that connect to the internet, such as desktop computers, tablets, and smartphones. Furthermore, many operating systems run on these devices, including Windows, Mac, Linux, Android, and more.

If all these computers had to communicate with the internet each in their own technological way, things would get complicated and inefficient. Therefore, by defining a common communication protocol called HTTP, we can use the technology across platforms and minimize cost and effort for all technologies.

What is HTTPS

The additional "s", as you may guess, stands for "Secure". Security is added to HTTP by encryption technology, which encrypts and decrypts internet data at each end of the communication.

Another full form of HTTPS is "HTTP over SSL/TLS", where SSL and TLS stand for Secure Sockets Layer and Transport Layer Security. Both are commonly known as encryption communication protocols that protect network data from being extracted by third parties.

TLS encryption has become mainstream, but because SSL was so widely used over the years, many people mistakenly believe that SSL is still used during HTTPS communication.

Difference between HTTP and HTTPS

The core difference between HTTP and HTTPS boils down to whether the connection is encrypted. Servers that support HTTPS communication send website data encrypted over the public network to make sure the data does not get scanned, extracted, or modified during the exchange.

Most browsers try to keep users aware of their browsing security status by displaying an indicator next to the URL box. For example, the Chrome browser shows a green lock icon for HTTPS pages and displays the "Not secure" message for HTTP pages.

Google has been one of the leading organizations pushing the use of HTTPS to increase overall web security.

Google referral graph https vs http

Why is HTTP not secure?

The HTTP connection is generally not secure. As the internet becomes more ubiquitous in our daily lives, the risk of information fraud and network interception due to unencrypted communication has become commonplace.

Hacking procedures and tools can be found with quick online research, which makes cyber crimes such as phishing scams and man-in-the-middle (MITM) attacks performable without special skills.

Also, the popularity of wireless LANs has made it easier for attackers to conduct MITM attacks over the local network. Public Wi-Fi endpoints are also used to extract sensitive information from people who connect to them.

An encrypted connection using HTTPS is the solution for protecting ourselves against online fraud and data exposure.

Importance of Server Certificate

For a web server to support HTTPS, it must first obtain a server certificate issued by a certificate authority (CA) with high reliability. In short, the server certificate is an electronic certificate that contains the signature data of the issuer, the website owner, and the encryption key used for securing the communication.

Unfortunately, not all HTTPS is equally secure. Some websites are considered less secure even though HTTPS appears in the URL.

The reliability of HTTPS is reflected by the server certificate. A server certificate can be expired, invalid, or unofficial. Most browsers are designed to catch these irregularities and inform the user with an error message.

Invalid certificate error screen

If you experience a security error caused by an issue related to the certificate, keep in mind that the website may be unreliable or possibly a scam.

How to check the server certificate details?

Even if a website claims security with HTTPS, there is no protection if the website itself is a fraud. This is because a server certificate can be issued to anyone with the right resources and tools.

Many incidents have been reported of fraudulent websites with fake certificates, designed by hackers to steal private information and hijack communication to send malware.

Types of Server Certificate

There are three types of server certificate: Domain Validation, Organization Validation, and Extended Validation.

| Type | Reliability | Description |
| --- | --- | --- |
| Domain Validated (DV SSL) | Medium | The certificate authenticates ownership of the domain. |
| Organization Validated (OV SSL) | High | The certificate authenticates ownership of the domain and the organization's legal rights. |
| Extended Validated (EV SSL) | Extremely High | The certificate authenticates ownership of the domain, the organization's legal rights, and operation legitimacy, and confirms approval of the signer. |

These certificate types can be used as a good guide for measuring the reliability of website security.

Steps to Check Server Certificate Details

We will walk through the steps to check the server certificate details. Let's see how we can access the certificate details using the safeintech.com website.

Click the lock icon next to the URL box.

Check certificate detail step 1

A dialog will display showing the basic security information such as secure status, number of cookies, and validity of the certificate. Click the Certificate link.

Check certificate detail step 2

Certificate general information will display. This is where the certificate issuer and expiration date can be checked. Click the Details tab at the top.

Check certificate detail step 3

All certificate details can be viewed on this screen. The Subject row containing the website address indicates that the certificate is a Domain Validated type.

Check certificate detail step 4
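
The same details can be read outside the browser. The Python code below is an added example, not part of the original article: it reads the subject, issuer, and validity dates from a certificate in the form Python's `ssl` module returns and applies the Subject-row check from step 4. The sample certificates and the `shop.example` names are constructed, and telling DV, OV, and EV apart from subject fields alone is a heuristic assumed here.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Return the peer certificate after the default chain and hostname checks pass."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _flatten(name):
    # getpeercert() gives names as a tuple of RDNs, each a tuple of (key, value) pairs.
    return {key: value for rdn in name for key, value in rdn}

def summarize_cert(cert, now=None):
    """Report the fields the browser's certificate dialog shows."""
    now = time.time() if now is None else now
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # Heuristic (assumption): a DV subject names only the domain, OV adds the
    # organization, EV also carries registration fields such as businessCategory.
    if "organizationName" not in subject:
        kind = "DV"
    elif "businessCategory" in subject or "serialNumber" in subject:
        kind = "EV"
    else:
        kind = "OV"
    return {
        "type": kind,
        "subject_cn": subject.get("commonName"),
        "issuer": issuer.get("organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "valid_now": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }

# Constructed samples in the shape getpeercert() returns (not real certificates).
SAMPLE_DV = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Apr 14 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}
SAMPLE_OV = dict(SAMPLE_DV, subject=((("organizationName", "Example Shop Ltd"),),
                                     (("commonName", "shop.example"),)))
```

For a live site, pass the result of `fetch_cert("your-host")` to `summarize_cert`; the connection itself fails with `ssl.SSLCertVerificationError` when the certificate is expired, untrusted, or issued for a different hostname.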

HTTPS Status Affects Search Ranking

HTTP has been around since the early 90s, and because of the computational limits of the time, being lightweight was critical when hosting a website. Back then, encrypted communication using SSL placed a heavy burden on the server's CPU, so most websites preferred light and simple HTTP communication to let users browse their pages smoothly.

In August 2014, Google announced that it would start incorporating HTTPS availability into its ranking signal. This means Google decided to give search engine optimization (SEO) benefits to websites with HTTPS by raising their search result ranking.

Reference: Google - HTTPS as a ranking signal

The new HTTPS era using Let's Encrypt

Today, Google is expecting every website to support HTTPS to maximize security.

However, the technical effort and maintenance cost of managing a server that supports HTTPS was still very high, especially for personal and small business websites.

This is where Let's Encrypt comes in, a non-profit service that acts as a TLS certificate authority for free! By associating website domains with Let's Encrypt, site owners can instantly adopt HTTPS support with minimum effort.

There are hundreds of hosting services that support Let's Encrypt to provide HTTPS security to their clients. It is also possible to adopt Let's Encrypt for personal projects through common programming platforms, such as React, Angular and Vue.

Reference: Let's Encrypt

Summary

We have reviewed the difference between HTTP and HTTPS, the benefits of HTTPS, and how to check the certificate details. HTTPS can bring strong protection to data communication over public networks by using encryption technology.

While some fraud sites may fake HTTPS security, a modern browser can detect some kinds of certificate invalidity. It is also good practice to learn how to see the details of the server certificate through your browser.

If you are thinking about adopting HTTPS for your website, make sure you implement it for security, reliability, SEO improvement, and many other benefits.