Why implement https?

https

HTTPS stands for Hyper Text Transfer Protocol Secure, the secure version of http, the protocol for communicating data between your browser and the websites you connect to. https is ordinary http carried over an encrypted TLS connection: the content of the exchange is hidden from anyone on the network path, it cannot be altered in transit without the browser noticing, and the browser can check that it is talking to the site named in the address bar.

Benefits of https

For several years now technical experts have highly recommended the use of https instead of http for the exchange of information between web browser and web server. The change is painless on the browser side, but implementing https on a server carries additional costs. Given these, why is https so strongly recommended?

Using https delivers two key benefits which underpin any others:

  • The visitor to a site can be confident that their browser is connected to the site named in the address bar. The owner of an https site must install a certificate issued by a certificate authority (CA) which has checked that they control that domain name. When the browser starts its conversation with the web server it checks that the certificate is signed by a CA it already trusts, that it has not expired and that the name in it matches the address requested. The browser does this with the list of trusted CAs it already holds; it does not need to contact the CA, although it may separately check that the certificate has not been revoked.
  • The privacy and integrity of the user’s data are protected. The traffic between server and browser is encrypted strongly enough that anyone who captures the messages will find it extremely difficult to discover what was exchanged, and any attempt to alter the messages in transit is detected and the connection dropped.

Providing visitors to your site with confidence that they are really on your site, not a carefully constructed fake, and additionally providing built-in protection for the privacy of their communications with your server enhances your reputation as a trustworthy site and good web citizen. Google recognises this: it uses https as a ranking signal in search results and is actively pushing website developers to move to the more secure protocol.

Your visitors, having established that they are communicating with your site, are also protected against attempts by others to slip content into your pages. If communication is over a network with an insecure link at any point, such as an open wifi connection, anything from unwanted adverts which steal your revenue through to links to fake or infected sites can be injected into an http delivered page without the visitor noticing. With https, injected or altered data fails the integrity check built into the encrypted connection, so the browser discards it rather than displaying it. Content from other sites then appears only where your own page loads it, and if any of those resources (scripts, stylesheets, images) are still fetched over plain http the browser flags the page as having mixed content.

Costs

Depending on your current software setup you may need to upgrade your web server operating system, web server software and your hosting arrangements, and you will also need to obtain and renew certificates for each site you host. There will also be implementation costs for reconfiguring the servers, not only to serve your site over https but also to catch users asking for http addresses and redirect them to your new https addresses. Both server and client must do extra work to encrypt and decrypt data, and setting up each encrypted connection costs extra messages across the network; on modern hardware the processing overhead is small, but it is not zero.

You will also lose the benefit of the shared caches on the network path: with http, every browser sees the same page bytes, so proxies between you and your visitors can keep copies in useful locations to reduce bandwidth and server load. An https response is encrypted for one client’s session, so an intermediate cache cannot read or reuse it. The visitor’s own browser cache still works, and a content delivery network that terminates TLS on your behalf can still cache for you, but transparent caching by third parties on the path is gone.

More reasons to implement https

As browsers develop they are adding features to warn users and protect them from unsafe content. This is leading to plain http becoming deprecated as unsafe and https being the normal standard. Adopting https will avoid the browser reporting your website as insecure and avoid at some point in the future having the browser refuse to display your content.

Version 2 of http was standardised in 2015 and is gradually replacing http/1.1, the version in common use. Browsers only speak http/2 over an encrypted connection, so its features (several requests multiplexed over one connection, header compression, server push) are available only to https sites. Again, the default unencrypted protocol is obsolescent and migrating now will ensure you can use the latest features of http/2 as they come along. Many other technologies, both software for developing web or mobile applications and platforms such as Apple’s iOS (App Transport Security) and Google’s Android (cleartext traffic restrictions), are moving to everything being encrypted by default, so https will become required for full use of these technologies.

As the owner of a business website, if you stick with http then, as more sites go to https, you will lose the referrer information for the https pages which link into your site, because by default a browser does not send the Referer header when navigating from an https page to an http one. This erodes the value of your web site analytics.

With the EU General Data Protection Regulation (GDPR) applying from 25 May 2018, data controllers who process personal data of EU citizens will have to show that they have taken appropriate technical and organisational measures to protect data subjects’ personal data. Encryption is a technical measure the GDPR names explicitly (Article 32) as an example of such a measure, and that applies both to personal data at rest on a storage device and to personal data in transit, which for a website means https.

Steps to implementation

As suggested above, the exact steps to migrating your website to https will vary greatly depending on your current setup, so you will need to investigate to establish the appropriate changes necessary to be able to support https. The following is a general description of how a web server serving https is set up which might assist you to ask the right questions when investigating whether your current platform might be already suitable.

The first thing to establish is whether your site has its own IP address. The simplest https configurations are sites which have their own IP address and their own certificate. A site can share an IP address with one or more completely different sites, but in the original design of the protocol the server had to choose and send its certificate before it knew which site the visitor wanted, so older servers could present only one certificate per IP address and that certificate had to list every name hosted there. The modern solution is the Server Name Indication (SNI) extension to TLS: the browser states the hostname at the start of the handshake, so the server can pick the certificate for that site and each site on a shared address can have its own certificate. Every current browser and web server supports SNI, but you will need to check that the version of web server software you have (and any very old client software you must support) has this capability if that is the route you wish to take. The alternative is a single certificate whose Subject Alternative Name list covers all the sites sharing the address; that is a valid certificate for each of those names, but it ties the sites to one key and one renewal.

Secondly, you will need to obtain a TLS certificate (still widely called an SSL certificate, after the protocol’s older name) from a Certificate Authority (CA). For further information and a list of some CAs see https://en.wikipedia.org/wiki/Certificate_authority. Costs vary with the type of certificate and the level of service you require from the CA: domain-validated certificates are now available free of charge from some CAs, while extended validation and commercial support cost money. Whatever the source, certificates expire and must be renewed, so plan for that from the start.

Finally, you install the certificate on your server and bind it to the site. The detailed steps depend on your web server software and are generally straightforward with the standard administration tools, but the order of events is always the same. First, generate a private key on the server; it never leaves the server and is never sent to the CA. Second, generate a Certificate Signing Request (CSR) from that key, listing every hostname the certificate must cover (www.example.com and example.com, say). Third, submit the CSR to the CA, which checks that you control those names and returns the signed certificate, usually together with an intermediate certificate that links it to the CA’s root. Fourth, install the certificate, the intermediate chain and the private key on the server and bind them to your chosen website, which is then ready to serve https. Before announcing anything, check the result from outside with an ordinary browser. The commonest installation mistakes are a private key that does not match the certificate, a missing intermediate certificate (which can pass in one browser that has fetched or cached the intermediate and fail in another) and a certificate that does not list the name visitors actually type.
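The key, CSR, certificate and installation-check cycle just described, and the certificate checks a browser performs (chain to a trusted CA, hostname match) that were outlined under Benefits, as an added example that is not part of the original article. It uses the openssl command-line tool; a throw-away local CA stands in for the real certificate authority so that the whole flow runs offline in a temporary directory. Assumptions: openssl 1.1.1 or later is installed, and www.example.com and example.com are the names the site must answer to.

```shell
#!/bin/sh
# Added example, not the article's own procedure: private key -> CSR -> certificate
# from a (toy, local) CA -> the checks to run before binding the files to the site.
# Assumed: openssl >= 1.1.1 on PATH; the site answers as www.example.com and example.com.
set -eu

WORK="$(mktemp -d)"
SITE="www.example.com"
ALT="example.com"

# Step 1: a private key, generated on the server and never sent anywhere.
# (P-256 ECDSA keys are small and fast; RSA 2048 is the other common choice.)
make_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1"
}

# Step 2: a Certificate Signing Request carrying the public key and every name the
# certificate must cover. CAs read the names from the subjectAltName extension.
make_csr() {
    cat > "$WORK/site.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = site_ext
prompt = no
[dn]
CN = $SITE
[site_ext]
subjectAltName = DNS:$SITE,DNS:$ALT
EOF
    openssl req -new -key "$WORK/site.key" -config "$WORK/site.cnf" -out "$WORK/site.csr"
}

# Step 3 (stand-in for the CA): a local root that signs the request. A real CA first
# proves that you control the names, then returns the certificate plus its
# intermediate certificate(s), which must be installed alongside your own.
issue_from_toy_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Toy Test CA (example only)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    make_key "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" -days 30 -out "$WORK/ca.crt"
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/site.cnf" -extensions site_ext \
        -out "$WORK/site.crt" 2>/dev/null
}

# Step 4: checks that catch the common installation mistakes.

# The private key on disk must belong to the certificate the CA returned.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/site.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/site.key" -pubout)" ]
}

# The certificate must chain to a root the client trusts (here: the toy CA).
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/site.crt" >/dev/null 2>&1
}

# The name the visitor types must be listed in the certificate; other names are rejected.
name_is_covered() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/site.crt" >/dev/null 2>&1
}

check() { desc=$1; shift; if "$@"; then echo "ok: $desc"; else echo "FAILED: $desc" >&2; exit 1; fi; }

make_key "$WORK/site.key"
make_csr
issue_from_toy_ca
check "private key matches certificate" key_matches_cert
check "certificate chains to trusted CA" chain_verifies
check "$SITE is covered by the certificate" name_is_covered "$SITE"
check "$ALT is covered by the certificate" name_is_covered "$ALT"
if name_is_covered "shop.example.org"; then echo "FAILED: unrelated name accepted" >&2; exit 1; fi
echo "ok: unrelated name shop.example.org rejected"
```

On a real server the `-CAfile` in the two verify checks would be the CA's published root (or the system trust store) with the returned intermediate concatenated after your own certificate, which is exactly the file most web servers expect to be told about when the certificate is bound to the site.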

There remains the necessity to check all your web pages and change every link to your own pages, and every script, stylesheet and image loaded from your own site, to https addresses: a page served over https that still loads a script or image over http is reported by the browser as mixed content, and the resource is blocked or the page marked insecure. You will also need redirection rules on your server so users who try your old http addresses are seamlessly forwarded to the https versions: a permanent (301) redirect that keeps the path and query string and is built from your canonical hostname rather than from whatever Host header the request carried. Once everything works, the server can send the Strict-Transport-Security header on https responses so that returning browsers go straight to https without the detour. In practice you will prepare the changes to your website content in advance so that a version is ready to go as soon as https is activated.
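The content check described above, as an added example that is not part of the original article: it lists the plain http:// references in a page, separates those that point at the site itself (which must be rewritten) from those that point elsewhere (where each sub-resource needs an https version or becomes mixed content), and rewrites the internal ones. The sample page is constructed for this example, and www.example.com and example.com are assumed to be the site’s own hostnames.

```shell
#!/bin/sh
# Added example, not from the article: find and rewrite the http:// references that
# must change before the https switch-over. The page below is constructed for the
# example; OWN_HOST_RE holds the assumed hostnames of the site, regex-escaped.
set -eu

WORK="$(mktemp -d)"
PAGE="$WORK/index.html"
OWN_HOST_RE='(www\.example\.com|example\.com)'

cat > "$PAGE" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://www.example.com/about">About us</a>
<a href="/contact">Contact</a>
<a href="http://partner.example.org/">Our partner</a>
<a href="http://www.example.com.evil.example/login">Not our site despite the prefix</a>
<img src="http://images.example.net/logo.png">
<img src="https://www.example.com/img/hero.jpg">
<form action="http://example.com/login" method="post"></form>
</body></html>
EOF

# Every absolute http:// reference in a file, one per line, de-duplicated.
http_refs() {
    grep -oE 'http://[^"'"'"' <>]+' "$1" | sort -u
}

# References to our own hostnames. The host must be followed by a path, query,
# fragment or the end of the URL, so http://www.example.com.evil.example/ does not count.
internal_refs() {
    http_refs "$1" | grep -E "^http://${OWN_HOST_RE}([/?#]|\$)" || true
}

# References to other sites. Sub-resources (scripts, stylesheets, images) in this
# list become mixed content once the page is served over https.
external_refs() {
    http_refs "$1" | grep -vE "^http://${OWN_HOST_RE}([/?#]|\$)" || true
}

# Rewrite internal references to https://, leaving external ones untouched. The
# delimiter after the hostname is captured and put back so only whole hostnames match.
rewrite_internal() {
    sed -E "s,http://${OWN_HOST_RE}([/?\"'#]|\$),https://\\1\\2,g" "$1"
}

count_internal() { internal_refs "$1" | wc -l | tr -d ' '; }
count_external() { external_refs "$1" | wc -l | tr -d ' '; }

echo "Internal http:// references (will be rewritten):"
internal_refs "$PAGE"
echo "External http:// references (each sub-resource needs an https version):"
external_refs "$PAGE"

rewrite_internal "$PAGE" > "$WORK/index.https.html"
echo "Internal http:// references left after rewrite: $(count_internal "$WORK/index.https.html")"
```

Run it over a copy of the site and the external list is the to-do list for mixed content: a navigation link to another site’s http page is that site’s business, but a script or image on the list has to move to an https source before the switch, because the browser will not load it otherwise.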

Robert Casalis de Pury is Information and Records Manager at the Jersey Judicial Greffe and Managing Director of UniRom Systems Limited. Email rcasalis@unirom.co.uk.