Ever since there have been websites, there has been HyperText Transfer Protocol or HTTP. However, in 1994, HTTPS was introduced, which included additional security for websites and website users. Ever since then, there has been talk about the importance of switching from HTTP to HTTPS. While at first, this question was critical for specific business areas (for example, payment services), today it applies to an increasing number of websites. This is due to the tightening of network security requirements, which we will discuss in detail today. Also in this article, we show you how to make the transition from HTTP to HTTPS, including all of the procedural nuances.
What is HTTP and HTTPS?
HTTP is a protocol for transferring data on the Internet between a web resource and a server. With its help, user requests (via a browser) are transmitted to the server, and the server generates responses, which it returns to the browser. This is a basic set of rules for data transfer.
HTTPS (Hypertext Transfer Protocol Secure) is essentially the same protocol with an important addition. HTTPS has an extension, named SSL (Secure Sockets Layer). This certificate ensures the safety of data transmission in the network.
How Does HTTP and HTTPS Work?
HTTP provides unencrypted data exchange, which can lead to information being intercepted by a third party. So, for example, billing information entered on an HTTP website can be intercepted by attackers during its transfer to the server.
What does HTTPS stand for? This protocol allows you to transfer information in an encrypted form to prevent data from being read.
The Main Difference Between HTTP and HTTPS
The main difference between the protocols is that with HTTPS, there is an SSL certificate.
An SSL certificate is a data protection technology that works through encryption keys. It is placed between the browser and the server. Why are sites with HTTPS safe? Information that is transmitted from a user (pages, logins, passwords, card numbers) is encrypted and cannot be read by outsiders. Each new visit to the HTTPS website forms a secure connection between the browser and the server.
What is the importance of HTTPS?
The most important factors for using HTTPS:
- HTTPS connection protects the user’s personal data, increasing his security on the network. This protection has a positive impact on customer loyalty and fosters trust.
- In May 2018, the EU General Data Protection Regulation came into force. It regulates the collection and processing of user data within the European Union. One of the basic principles of the regulation is the confidentiality and integrity of user data sent to a website. This means that a website that provides services to EU citizens must comply with enhanced security measures. In particular, websites have to use a secure data connection.
- Since 2014, the HTTPS protocol has become one of the factors in Google ranking. Today, an overwhelming percentage of websites in the Google TOP-5 for most requests use an HTTPS certificate.
- Starting in July 2018, the Chrome browser marks websites without an SSL as not secure (in the address bar).
. This measure prevents users from providing personal information to such websites. Read more about how to check if a site’s connection is secure.
- Some technical features are not available for HTTP websites. For example, web push technology is only supported for websites with an SSL certificate.
Therefore, efforts to move from an unprotected connection to a protected one will prevent theft of personal data, improve SEO indicators, protect against legal violations, give advantages in the presentations of products, and expand technical capabilities.
The Advantages and Disadvantages of HTTPS
- Improving website security. The advanced protocol doesn’t protect against all hazards and hacker attacks but provides basic protection against data theft due to encrypted transmissions.
- Better chances of a successful promotion in search engines. Google prefers websites with a secure connection, and this trend is more pronounced every year. There are no reasons to lose competitiveness.
- Protection of data from mobile devices. This factor is especially relevant today due to the rapid increase in the use of mobile devices for internet access.
- Consumers are more confident with a website that has a high level of security. According to surveys (the research by GlobalSign), more than 80% of buyers will not make purchases on unprotected websites.
- Access to new technologies. We already spoke about push notifications. Geolocation and Progressive Web Apps (PWA) technology are only accessible by HTTPS websites.
- A secure connection requires the purchase of an SSL certificate. Today, there are different levels of certificates, which are chosen by an organization, depending on their needs and status.
- Servers need additional time to process the encrypted information, so it may have a slight effect on website performance.
New websites are typically built using the HTTPS protocol. However, there are a lot of websites that use the HTTP protocol. Switching from HTTP to HTTPS can be a time-consuming project, but many companies have discovered that the end result made the switch worthwhile.
How to switch to HTTPS?
Before switching to HTTPS, there are some preparatory procedures that need to be performed. Transition implies a change of the website address (URL). Accordingly, it’s necessary to change internal link addresses on the website from absolute (for example, http://site.com/articles) to relative (//site.com/articles). If the content of your website (internal links, pictures) can be opened and displayed correctly, you can purchase an SSL certificate.
How to choose an SSL certificate
The choice of a certificate depends on two things:
- what data you collect (only names and email, or billing information)
- what services you provide (a blog with a subscription form, an online store, or a bank).
An SSL certificate is a file that contains a cryptographic key for encrypting data when it is transmitted between a web server and a web browser. This key is bound to an organization that buys the certificate.
Types of certificates
There are five types of SSL certificates:
- DV, or Domain Validated
- OV, or Organization Validated
- EV, Extended Validated
DV is the simplest certificate. No documents are needed to activate it; only domain ownership is checked. It is suitable for websites that do not have a payment function. This certificate is sufficient if users might enter only their name and email address on the website.
The OV SSL certificate is typically used by e-commerce websites. To get an OV SSL certificate, a company or an individual has to provide valid verification documents. Their identity, website ownership, physical address, and telephone number will be checked by the Certificate Authority. Afterward, a certificate and a Seal Of Trust will be assigned. When added to the website, users feel more secure.
Popular brands, financial organizations often use an EV SSL. These certificates signify the highest level of trust and require additional verification steps for companies. Beginning with Chrome V77 and Firefox V70, these browsers stopped including the green line in the address bar for websites with EV certificates. But any visitor can check the verified name of the organization and the type of certificate by clicking on the lock icon before the URL.
If a website has many subdomains, it is better to get a Wildcard certificate. It protects all of the first level subdomains (blog.domain.com or mail.domain.com). If you have multiple domains to protect, you can purchase a Multi-Domain SSL certificate. It is typically more cost-effective than purchasing a certificate for each domain.
You can see the plans of the SSL.com company, that sells all types of certificates:
Who provides SSL? What is the difference between companies?
Certificate Authorities (CA) issue certificates after they verify an organization.
The main differences between certificate authorities are:
- the price of the SSL
- which browsers support the CA
- trustworthiness of CA
- CA customer service quality
If a browser doesn’t support the CA used by a website, they will receive a warning when entering the website. The three most popular authorities are IdenTrust, DigiCert, and Sectigo.
Are there free certificates?
Free certificates exist, but they have their drawbacks.
- Some browsers don’t recognize these certificates and give an error message to the website visitor.
- Free certificates need to be renewed more often than paid ones, and may even require you to pay for renewal.
- Some free SSL certificates can not be used for commercial purposes.
You can try a free certificate by popular, non-profit Let’s Encrypt. Their DV certificates are automatically generated, and initially issued for 90 days.
How to install a certificate on the website?
First, you need to buy a certificate. The terms of the issue vary depending on the type of certificate. For example, when getting a DV certificate, you need to:
- perform a CSR (Certificate Signing Request) – a message, or a public key that you need to send to a CA to apply for a certificate.
- pass a domain name ownership check.
For OV and EV certificates, you need to go through a company check: send documents that verify your ownership of the website and business to the CA.
After verification, you need to go through the installation procedure. The procedure depends on your host server.
To install the certificate you need:
- the private key (RSA). The key is generated after you send a CSR request
- the certificate file and corresponding root certificates
It is worth asking your host support if they have any special features for installing certificates. Various hosting companies offer SSL certificate installation for an extra fee. You can skip some steps above, and they will do them for you.
How to make your website work properly after switching to HTTPS?
Certificate installation on a new website is simpler than on an existing one, because it doesn’t affect traffic. If the website is actively promoted in search engines, you can lose traffic if you don’t prepare for the transition.
In order to prepare to switch to the new protocol, you should first update website settings:
- redirect HTTP to HTTPS URLs
- re-add the website to the Google Search Console
- set a Geographic Target
Protecting user data is the responsibility of website owners. Migrating from HTTP to HTTPS provides many advantages, both in terms of security, and in business promotion. With HTTPS protocol, your website will be competitive in Google ranking and allow you to make use of the newest technologies (web push notifications, PWA).