Tuesday, August 29, 2017

Why you should think seriously about implementing HTTPS on your website or blog

Is your website open to internet crimes and snooping?

All web surfers know that the first expression in any web address or URL is http:// or https://. Even if the browser at times does not show this, it is there, hidden from our view.

HTTP means HyperText Transfer Protocol. Webopedia gives its simple definition: HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.

HTTPS or SSL certification secures your website/blog and improves SEO.

The information (messages, instructions, content) travels over the internet from the user's browser to the website's server and back, as determined by the rules of HTTP. Because plain HTTP sends this information unencrypted, hackers, which sometimes include Government agencies, can easily read it as it travels on the net with the help of special software. That makes the information vulnerable to various types of crime and to snooping by intelligence agencies and Governments. The recent exposés of how the US agencies were collecting information worldwide are a discomforting example of the data leakage that can happen when servers are connected and sharing information.

Does your blog or website need https instead of http?

One of the easiest ways to assure the visitor that your website is not compromised is to implement HTTPS. It means that the information traveling from your website has the protection of at least one security layer. When you have HTTPS implemented, the data traveling from your website is encrypted, and the visitor is also assured that the site shown in the browser is the genuine one for that address and not a phishing replica.

Having HTTPS on your website leads to higher visitor confidence. For websites without this security layer, modern web browsers warn users against making money transactions, and they also warn when a website's security certificate is not trustworthy.

In addition, a security-certified website is likely to be a trustworthy website in other respects. Therefore, it helps in SEO rankings, and Google and other search engines place such sites high up in search results. In fact, the way Google is promoting HTTPS, it appears that HTTP will not be seen at all in 4-5 years.

Google has put this warning on its Search Console website: "Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode."

You definitely need HTTPS security for your blog or website if you are into online payments for products or services.
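To find the pages on your own site that the Chrome 62 warning quoted above would affect, you can scan their HTML for text-entry fields. The following is an added example, not part of the original post; the list of input types treated as "text entry" is an assumption, and the check for an HTTPS page submitting a form to an HTTP address goes slightly beyond the warning itself.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: input types where a visitor types text (Chrome's warning is about text entry).
TEXT_TYPES = {"text", "password", "email", "search", "tel", "url", "number"}

class FormAudit(HTMLParser):
    """Collect text-entry fields and the URLs that forms submit to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.text_fields = []    # names of fields a visitor can type into
        self.form_targets = []   # absolute URLs that forms submit to

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self.form_targets.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "textarea":
            self.text_fields.append(a.get("name") or "textarea")
        elif tag == "input" and (a.get("type") or "text").lower() in TEXT_TYPES:
            self.text_fields.append(a.get("name") or "input")

def audit(page_url, html):
    """Return a list of findings for one page, given its URL and HTML source."""
    parser = FormAudit(page_url)
    parser.feed(html)
    scheme = urlsplit(page_url).scheme
    findings = []
    if scheme == "http" and parser.text_fields:
        findings.append("text entry on HTTP page: " + ", ".join(parser.text_fields))
    for target in parser.form_targets:
        if scheme == "https" and urlsplit(target).scheme == "http":
            findings.append("HTTPS page submits form to HTTP: " + target)
    return findings

# Constructed sample pages (not taken from any real site).
SEARCH_PAGE = '<form action="/search"><input name="q"><input type="submit"></form>'
LOGIN_PAGE = ('<form action="http://example.com/login" method="post">'
              '<input type="email" name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for url, page in [("http://example.com/", SEARCH_PAGE),
                      ("https://example.com/account", LOGIN_PAGE)]:
        print(url, audit(url, page))
```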

Are all web addresses with HTTPS prefix equally safe?

Not really. Just having an HTTPS certificate does not ensure that the site is perfectly safe against any fraud or online crime or data leakage. But it does show that the site is genuine in certain respects and it ensures that the data is encrypted when exchanged on the web.

At the minimum level, websites get a DV certificate for the security layer, which is technically called Secure Sockets Layer or SSL. DV stands for Domain Verification. That means the site's domain is verified and the website that you see on the browser is not a replica of the genuine site. You do not know whether the website is owned by a good or bad organization, so it will not protect you if the website's real owner is himself a fraud.

OV or Organisation Validation is a higher level of SSL certificate, which is given after thoroughly checking the reputation of the organisation behind the website.

EV or Extended Validation is the top level SSL certificate, which is given after further checks on the company.

Even with the high level of security assured under OV and EV certificates, a Certification Agency can issue a bad certificate. There have also been cases when malware has been able to penetrate the SSL security layer. But these are exceptions.
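The three validation levels described above differ in what the certificate says about the site's owner, and you can see this in the certificate's subject fields. The following is an added example, not part of the original post: it guesses the level from the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. It is a heuristic based on which subject fields are present; the sample certificates are constructed, and `fetch_cert` is a helper that needs network access.

```python
import socket
import ssl

def subject_fields(cert):
    """Flatten the nested 'subject' of a getpeercert() dict into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Guess DV / OV / EV from subject fields (heuristic, not authoritative).

    DV certificates name only the domain, OV certificates add the organization,
    and EV certificates also carry a business category and registration number.
    """
    s = subject_fields(cert)
    has_org = "organizationName" in s
    if has_org and "businessCategory" in s and "serialNumber" in s:
        return "EV"
    return "OV" if has_org else "DV"

def describe(cert):
    """One-line summary: level, domain, and the owner the certificate names."""
    s = subject_fields(cert)
    owner = s.get("organizationName", "no organization in certificate")
    return "%s: %s (%s)" % (validation_level(cert), s.get("commonName"), owner)

def fetch_cert(host, port=443, timeout=5):
    """Connect with normal certificate verification and return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() format (not from real sites).
DV_CERT = {"subject": ((("commonName", "blog.example"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Org"),),
                       (("commonName", "www.example.org"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),))}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```

To check a live site, pass the result of `fetch_cert("your-domain")` to `describe`.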

How do I implement HTTPS on my website/blog?

To give HTTPS security to your website, you need to get an SSL certificate. Most Certification Agencies give it at a price, and some have started giving the DV level of certificate free too. It also comes bundled with expensive types of web hosting packages.

For HTTPS, you have to apply for the certificate, and after some formalities and checks, the Certification Agency gives you the desired certificate. You then install the certificate on the web server where the website is hosted. When a visitor's browser connects to your site's server, the certificate triggers the SSL protocol and the server shares information with the browser through encrypted messages. The same happens when another server tries to connect to your website's server.

By the way, free blogs on WordPress and Blogger are now behind HTTPS security by default.

PS: This website itself is still not under SSL! This is not by design: it is currently hosted on a Google server as a free hosted site, and Google does not provide HTTPS cover for such blogs/websites yet. Since we do not deal with sensitive data and have not started any monetary transaction involving sensitive data transfer, we are OK with that. In the near future, we intend to migrate and have an SSL certificate.