Always HTTPS

Always HTTPS is the idea that we should make all websites HTTPS and encrypt all data. All sites? What if it is just my blog about my cat? Or just my business site with no login? Does it matter? Always HTTPS says yes, it always matters.


Understanding the value of HTTPS

In order to understand Always HTTPS we first need to understand HTTPS. HTTPS stands for Hyper Text Transfer Protocol Secure: like normal HTTP, but secure. What makes it secure? The simplified version is that traffic sent over HTTPS correctly is encrypted in transit from your browser to the website server. This means that someone has to both intercept your data and decrypt it in order to see your data. And it is encrypted in a way that the best computers would take years to hack. Most people look for the green icon in their browser, like the image to the right, to know if it is secure. Usually we only worry about this as a consumer if it is our bank or an eCommerce site or something similar. But Always HTTPS asks us to do more.

Note: Just because a website has a green lock doesn’t mean it is encrypted correctly. You can see if a site's SSL/TLS certificate is set up correctly by testing it on Qualys for free. Just be sure to check the "Do not publish results" option unless you know it is an A (and it should be an A or A+).


HTTPS For Internet Users

If it isn’t encrypted, assume anyone could be reading or changing the websites you visit. To understand this, we first need a basic understanding of how things work. When you click on something on your favorite website, a packet (or, most likely, numerous packets) of information is sent from your browser to your router, to your ISP (e.g. Comcast, AOL, CenturyLink, etc.), and then to the server in question, and additional packets are sent back again. Along this path there are multiple stops that your information passes through in both directions.

Let's start with a simple example: if you are on unsecured wireless, someone else on the same network can packet sniff, or actually watch, stop or change the information you are sending or receiving! If you type in a password on an unsecured site, someone could grab that packet and copy your password and email. As they watch your traffic they could see the unencrypted sites that you visit and start to make some assumptions about you that could potentially give them enough information to hack something you do care about (especially if you use the same password on another site; this is one reason to never reuse a password on anything you would care about getting hacked!).


HTTPS for Businesses

So let's imagine that a business has a site where their clients can just make simple contact submissions (name, email, comments). With that info and a list of other sites you have visited, aren’t you now a lot more susceptible to social engineering or targeted email spam? Or just taking the email and trying to hack your email account or a sites

Now, the man in the middle, or the person watching your packets, doesn’t have to be on your wireless network; they could be at any point between your browser and the website server. Along with seeing your information, they can change it!

In this scenario, let's say your company site asks for your name, address, and email via unsecured HTTP. When you click submit, it takes you to a secure checkout such as PayPal. If I am a man in the middle, I could subtly change the content of your site for that user so it looks the same, but when they click PayPal it is really taking the user to 9870u9879876976 longlongurlthatnoonewillread wholooksatthesereally?pawned=true

Read that URL again: it is gibberish, but this really happens (it also happens with links in ads, social media, and emails).

This new site is the hacker's site, which he built by scraping PayPal so it looks the same. It looks just the same, just with a different URL. Now your customer puts in their credit card. An easier hack would be just to change the form on your site to ask for a credit card and change it to submit to the hacker's site. Unfortunately, many users today would still do it even though it isn’t HTTPS.
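
An added example (not from the original article): a small Python audit that flags forms exposed in the way described above, either because the page carrying the form is delivered over HTTP or because the form submits over HTTP. The sample pages, the host names and the SENSITIVE keyword list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE = ("pass", "email", "card", "address", "name")  # assumed keyword list


class FormCollector(HTMLParser):
    """Collects each <form> with its action and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "textarea", "select") and self.forms:
            # Inputs are attributed to the most recently opened form.
            self.forms[-1]["fields"].append((a.get("name") or a.get("type") or "").lower())


def audit_forms(page_url, html):
    """Return (submit_url, sensitive_fields, problems) for every form on the page."""
    parser = FormCollector()
    parser.feed(html)
    report = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        problems = []
        if urlparse(page_url).scheme != "https":
            problems.append("page delivered over HTTP: form can be rewritten in transit")
        if urlparse(target).scheme != "https":
            problems.append("form submits over HTTP: values readable in transit")
        sensitive = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        report.append((target, sensitive, problems))
    return report


# Constructed sample pages (not taken from a real site).
CONTACT_HTTP = '<form action="/contact"><input name="email"><input name="comments"></form>'
CHECKOUT = '<form action="https://payments.example/pay"><input name="card_number"></form>'

if __name__ == "__main__":
    for url, html in (("http://shop.example/contact", CONTACT_HTTP),
                      ("https://shop.example/cart", CHECKOUT)):
        for target, sensitive, problems in audit_forms(url, html):
            print(url, "->", target, sensitive, problems or "ok")
```

A form whose action is HTTPS still gets the first finding when the page around it came over HTTP, which is the case in the scenario above: the action itself can be rewritten before the user ever sees it.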

These situations above are theoretical and many times you are fine… but it does happen and you never know… and why not?


Here are the three main reasons why people are against Always HTTPS:

1.) It’s too expensive.

You can get a good SSL cert for $60/year. That is relatively cheap. There is now also Let’s Encrypt as a free option, depending on your hosting environment. The price is now so cheap or free that this isn’t really a good reason for any business. Talk to your hosting provider or developer about your options.

2.) It makes my website slower.

Each packet sent over HTTPS needs to be encrypted and decrypted. There is an extra ‘handshake’ that happens to make sure that both sides are who they say they are. In the past this was a noticeable speed difference. In 2016 it is negligible when set up correctly. Doing speed tests in Chrome between the same site with HTTPS and without, we were seeing less than a tenth of a second difference. And if a server and browser support the new HTTP standard, HTTP/2, then it is actually faster!

If you are that worried about performance, there are dozens of more impactful things you could do that are neglected on most sites. Also, with HTTP/2 coming out you might end up faster via HTTPS than without. Load speed isn’t a good reason any more.

3.) I’m lazy or I don’t know how

Now this might be valid. It does take a few minutes to set up, and sometimes we don’t have the time or don’t want to figure it out, but for any business the pros outweigh the cons. Find someone to take care of it for you.


3 reasons to go Always HTTPS

Always HTTPS makes the internet a better place for your users and for you! Along with the security reasons above, here are a few other benefits of having your own green lock on your site.

1.) Security of course

I had to say it again, it helps keep data private for you and your clients and is relatively painless!

2.) SEO (Search Engine Optimization)

It helps you show up higher in search results. HTTPS is a ranking signal for Google. If all other things were equal between your website and your competitor's, and yours was HTTPS and theirs wasn’t, you would be above them in search results. Cool benefit, right? Google does this to help promote Always HTTPS and make the internet better for everyone.

3.) Trust

Trust, trust, trust, I can’t say it enough. Trust is the currency that moves your business. Users trust a site more if it is HTTPS. If I trust you, I will buy from you, contact you, and refer you. If I don’t trust you, getting a sale can be a nail grinder. Your website needs to reinforce or build trust. It's too easy a way to build trust to not do it!