The Case For Https

Filed in Uncategorized by on September 21, 2015

 
Let’s cut to the chase!

What the heck is Https and why should you even care?

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’.

It means all communications between your browser and the website are encrypted.

(Click below if you’re a tech junkie and want more info about it.)

https://www.instantssl.com/ssl-certificate-products/https.html

Google has been recommending that websites shift towards https.

Why?

Because a website that uses https provides a safer environment for the end user.

 

Why You Need Https

 
Https provides encryption that is meant to protect the traffic to and from a website from prying eyes, and major sites that use a login and password should offer this security. You’ve probably used Https on your Internet Banking or Facebook without even realising.

 

The Need For A Secure Connection

 
When we surf the Internet, most of us assume that only our browser and the server (the place where the website is hosted) are able to identify us.

Unfortunately it’s not that simple. Our connection to the Internet, particularly if we’re in a public place, can be intercepted without us even knowing.

When it comes to malware, you might think that you’re clever enough to avoid clicking on emails that ask you to enter a password – think fake bank account alerts, fake Facebook or PayPal suspensions etc.

These types of attacks are referred to as phishing attacks (phishing is a play on the word ‘fishing’) and are the most common types of attacks because they’re geographic and network independent.

 

What Are Sniffing Attacks?

 
A sniffing attack is where somebody watches the traffic that goes to and from your web browser.

In theory, as long as you have an Internet connection, they could actually identify all of the movements that take place on a computer, but for now we’ll focus on website traffic.

Sniffing attacks work by intercepting the connection to the Internet. A piece of software is installed onto the network and it views all of the traffic that flows into and out of that network.

Think of it like when you’re at work. Corporate firms employ I.T. companies to monitor the websites which their employees browse.

Filters ensure that nothing inappropriate is accessed.

In a place that has public wifi, for example cafes, libraries, airports – it is relatively simple to find a browser’s end point and use the network’s signal to monitor the traffic.

Encryption works by concealing the traffic from everyone except those who know the secret key to decrypting the traffic.

This doesn’t stop the sniffer from working but it does render the information that it receives useless, because all the traffic now only appears as random bytes of data – as opposed to html, links, cookies and passwords.

 

Why Don’t We Use Wireless Encryption?

 
We do!

The first scheme was referred to as WEP. If you have a broadband router at home then you’ll likely be aware of WEP.

However, the encryption provided by WEP was poor and easy to reverse engineer. Wireless security on home routers has since been replaced by a more secure protocol: WPA2.

This is why https was introduced to protect your data.

 

How Our Devices Communicate

 
When we access a website, the website speaks to the browser. The website authenticates the browser once we enter our login and password by dropping a cookie into the browser.

These cookies identify you the next time you visit the site and display the information that you need to see as somebody who is ‘logged in’ to the site.

If someone has access to the handful of bits that a cookie uses to identify you, they could easily impersonate you. You might not access your banking details in a public place, but chances are that you’ve used the Internet connection to sync your email, right?
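
To make the cookie risk concrete, here is an added example (not code from the original post) that audits the Set-Cookie header a site sends at login and reports whether the cookie can travel over plain http, where a sniffer could read it. The sites and cookie values are constructed; the `Secure` attribute it checks is the standard flag that tells a browser to send a cookie over https only.

```python
# Added example: which login cookies could a sniffer on the network read?

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, set_over_https):
    """Return finding codes for one Set-Cookie header.

    set_over_https: True if the response carrying the header used https.
    """
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if not set_over_https:
        # The cookie already crossed the network unencrypted when it was set.
        findings.append("SET_IN_CLEAR")
    if "secure" not in attrs:
        # Without Secure the browser attaches the cookie to http requests too,
        # so a single plain-http request on public wifi exposes it.
        findings.append("MISSING_SECURE")
    return findings


def audit_responses(responses):
    """responses: list of (url, Set-Cookie header) -> {cookie name: findings}."""
    report = {}
    for url, header in responses:
        name, _, _ = parse_set_cookie(header)
        report[name] = audit_cookie(header, url.lower().startswith("https://"))
    return report


# Constructed sample: login responses from three hypothetical sites.
SAMPLE = [
    ("http://shop.example/login", "sessionid=9f2c71; Path=/"),
    ("https://mail.example/login", "sid=4be0aa; Path=/; HttpOnly"),
    ("https://bank.example/login", "auth=77d1c3; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for name, findings in audit_responses(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```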

Sniffing attacks target email because it’s universally used to reset passwords. If someone can get access to your email account, they can perform a quick search of your older emails and get access to any website that you use: e.g. gaming, banking and corporate sites.

 

Disadvantages Of Https

 
Using HTTPS for a web request will always be slower than using HTTP. In particular, it will have significantly greater latency, because of the number of extra “handshake” packets that are necessary before the first byte of payload data is encoded and sent to the server.

This latency is particularly noticeable on the first request to an HTTPS domain; after that first request, browsers will reuse the connection and cache the SSL session to allow quick resumption of the communication.

While your server process is busy cranking away at generating an encryption key (and this part needs to be hard, and slow, for the encryption to be worth a hill of beans), it’s not rendering pages or talking to databases.

What this means in practice is that your web servers will be spending more of their time in relatively boring user-space CPU cycles, and less of their time doing useful computation or coordinating I/O. And so your web server gets sluggish sooner.

 

How Https Will Affect Your SEO

 
Here’s the important bit:

Using https instead of http from the outset will provide a small ranking boost but:

– Migrating from http to https will result in 301 redirects and multiple use of these can trigger a Google penalty resulting in loss of rankings. Authority (page rank, domain authority) is lost during a 301 redirect.

 

If you do migrate to https then do not keep both http and https.

 
It’s very easy to do this if you’re not sure what you’re doing. If you do end up with both then you’ll get hit with a Panda duplicate content penalty which will result in a far bigger drop in rankings than the potentially small boost that you’ll get from migrating to https.
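
One way to check a migrated site for the two conditions this section describes, pages still answering on http and http URLs that need more than one 301 to reach https, is sketched below as an added example (not code from the original post). It runs against a constructed table of responses for the placeholder domain example.com rather than live requests; the finding names are made up for the illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed responses: URL -> (status code, Location header or None).
RESPONSES = {
    "http://example.com/": (301, "https://example.com/"),
    "http://example.com/about": (200, None),            # live on both schemes
    "http://example.com/blog": (302, "https://example.com/blog"),
    "http://example.com/shop": (301, "http://www.example.com/shop"),
    "http://www.example.com/shop": (301, "https://www.example.com/shop"),
    "https://example.com/": (200, None),
    "https://example.com/about": (200, None),
    "https://example.com/blog": (200, None),
    "https://www.example.com/shop": (200, None),
}


def follow(url, responses, limit=5):
    """Walk redirects through the table; return [(url, status), ...]."""
    hops = []
    while len(hops) < limit:
        status, location = responses.get(url, (None, None))
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            break
        url = location
    return hops


def audit_http_url(url, responses):
    """Return finding codes for one http URL of the migrated site."""
    hops = follow(url, responses)
    redirects, (final_url, _) = hops[:-1], hops[-1]
    findings = []
    if urlsplit(final_url).scheme != "https":
        findings.append("STILL_SERVED_OVER_HTTP")   # http and https both kept
    if any(status != 301 for _, status in redirects):
        findings.append("NOT_A_301")                # temporary redirect used
    if len(redirects) > 1:
        findings.append("REDIRECT_CHAIN")           # more than one hop to https
    return findings


def audit_site(responses):
    """Audit every http:// URL in the table -> {url: findings}."""
    return {url: audit_http_url(url, responses)
            for url in responses if urlsplit(url).scheme == "http"}


if __name__ == "__main__":
    for url, findings in audit_site(RESPONSES).items():
        print(url, "->", ", ".join(findings) or "ok")
```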

Finally, you only have to look at your own niche and related niche markets.

How many sites that support https are currently ranking on the front page of the search results? Hardly any and for me, that’s the true litmus test.