HTTPS—Modern Website Essential to Keep Your Business Safe
This May we attended a fantastic event in Cracow—Cybersec League—the first Polish cybersecurity hackathon. Once again it reminded us that the overall security of a web application should always be examined on many different levels. In the world of IT security, the race between the bad and the good guys is always on. When you’re putting your product out on the Internet, suddenly the whole world has access to it. That’s why application security is something to take into consideration already during the early stages of development.
Thanks to the Internet, we can now use a lot of services from the comfort of our own home. Every day on the Web we send tons of sensitive data: our passwords, credit card information, medical data, social security numbers… You wouldn’t want it ending up in the hands of an untrusted individual. Cyberattacks can cost companies from thousands to millions of dollars.
I’m sure you’ve heard many times to always look for that green padlock near the address bar. The HTTPS connection icon. But do you really know what HTTPS is and why are we using it?
HTTPS is a secure version of HTTP (Hypertext Transfer Protocol)—the protocol used by the user’s browser and your application’s web server to communicate. The “s” at the end stands for “secure” because all data sent over HTTPS is encrypted.
In the case of HTTPS, you can think of encryption as your website’s web server and the user’s browser speaking in a foreign language, which can only be understood by them. Modern ciphers rely strongly on a concept of keys—pieces of data that can encrypt and decrypt messages.
Why Do We Need It?
As HTTPS stands for Hypertext Transfer Protocol Secure, the biggest reason why we need it is, of course, security. If someone somehow gets their hands on the communication channel between the web server and your browser and it’s not encrypted, they can easily read all the passwords, credit card numbers, and any other piece of sensitive personal information. HTTPS prevents someone from capturing and modifying the raw data sent between your web server and the user.
The second reason is the fact that modern browsers display warnings about unencrypted websites. If the first thing a user sees after typing in your website’s address is a huge alert “Attackers might be trying to steal your information from My-Website,” it makes your product look untrustworthy and unprofessional.
All modern browsers now mark pages without HTTPS as “not secure.” Taking into consideration the direction in which the modern Web is heading, a more suitable question would be “Why on Earth not use encryption?”
Next comes SEO—websites that use encrypted communication receive a better score on Google PageRank. This means they’ll show up higher in Google’s search results. Visibility is invaluable to any business, so it’s definitely not worth missing out on.
When a website that is using HTTPS tries to serve content from a site that is unencrypted, modern browsers will flag it as ‘mixed content’. This means that when your website lacks encryption, its content might be blocked from being displayed when embedded on secure sites. Mixing HTTP with HTTPS negatively affects website security and user experience.
If you’re not on the safe side yet, there are some technical features you might be missing out on. Prime examples are Service Workers and HTTP 2—the newest version of the HTTP protocol.
Service Workers can help your website work offline and enable sending out push notifications to the user. They allow your web application to behave more like a native one. This feature can greatly extend your website’s capabilities, but as we all know, with great power comes great responsibility. If a malicious worker would be set up in your application, it could have devastating consequences. This is the main reason why using HTTPS with a Service Worker is mandatory.
HTTP 2 is an improved and redesigned version of the HTTP protocol. It makes the Web go much faster and contains a myriad of other cool features of which there are too much to put into in this article. Currently no browser supports unencrypted HTTP 2.
HTTPS may also protect your website from unwanted ads being displayed on your website.
Without it it’s possible for more intrusive ISPs to monitor the unencrypted data stream and inject their own content into pages. Displaying unwanted ads can severely damage user experience of your product.
How Does It Work?
In order to serve your content over HTTPS, you have to purchase an SSL certificate from a Certificate Authority (CA) and install it on your web server. The certificate is a small file installed that connects your organization’s identity—name and location—with your website’s information. This main purpose of this technology is identification: is this person really who they claim to be? In order to obtain a basic certificate, you’ll need to prove that you control the domain. For more extensive options, it’s needed to provide documents proving your company’s identity. Your browser and the operating system contain a list of trusted certificate authorities with which they can check the validity of visited websites certificates.
HTTPS communication consists of multiple steps. First the browser and the server have to agree on what type of encryption they’re going to use and decide on a common key.
Since it’s going to be a shared key encryption, the traffic can be encrypted and decrypted using the same key.
But how does the browser safely tell the server which key they’re going to use if someone might be eavesdropping on the line? The problem can be solved using smart public and private key encryption mechanisms—we’ll explain this using an analogy to a padlock and a key.
We have two keys: a public one, which is available to anyone, and a private one, top secret and hidden.
The public key will be the padlock in our example—it can only encrypt messages. The private key plays the role of the key. Only the recipient of the message knows it and only this person can open the padlock: decrypt the data.
During confidential communication, the recipient can safely show the padlock to everyone interested. The sender then locks the message in a box using the padlock and sends it via a public channel. The sent box is publicly visible, but its content can be revealed only to the owner of the private, secret key.
The SSL certificate that you have installed on your server contains a public key and is signed with a private key that verifies its authenticity. These keys will be used only for establishing a connection and safely transferring a different set of keys in the next stages of encryption. In the first steps of HTTPS communication, the server sends to your browser a certificate with the “padlock”—the public key. The private key remains securely stored on the web server.
The browser then verifies the certificate—checks if it has been issued by a trusted authority using its built-in list. If it finds a match, the connection can continue.
Now the browser has to come up with a shared key that will be used for further communication—the padlock mechanism comes into play. In order to safely transfer the new key, the browser uses certificate’s public key to encrypt the new shared key and then sends it to the web server.
After receiving the message, the web server can decrypt it using its hidden private key. As a result, we get the same secret key on both sides of the channel!
From now on, the traffic will be encrypted using this shared key.
Great success! Now all of the data sent between the user and the server is unreadable for anyone eavesdropping on the connection.
It’s Easy and Free to Implement
Today, the majority of the Web runs on HTTPS and it’s become essential. The good news is that if you would like to use encrypted communication in your website, you don’t have to pay for it.
Let’s Encrypt is an organization founded in 2016 by Electronic Frontier Foundation, The Mozilla Foundation, The Linux Foundation, The University of Michigan, Akamai, and Cisco Systems. Let’s Encrypt operates as a Certificate Authority and offers free SSL certificates. It’s mission is to make encrypted communication a default standard in the whole Web. You can create your own certificate manually or install a special app on your web server that will keep an eye on updates to all your certificates.
Encryption protects our data, privacy, and anonymity. For website owners who process customer information, these are crucial elements that build trust and loyalty. In times when data breaches occur on a daily basis, proper website encryption is of paramount importance.
Still, it’s only one of the elements necessary to keep a web application safe. Secure coding, multi-factor authentication, data-centric security, and many other approaches are used by developers to eliminate vulnerabilities. But the choice of security solutions boils down to the size and type of your business. We’ll be happy to discuss which solutions will be the most effective for you.
Polcode is an international full-cycle software house with over 1,300 completed projects. Propelled by passion and ambition, we’ve coded for over 800 businesses across the globe. Concerned about the safety of your website? Contact us. We’ll analyze, optimize, and secure your web application thoroughly. Polcode. Just as you need IT.