If you’ve spent any amount of time browsing the web, you have probably noticed that some URLs begin with “http://” and others with “https://”. The extra “s” may look trivial, but the protection given to data travelling between your browser and the site is drastically different between the two. Before you send sensitive information to a website, check that the address begins with “https://”. Securing a site is the webmaster’s responsibility, but a recent study found that only about 52 percent of websites worldwide use HTTPS, which pushes part of the burden of staying safe online onto you.
“HTTP” stands for “Hypertext Transfer Protocol” and was the protocol every website used in the web’s early years. It follows the conventional “client-server” model: a server holds the content, and clients (normally browsers) request it. Since its introduction in the early 1990s, developers have extended HTTP with many new features and capabilities.
Without going into too much technical detail, HTTP controls a few important things. Through caching headers it can tell your browser to cache, or “hold onto,” certain responses so they can be reused later. It also defines its own authentication mechanisms (basic and digest authentication), although better solutions exist today.
Finally, HTTP uses “cookies,” small chunks of data that a site stores in the client’s browser and that the browser sends back with every later request to that site. The textbook example is the online “shopping cart”: the site sets a cookie that identifies your session, and the contents of the cart are tied to that identifier.
Although we could discuss the nuances that differ between HTTP and HTTPS all day, the key difference is that “HTTPS,” an acronym standing for “Hypertext Transfer Protocol Secure,” runs ordinary HTTP over an encrypted connection established with a “Secure Sockets Layer” (SSL) certificate. Strictly speaking, modern browsers use TLS, the successor to SSL, but “SSL certificate” remains the common name. On a correctly configured HTTPS site, browsers show a small lock icon in the URL bar. Data to and from such a site is encrypted, a baseline privacy measure that prevents other people on the same network from reading it. The certificate also lets the browser verify that it is talking to the genuine server, which thwarts the infamous “man in the middle” attack: an attacker who interposes themselves between client and server, impersonating each side to the other, can read and modify every request and response on a plain HTTP connection, with potentially disastrous consequences. Note that the lock only means the connection is encrypted and the certificate matches the domain; it says nothing about whether the site itself is honest.
Diving a bit deeper, SSL certificates are built on asymmetric, or “public key/private key,” cryptography. The server operator generates a key pair. The private key stays on the server and is never shared; the public key is placed in a Certificate Signing Request (CSR) together with the site’s domain name, and the CSR is signed with the private key to prove that the requester holds it. A Certificate Authority (CA) checks that the requester controls the domain (many CAs charge a fee for this, though free CAs such as Let’s Encrypt exist), then issues the SSL certificate, which binds the public key to the domain and is signed with the CA’s own key. The certificate is installed on the server alongside the private key. The data in the CSR has to be correct: a certificate issued for the wrong hostname will be rejected by browsers, however well the rest of the setup is done.
Keep in mind that every SSL certificate has an expiration date. Websites typically have to renew it (often for an annual fee; free CAs usually rely on automated renewal) before that date. If they fail to do so, the certificate expires, and every visitor’s browser will show a very strong warning that the certificate is no longer valid, usually blocking the page until the visitor explicitly clicks through.
The SSL Process
Despite the complex mathematics and cryptography behind the scenes, SSL certificates are used in a very clear sequence. As with anything built on HTTP, the browser or “client” initiates the request, for example when you type in a URL and hit [Enter]. During the handshake that follows, the server sends its certificate, which contains its public key. The browser then checks the server’s identity: the certificate must chain up to a CA in the browser’s trust store, its name must match the host being visited, the current date must fall within its validity period, and it must not appear in a Certificate Revocation List (CRL) or an OCSP response. If everything checks out, the two sides agree on a shared session key. The server proves it holds the private key matching the certificate, either by signing part of the handshake or, in the older RSA key exchange, by decrypting a secret the client encrypted with the server’s public key. Both sides then confirm that the secured connection is ready, and from there on out all data between client and server is encrypted with the session key.
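To make the issuance and verification steps above concrete, here is an added example in Go (it is not code from the original article). It uses only the standard library to play all three roles: the server operator generating a key pair and CSR, a CA signing that CSR into a certificate, and a browser verifying the certificate against its trust store. The CA name, the hostname www.example.com, the “Rogue CA” used to model a man-in-the-middle, and the fixed clock are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the example short; real code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // constructed serial-number counter; real CAs use large random serials

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// newKey generates an asymmetric key pair. Only the public half goes into
// the CSR; the private half never leaves the machine that made it.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCA creates a self-signed root that plays the Certificate Authority.
// Browsers ship with a bundle of such roots; here we make our own.
func newCA(key *ecdsa.PrivateKey, name string, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// makeCSR is the server operator's step: bind the public key to a hostname and
// sign the request with the private key, proving possession of it.
func makeCSR(key *ecdsa.PrivateKey, host string) *x509.CertificateRequest {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))))
	if err := csr.CheckSignature(); err != nil { // the CA's first check on a CSR
		panic(err)
	}
	return csr
}

// issue is the CA's step: turn the CSR into a leaf certificate signed with the
// CA's private key. A real CA first verifies control of the requested DNS names.
func issue(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))))
}

// browserCheck mirrors what a browser does on connect: chain the leaf to a trusted
// root, match the hostname, and check the validity window at time `now`.
// (Revocation checking is left out; Go's Verify does not consult CRLs or OCSP.)
func browserCheck(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var inv x509.CertificateInvalidError
	var hn x509.HostnameError
	var unk x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unk):
		return "untrusted issuer"
	case errors.As(err, &hn):
		return "hostname mismatch"
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// Scenarios builds the PKI once and returns the browser's verdict for four cases.
func Scenarios() map[string]string {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock so results are reproducible
	day := 24 * time.Hour
	caKey := newKey()
	ca := newCA(caKey, "Example Root CA", t0)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the browser's trust store holds only this root
	leaf := issue(makeCSR(newKey(), "www.example.com"), ca, caKey, t0, 90*day)

	// A rogue CA models the man in the middle: it can mint a certificate for the
	// same name, but its root is not in the trust store, so the chain fails.
	rogueKey := newKey()
	rogue := newCA(rogueKey, "Rogue CA", t0)
	rogueLeaf := issue(makeCSR(newKey(), "www.example.com"), rogue, rogueKey, t0, 90*day)

	return map[string]string{
		"valid":     browserCheck(leaf, roots, "www.example.com", t0.Add(day)),
		"expired":   browserCheck(leaf, roots, "www.example.com", t0.Add(91*day)),
		"wrongHost": browserCheck(leaf, roots, "login.example.net", t0.Add(day)),
		"mitm":      browserCheck(rogueLeaf, roots, "www.example.com", t0.Add(day)),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-10s %s\n", name, verdict)
	}
}
```

The four verdicts correspond to the checks described above: a certificate chained to a trusted root, matching the hostname and inside its validity window passes; the same certificate checked a day after it expires fails; a valid certificate presented for a different hostname fails; and a certificate for the right name issued by a CA the browser does not trust fails, which is exactly why a man in the middle cannot simply forge one.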
As cybercriminals have become more skilled, webmasters have had no choice but to implement additional safety measures. Remember, using plain HTTP is much like mailing a physical postcard: anyone on the path between you and the server can read, and alter, everything being sent and received. HTTPS exists because attackers exploited exactly that weakness in standard HTTP. It may be tempting to forgo the cost and effort of an SSL certificate, but remember that you will be placing your own and your visitors’ security at the mercy of cybercriminals.