HTTPS is the difference between transmitting sensitive information securely to your bank and allowing cybercriminals to steal that data so they can use it to commit crimes. But there are some misconceptions about what HTTPS means that we want to clear up…
Every day, you use websites to make purchases and pay bills online. But how do you know whether the website you’re using is safe and secure? If you’re like most users, you look for the little padlock icon in your web address bar and think you’re using a safe website. But what if that’s only part of the equation — what if that icon doesn’t tell you the whole story?
Cybercriminals love to exploit ignorance about what that little padlock security icon and HTTPS really mean. It reminds me of a scene from Monty Python and the Holy Grail, where some of King Arthur’s Knights of the Round Table follow an icon in the sky to what they believe is the secret location of the Holy Grail. Turns out, it wasn’t really the Grail, but the young women were using it to lure Grail-seekers to their castle.
In much the same way, the security icon in your browser may be lulling you or other users into a false sense of security. Those security indicators aren’t saying that the connection is safe; they’re conveying that a connection is secure. Yes, there is a difference. And understanding HTTPS will help you better understand what that difference is and why it matters. That’s why we’re here to answer questions like “what is HTTPS?” and “what does HTTPS stand for?”
Let’s hash it out.
What Does HTTPS Stand For? A Simple Definition and Explanation of What HTTPS Is
HTTPS stands for “hypertext transfer protocol secure.” Essentially, it’s a set of rules that enable two entities (e.g., users and websites) to exchange sensitive data online securely. This protocol enables your client (i.e., your browser) and the server it’s connecting to to forge a secure, encrypted connection using the transport layer security (TLS) protocol. This is why it’s also sometimes called HTTP over TLS.
HTTPS is the secure version of the traditional HTTP protocol. Without it, information would transmit in plaintext format, enabling cybercriminals to read, steal, and alter the data in transit. It’s all about using authenticated digital identity and encryption to establish secure connections.
Here’s a quick visual overview of the difference between HTTP and HTTPS website connections:
What Role Does Encryption Play in HTTPS?
HTTPS uses encryption to protect data (such as credit cards, passwords, etc.) from being read by unauthorized parties while it’s travelling across the internet.
Encryption is the cryptographic process of taking plaintext data and scrambling it into random characters to disguise the message using cryptographic algorithms and keys. As a website owner, you use TLS connections (formerly secure sockets layer, or SSL connections) to encrypt the communication channel between users’ web clients and your server.
When you use encryption, you’re preventing bad guys from gaining access to your sensitive data by scrambling it. The only way they’d be able to access the information you send is by having your decryption key. So long as you take the appropriate steps to carefully manage your keys and keep them secure using a key management solution, then you don’t have anything to worry about.
But encryption is only useful if you know who’s on the other side of the connection…
Authentication Helps Ensure You’re Connecting to the Right Entity
As a user, authentication is what helps ensure that you’re connecting to a legitimate website and not an imposter’s phishing site. Your browser will review the website’s SSL/TLS certificate information (i.e., website security certificate), which has been validated by a trusted third party known as a certificate authority (CA). If everything is as it should be, then your browser will continue with the process of establishing a secure connection with the server. If not, your client will terminate the connection and display an ugly “Your connection is not private” message (or another similar warning).
Remember how, at the beginning of the article, I’d mentioned that safe and secure aren’t synonymous terms? This is because you can have a secure (encrypted) connection, but if you don’t know who is sitting on the other end of the connection to receive your encrypted sensitive information, then it isn’t safe.
Why? Because you’re handing over your sensitive data to an unknown entity. Even if your data is sent via an encrypted connection, there could be a bad guy sitting on the other end with the secret key. Once they decrypt your sensitive data, they could sell it or use it for other nefarious purposes.
This is why encryption and authentication are both used in establishing HTTPS connections. All SSL/TLS certificates authenticate the website’s domain name, but only high-assurance certificates authenticate who (e.g., what organization) is running the website (more on that in a bit).
How HTTPS Works When You Connect to a Website
We’ve already written at length about how HTTPS works, so we’re not going to re-hash all of that here. However, here’s a quick and basic overview of how it works:
- When a user connects to a secure website, their web client (browser) tries to verify the website’s digital identity. The user’s client reaches out to the web server, which responds with its SSL/TLS certificate (along with other important info). The client checks the certificate’s veracity, and then the two parties can move forward with the connection process.
- The user’s client and the server first communicate using asymmetric cryptography. Asymmetric encryption means two cryptographic keys are involved — one that encrypts data (public key) and one that decrypts it (private key). This enables the browser and the website’s server to hash out how they want to connect and to exchange key-related information.
- Once both parties use that info to generate a symmetric (meaning the same/identical) key, they can connect using a symmetrically encrypted connection. Once this happens, anyone outside that secure connection who intercepts the data will just see gibberish if they don’t have the necessary secret key.
So, How Can You Tell If a Website Is Using HTTPS?
As a website user, it’s crucial that you use secure websites when sharing or transmitting any type of sensitive information (including your username and password by logging in). But how can you tell whether you’re using a secure website? There are a few telltale signs:
- You’ll see “https://” in your web address bar. When the URL for the website you’re visiting starts with https:// instead of http://, it means you’re using a secure (encrypted) connection to that website.
- You’ll see a padlock icon in your web browser. That little security icon means the server the website is on has an SSL/TLS certificate involved. If you see verified company information in the browser as well, they’re using a high-assurance SSL/TLS certificate. This means that a publicly trusted certificate authority issued the certificate after verifying the organization or business is legitimate using official resources.
It’s always a good idea to check a website’s certificate (like above) to see if the organization running the website has been authenticated. This gives you another layer of protection to ensure you’re sending your info to the organization you intend to.
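What those browser checks amount to, as an added example (not code from the original article): a simplified model, in Python, of the identity checks made on the certificate dict that `ssl.SSLSocket.getpeercert()` returns. The sample certificate is constructed, and the model assumes the TLS library has already verified the CA signature chain.

```python
import ssl
import time

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Inc"),),
                (("commonName", "www.example-bank.test"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.app.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def hostname_matches(cert, hostname):
    """Match the hostname against subjectAltName DNS entries only, as browsers
    do (commonName is ignored); a wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                      # e.g. ".app.example-bank.test"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def within_validity(cert, now):
    """Reject a certificate used before notBefore or after notAfter."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def assurance_level(cert):
    """DV certificates name only the domain; OV/EV certificates also carry the
    verified organization, which is what the browser's company display shows."""
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return "OV/EV (organization authenticated)" if "organizationName" in subject else "DV (domain only)"


def browser_would_accept(cert, hostname, now=None):
    """Identity checks only; chain signatures are assumed verified by the TLS library."""
    now = time.time() if now is None else now
    return hostname_matches(cert, hostname) and within_validity(cert, now)
```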
Where You’ll Find HTTPS In Use
HTTPS can be found virtually everywhere online. W3Techs reports that 81.3% of websites they surveyed use HTTPS as their default protocol as of Jan. 9, 2023. (This was the latest data available at the time this article was written.) High-traffic websites tend to use HTTPS, whereas low-traffic websites tend to use the insecure HTTP protocol. So, it only makes sense that the average web page visit is more likely to be an HTTPS URL than an HTTP one.
HTTPS is used to transmit information securely across the internet in a way that helps protect it from being read by unauthorized parties. Ideally, you’ll find HTTPS connections used for all websites that transmit, collect, process, or secure sensitive information. This should always be the case for:
- Banks, billing, and other financial websites
- Ecommerce sites
- Healthcare providers
- Other sensitive data transmissions
Why Is HTTPS Necessary?
The internet is an open network and an inherently insecure place. When data transmits over the internet without encryption and other cryptographic security measures, it’s vulnerable to man-in-the-middle (MitM) attacks. This means that someone could intercept your data as it travels between your computer and the website it’s connected to and alter key pieces of information.
This means that when you log into your bank, if you don’t use a secure connection, someone could intercept your data in transit and steal or modify it to say something false. For example, you could set up a $500 financial transfer to a friend, but a MitM attacker could change that amount to $2,500 and swap out the friend’s bank account info for their own without your knowledge.
By using a secure HTTPS connection, you’re using a combination of asymmetric and symmetric encryption to prevent bad guys from seeing your plaintext data in transit. But security isn’t the only reason to use HTTPS: it’s also considered a Google search ranking factor. If you want your website to rank well on the world’s leading search engine, then you’ll want to use HTTPS.
How to Enable HTTPS on Your Website
To enable HTTPS on your website, you’ll want to get an SSL/TLS certificate and install it on your website’s server. Of course, we offer great prices on certificates from trusted third-party certificate authorities (CA) like DigiCert and Sectigo.
You’ll need to complete a certificate signing request (CSR) and then wait for the CA to validate you. Depending on the certificate authority and the level of validation you choose, this could take a few minutes or a few days.
Once this process is complete and the CA issues the certificate, you’ll need to collect it along with your intermediate CA certificate and install both on your web server. Depending on your server or hosting platform, you may need to enable the certificate and set your website to use HTTPS. Be sure to check out our Knowledge Base for instructions on how to install an SSL/TLS certificate in different server environments.
Lastly, use our handy SSL Checker Tool to ensure that everything is properly configured.
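A stand-in for that final check, as an added example that is not the page’s tool: it uses only the Python standard library, opens a verified TLS connection to a host you name, and reports what was negotiated. The 30-day renewal threshold and the placeholder usage text are assumptions.

```python
import socket
import ssl
import sys
import time


def fetch_tls_facts(hostname, port=443, timeout=5.0):
    """Open a verified TLS connection and return what was negotiated.

    create_default_context() validates the chain against the system trust
    store and checks the hostname, as a browser does; a missing intermediate
    certificate or a name mismatch raises ssl.SSLCertVerificationError
    instead of silently connecting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),             # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


def evaluate(facts, now=None, renew_within_days=30):
    """Return a list of problems with the negotiated facts (empty means OK)."""
    now = time.time() if now is None else now
    problems = []
    if facts["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        problems.append("obsolete protocol " + facts["protocol"])
    days_left = (ssl.cert_time_to_seconds(facts["not_after"]) - now) / 86400
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < renew_within_days:
        problems.append("certificate expires in %d days" % days_left)
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python tls_check.py <hostname>")   # placeholder file name
    try:
        facts = fetch_tls_facts(sys.argv[1])
    except ssl.SSLCertVerificationError as exc:
        sys.exit("certificate verification failed: %s" % exc)
    print(facts)
    print(evaluate(facts) or ["no problems found"])
```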
Final Thoughts on HTTPS
We hope this article has provided some clarity and understanding about what HTTPS is and why it’s so important in our digital world.
As a website owner, it’s easy to see why running your website on HTTP is no longer a viable option. Between the hit your website’s ranking will take and the security risks posed by not using encryption, every website owner would be wise to enable HTTPS.
As a website user, you’d be smart to only use websites that have HTTPS enabled and, ideally, a visual indicator of verified digital identity. Using insecure websites means that your data is at risk of compromise. If a company isn’t willing to do at least the bare minimum to keep your data secure, it’s probably not an organization you want to do business with.
Have something you want to add that we haven’t covered? Be sure to share your thoughts or questions in the comments.