HTTP vs HTTPS, certificates and website security

I’ve already talked about HTTPS (and HTTP/2) in a recent article, but I would like to go into how it works, its advantages and disadvantages, and how you can apply it to your website too, in order to protect your users and ensure data integrity.

What’s the difference between HTTP and HTTPS?

They’re both Hypertext Transfer Protocols running over TCP, but the latter does it over a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) channel that encrypts the connection between client and server and verifies the authenticity of the website, protecting the privacy and integrity of the exchanged data. That’s it, that’s the difference.

Why you should do it

  • Security – It’s safer for you and for your users (we’ve talked about it here);
  • Trust – It doesn’t cost a fortune and the advantages in terms of security and perceived trust from your users are big, especially if you run an online store (or a bank);
  • There are ways to implement it for free using tools like Cloudflare and its Flexible SSL connection that ensures safety at least between its servers and the user.

So no disadvantages?

There are a few, but nothing serious:

  • It can add some latency to the request;
  • Caching can become tricky on high load systems (load-balancer);
  • It’s not free.

If it’s better, why isn’t every site using it?

There are a number of reasons that I see:

  • Some webmasters just don’t know about this;
  • It costs money to buy and renew a certificate;
  • Implementing it (although it is better) is not that easy;
  • Webmasters know but in simpler sites they don’t care.

It’s perfectly fine if you don’t want to implement HTTPS in your website, but be advised that Google is favoring websites using it, according to Gary Illyes quoted here.

Use a global DNS provider

I have had an amazing experience with the well-known Cloudflare: it helps me manage DNS records easily and also provides what they call Flexible SSL, so at least the connection between the user and Cloudflare is made over HTTPS. From that point on, between Cloudflare and your server, it’s plain HTTP.

This method is enough to prevent man-in-the-middle attacks between the user and Cloudflare, and because it’s free, it’s very useful and you should use it.
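With Flexible SSL the origin server only ever sees plain HTTP, so it cannot tell from the socket whether the user connected securely. The Python example below is added here and is not code from the original post or from Cloudflare: it shows an origin-side check that trusts the proxy’s X-Forwarded-Proto header only when the request arrived from a configured proxy address range (placeholder ranges, an assumption), redirects everything else to HTTPS on a fixed canonical host, and adds an HSTS header to secure responses.

```python
import ipaddress
from typing import Mapping, Tuple

# Constructed placeholder ranges (assumption): in a real deployment fill this
# with the edge address ranges your proxy/CDN publishes.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
CANONICAL_HOST = "example.com"  # never echo a client-supplied Host into Location
HSTS = "max-age=31536000; includeSubDomains"


def from_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer belongs to one of the configured proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_scheme(peer_ip: str, headers: Mapping[str, str],
                     socket_scheme: str = "http") -> str:
    """Scheme the end user actually used on the first hop.

    Under Flexible SSL the origin socket is plain HTTP, so the only evidence of
    HTTPS is X-Forwarded-Proto, and that header is believed only when the peer
    is the proxy: anyone reaching the origin directly could set it to anything.
    """
    if socket_scheme == "https":
        return "https"
    if not from_trusted_proxy(peer_ip):
        return "http"
    lowered = {k.lower(): v for k, v in headers.items()}
    first_hop = lowered.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return "https" if first_hop == "https" else "http"


def handle(peer_ip: str, headers: Mapping[str, str], path: str,
           socket_scheme: str = "http") -> Tuple[int, dict]:
    """Redirect insecure requests; answer secure ones with an HSTS header."""
    if effective_scheme(peer_ip, headers, socket_scheme) != "https":
        return 301, {"Location": f"https://{CANONICAL_HOST}{path}"}
    return 200, {"Strict-Transport-Security": HSTS}


if __name__ == "__main__":
    # Constructed sample requests: one via the proxy, one hitting the origin
    # directly with a spoofed header (ignored, so it gets redirected).
    print(handle("203.0.113.7", {"X-Forwarded-Proto": "https"}, "/login"))
    print(handle("198.51.100.9", {"X-Forwarded-Proto": "https"}, "/login"))
```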