HTTP vs HTTPS, certificates and website security
I’ve already talked about HTTPS (and HTTP/2) in a recent article, but I would like to go over how it works, its advantages and disadvantages, and how you can apply it to your website too in order to protect your users and ensure data integrity.
What’s the difference between HTTP and HTTPS?
They’re both Hypertext Transfer Protocols running over TCP, but the latter does it over Secure Sockets Layer (SSL) or Transport Layer Security (TLS), which encrypts the connection between client and server and verifies the authenticity of the website, protecting the privacy and integrity of the exchanged data. That’s it, there’s the difference.
Why you should do it
- Security – It’s safer for you and for your users (we’ve talked about it here);
- Trust – It doesn’t cost a fortune and the advantages in terms of security and perceived trust from your users are big, especially if you run an online store (or a bank);
- There are ways to implement it for free using tools like Cloudflare and its Flexible SSL option, which encrypts only the hop between the user and Cloudflare’s servers (the hop from Cloudflare to your origin server stays plain HTTP), so it ensures safety at least on the user-facing leg.
So no disadvantages?
There are a few, but nothing serious:
- It can add some latency to the request;
- Caching can become tricky on high-load systems (behind a load balancer);
- It’s not free.
HTTPS – Does it prevent man-in-the-middle attacks and XSS?
Now that you’re already informed about the advantages of HTTPS and why you should do it, let’s drill down to the specifics of how an SSL-encrypted connection can protect your website, your users and your server.
What is a man-in-the-middle attack?
A MITM attack is when the attacker sniffs, relays and likely changes the communication between two network entities that believe they’re communicating directly with each other. This attack is extremely common and can be used to steal cookies, passwords and other sensitive information.
How can I prevent it?
Using HTTPS can immediately make things a lot easier. The secure connection with authentication is based on a public/private key pair: when a certificate is installed, the browser uses the public key to encrypt the information and sends it to the server. On the other side, the server can decrypt it because it has the private key. The certificate that vouches for the server’s identity is issued by a Certificate Authority (like Symantec).
Because of this, even if the attacker is in the middle sniffing your network and trying to get something, all he’s going to see are encrypted packets.
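The reason the attacker in the middle only sees encrypted packets is that the browser refuses to use a public key it cannot tie to the site it asked for. The check below is an added example written for this article, not code from it: it uses Go's standard library crypto/x509 package to mint, entirely in memory, a trusted CA, a genuine certificate for a site, a certificate for the same hostname signed by a CA the browser does not trust (what an interceptor would have to present), and a trusted certificate for a different hostname, and then runs the verification a browser performs on each. The hostnames shop.example and other.example and all helper names are constructed for the example. One caveat to the paragraph above: in TLS the certificate's public key authenticates the server during the handshake, and the data itself is then encrypted with a symmetric session key negotiated in that handshake; the description of the browser encrypting the data with the public key is a simplification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert holds a private key and the certificate that carries its public key.
type keyAndCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue creates a certificate for subject signed by issuer. With a nil issuer the
// certificate is self-signed, which is how a root CA certificate is made.
// Everything is constructed in memory for this example; nothing touches disk.
func issue(subject string, isCA bool, issuer *keyAndCert) (*keyAndCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server (leaf) certificate is bound to the hostname the browser connects to.
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyAndCert{key: key, cert: cert}, nil
}

// verify performs the check a browser does on a presented server certificate:
// it must chain to a CA in the trust store and must be issued for host.
// It returns "ok", "unknown authority" or "hostname mismatch".
func verify(presented, trustedRoot *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknown x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown authority"
	case errors.As(err, &badHost):
		return "hostname mismatch"
	default:
		return err.Error()
	}
}

// scenarios builds the trust store and three presented certificates for host and
// reports how a browser holding only the trusted CA would judge each of them.
func scenarios(host string) (map[string]string, error) {
	trustedCA, err := issue("Example Trusted CA", true, nil)
	if err != nil {
		return nil, err
	}
	genuine, err := issue(host, false, trustedCA) // what the real site presents
	if err != nil {
		return nil, err
	}
	untrustedCA, err := issue("Untrusted CA", true, nil) // a CA no browser ships
	if err != nil {
		return nil, err
	}
	forged, err := issue(host, false, untrustedCA) // right name, wrong issuer
	if err != nil {
		return nil, err
	}
	other, err := issue("other.example", false, trustedCA) // right issuer, wrong name
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"genuine":   verify(genuine.cert, trustedCA.cert, host),
		"mitm":      verify(forged.cert, trustedCA.cert, host),
		"wronghost": verify(other.cert, trustedCA.cert, host),
	}, nil
}

func main() {
	results, err := scenarios("shop.example")
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-10s %s\n", name, verdict)
	}
}
```

The "mitm" and "wronghost" verdicts are the two cases behind the browser's certificate warning: the interceptor can mint a certificate with the right name but cannot get a trusted CA to sign it, and a certificate a trusted CA issued for some other site does not match the name the user typed. If users are trained to click through that warning, the guarantee above disappears, which is why it should never be acceptable on a production site.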