Google’s Chrome browser will soon flag every site that doesn’t use HTTPS encryption. Starting in July, with the launch of Chrome 68, Chrome will mark all HTTP sites as ‘not secure’ and make it prominent in its URL bar. Chrome currently marks HTTPS-encrypted sites with a green lock icon and “Secure” sign.
Google has been warning users about unencrypted sites for years, but this is the most forceful prod yet. Google search began down-ranking unencrypted sites in 2015, and in 2016, with Chrome 62, Google started marking all HTTP sites that had data entry fields as insecure. Also back in 2016, it started showing the same warning for all sites that asked for passwords and credit cards. With this upcoming update, every HTTP site will be flagged as ‘not secure,’ whether it includes input fields or not.
The question that comes to mind: what are “HTTP” and “HTTPS”?
We are all well aware of the HTTP we type in front of a URL to surf the web. The familiar HTTP stands for Hypertext Transfer Protocol, and it is used to fetch the requested content for display in the browser.
Ever noticed the “S” at the end of HTTP sometimes? What is it? HTTPS is simply your standard HTTP protocol slathered with a generous layer of delicious SSL/TLS encryption goodness.
What does HTTPS do?
HTTPS is basically a secure version of HTTP. If you’re browsing a site with HTTPS enabled, your experience should remain the same, but all the data you send will be encrypted. In most cases, HTTPS goes hand-in-hand with SSL certificates, which are used to verify a site’s identity.
HTTPS takes the well-known and understood HTTP protocol, and simply layers an SSL/TLS (hereafter referred to simply as “SSL”) encryption layer on top of it. Servers and clients still speak exactly the same HTTP to each other, but over a secure SSL connection that encrypts and decrypts their requests and responses.
The SSL layer has 2 main purposes:
- Verifying that you are talking directly to the server that you think you are talking to.
- Ensuring that only the server can read what you send it and only you can read what it sends back.
The really, really clever part is that anyone can intercept every single one of the messages you exchange with a server, including the ones where you are agreeing on the key and encryption strategy to use, and still not be able to read any of the actual data you send.
How is HTTPS more secure?
The primary benefit of HTTPS comes from encryption. Observers can’t see the content of the information as it moves between the application and the web server. So, it’s a basic layer of privacy between your data and the outside world.
This also ensures that the information isn’t modified or corrupted in transit without detection. So, if an internet service provider tries to sneak some malicious code in with the content you requested, the browser will notice. Finally, it stops what are typically called “man-in-the-middle” attacks, in which a third party sneaks in between the browser and the server and replaces the data with other, typically harmful data.
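The key agreement "in the open" and the tamper detection described above can be seen in miniature in the following sketch. It is an added example, not code from the original article: it assumes Diffie-Hellman as the key-agreement method (one of those TLS supports), uses a deliberately small toy group and hypothetical function names, and leaves out the certificate check that proves the server's identity.

```python
import hashlib
import hmac
import secrets

# Toy group, an assumption for illustration: real TLS uses elliptic curves
# or 2048-bit+ groups. P is the Mersenne prime 2**127 - 1.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public); only the public half goes on the wire."""
    private = secrets.randbelow(P - 3) + 2  # uniform in [2, P - 2]
    return private, pow(G, private, P)


def session_key(my_private, their_public):
    """Hash the Diffie-Hellman shared secret into a 32-byte key."""
    secret = pow(their_public, my_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def tag(key, message):
    """HMAC tag; without the key a modified message cannot carry a valid one."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, received_tag):
    return hmac.compare_digest(tag(key, message), received_tag)


def demo():
    browser_priv, browser_pub = keypair()
    server_priv, server_pub = keypair()
    k_browser = session_key(browser_priv, server_pub)
    k_server = session_key(server_priv, browser_pub)
    # An on-path observer holds P, G and both public values. Combining them
    # yields G**(a+b), not the G**(a*b) that the two endpoints computed.
    guess = hashlib.sha256(
        (browser_pub * server_pub % P).to_bytes(16, "big")).digest()
    request = b"GET /account HTTP/1.1"  # constructed sample message
    t = tag(k_browser, request)
    return {
        "keys_match": k_browser == k_server,
        "observer_guess_matches": guess == k_server,
        "accepted": verify(k_server, request, t),
        "tampered_accepted": verify(k_server, b"GET /other HTTP/1.1", t),
    }
```

Calling `demo()` shows both endpoints deriving the same key from values exchanged in the clear, and the server rejecting a request altered in transit.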
By encrypting the data transferred between your machine and the web server, HTTPS adds a basic layer of security to the site you’re viewing.
Even if you’re not sending sensitive data like personal info and passwords to an HTTP site, it’s still possible for outside observers to look at aggregate browsing data of the users and “deanonymize” their identities by analyzing behavior patterns.
In today’s online landscape, security is paramount. The good news is, you don’t need to set up complex defenses or hire paid solutions to secure your users’ data. A lot of times, all it takes to provide a safe experience is to obtain an SSL certificate and enable HTTPS.
Now that we’ve covered the basics of HTTPS, we highly recommend enabling it for your website. On top of upgrading your site’s security, using HTTPS can also provide you with a modest SEO boost.
Plus, users may feel more at ease while using your site, improving their overall experience.