HTTP vs HTTPS - How secure is your connection, and does it matter?

Geek Insights

What are we talking about here?

Every time you load a page on the web, data is being transferred for you to view. HTTP and HTTPS are the two protocols at work to enable this transfer, and which one your website is using can be a pretty big deal.

Here's how you may have encountered these protocols visually whilst surfing the web - these screenshots are from using the Google Chrome browser:

Increasingly the web is moving away from HTTP to HTTPS. So what are these acronyms, how do they affect you, and why the trend towards the 'S'?

define: HTTP

HTTP (HyperText Transfer Protocol) enables the transport of data so that you can load webpages and interact with the web, over a non-secured connection.


define HTTPS

HTTPS (Secure HyperText Transfer Protocol) is the same, only the connection it uses is secure. To make it secure, it utilises a second protocol to encrypt the connection over which that data is sent and received: SSL (Secure Sockets Layer), or TLS (Transport Layer Security - newer than SSL).


SO

HTTP + SSL or TLS

= HTTPS

= data transfer over a secured connection

Comparison table of HTTP and HTTPS


Properties

  1. Set up complexity
  2. Set up cost
  3. Data security
  4. Load speed
     

HTTP

  1. Basic
  2. None
  3. Cannot protect sensitive data
  4. Normal
     

HTTPS

  1. Longer process*
  2. Recurring costs
  3. Encrypts the connection via a secure key
  4. Can be slightly slower
     

*You need to choose a recognised/trusted provider of SSL, then complete the process to qualify your eligibility for the secure certificate.


Traditional use of these protocols

Generally if a website needs users to share sensitive data the website has purchased a security certificate - or extended validation certificate (a more advanced version) - from a trusted provider and set up the HTTPS protocol, either for the whole website or just the pages that involve sensitive data. Therefore usual operators of the HTTPS protocol are e-commerce / online shopping sites, banks that offer online banking services and other such businesses.

Changing with the times

Some scenarios require you operate your website over HTTPS / a secure connection. The usual example is taking sensitive data from visitors, but there are other, newer instances too, for example:

A custom Promotion page on Facebook:

You can enable your Facebook page to display content from a web page you have hosted elsewhere, but only if it’s hosted securely over HTTPS. It can be a bit fiddly to set up but the end result is a fully customised tab integrated into your Facebook page that can convert Facebook fans to customers.


Examples of Custom tabs in use on the Facebook pages of mobile carrier OPTUS and Film distributor/studio SONY

Utilising HTTPS proves not only that you care about the encryption of data for people using your website, but also that:

  • You’re a registered business
  • You own the domain
  • You have the financial strength and consistent presence to implement and maintain the Secure Certificate

So when people are browsing your website and notice that it’s ‘secure’,  you’re conveying that your business can be trusted.

And it’s not just those people that are forming this impression of your site: Google cares too. Google have openly stated that

“Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default… At Google I/O a few months ago, we called for “HTTPS everywhere” on the web.
…For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”


However 9 months later here in May 2015, Google has not yet appeared to make this a strong factor in terms of how it ranks sites in those all-important search engine results, although it obviously wants to move towards that. In the near - and perhaps not so near future - if you’re at all concerned about how your site is ranking, I would avoid worrying about all this HTTPS business from a purely SEO basis, and instead focus on the priority, high-impact changes you’re likely to be able to make instead. In fact, some web masters have transferred sites over to HTTPS and struggled to maintain the ranking the site has before. Which brings us to…

Why not just stick with good old basic HTTP?

This question is working on the assumption that there is no data exchange on your site that involves sensitive data. For example, blogs, simple window-display type sites… the connections do not really need to be secure. Let’s also remember some of the potential negatives of moving away from the basic HTTP:

  • HTTPS tends to require additional ongoing budget
  • Good old basic HTTP can mean a faster web browsing experience. The extra time required to encrypt and decrypt the connection at both ends when using SSL/TLS can cause the site to load slower. (And it’s worth bearing in mind that site load speed is super important - how long do you wait for a web page to load before getting bored and leaving?)
  • HTTPS needs more processing power to encrypt and decrypt that connection, on both ends of that line, so it uses more energy. That’s right, there’s an environmental and resource consideration to be had here too!

Plus, Facebook just got involved and wants to involve millions of users

Have you heard of the Internet.org project? It’s a ‘free mobile data’ scheme led by Facebook, that aims to widen access to the world wide web by enabling basic services that work on low-end phones, for free. The Internet.org project is already live in a range of developing countries including India, where we know millions of people are rapidly adapting mobile phone use and surfing over mobile internet. In other words, this scheme is already enabling selected website free-access to a sizeable portion of our planet’s population, and that’s only set to increase.

Why is this relevant to the HTTP vs HTTPS discussion you may ask… well in order for web services to be available through Internet.org, they must meet three criteria:

  1. they cannot be data-intensive. Videos, high-resolution photos and internet-based voice and video chats are among the banned content
  2. they must be able to run on cheaper feature phones as well as more powerful smartphones. To ensure this is the case, the use of JavaScript, Flash, the secure HTTPS communications protocol and certain other web-based products are not allowed
  3. they should encourage the exploration of the broader internet if possible, to encourage users to ultimately pay for access

Whilst reputable services including BBC News, Wikipedia, Accuweather and more are currently part of this project, there has been a lot of controversy about the whole scheme since in some respects it does not allow for all principles of net neutrality, and we will have to wait and see whether the scheme becomes a stalwart of internet access for millions of people, or sinks amongst arguments left right and centre.

Interesting to note that the actual Internet.org website loads via https, as per the above screenshot...

Now the Internet.org project isn’t really designed to affect a large proportion of the sites on the web, so whilst relevant for the trend of HTTPS vs HTTP, it’s not necessarily relevant for your business/personal website. It’s certainly an interesting story to watch though, which is why my recommended read of this week is this article: http://www.bbc.com/news/technology-32580586

Let’s conclude

Essentially HTTP and HTTPS each have their own advantages, and in some cases which protocol to utilise on your website will be an easy choice. If you need to keep data secure, it’s got to be HTTPS. If you don’t, you now have some information to allow you to explore your options from, hopefully, a more informed perspective. If your web masters are the nice, clever sort like those here at Clue Design, you can choose for some pages to load on HTTP and relevant ones to load on HTTPS, which could enable you to enjoy some of the pros from both sides.

If your website is with Clue Design, or you’d like it to be, we’re happy to discuss your options if you’re curious about HTTPS. Call us on (08) 9368 0777.