Originally written by Philip Graves and edited by David Graves, 20th March, 2017; amended and expanded in consultation with Jonathan Downing and Kevin Ruston, 22nd March, 2017

A brief non-technical history of HTTP

Since the inception of the World Wide Web, HTTP (the Hypertext Transfer Protocol) has been the standard protocol for connections between websites and their users. It was proposed and developed by Tim Berners-Lee in 1989-1990, and first implemented live (as version 0.9) in 1991.

Later versions, and the years from which they became standard, have included 1.0 (1996), 1.1 (1997), and 2 (2015). Version 2 differs from version 1.1 chiefly in performance, which is to say, the speed and efficiency of data transmission.

Why HTTPS ?

Despite its ubiquity since the inception of the web, HTTP has major security flaws. These include a lack of data encryption and vulnerability to third-party interception.

Why would someone want to intercept a web request? There could be various intentions behind third-party interception. Here are some possible reasons:

  • Interception of passwords for malicious purposes
  • Injection of malware or advertisements into the website
  • Snooping out of personal curiosity
  • Monitoring of employee activity
  • Snooping by individuals and groups out of a desire to expose wrongdoing such as corporate malpractice, for instance via a file dump to a public website or an article in the press
  • Snooping by government agencies such as the police and intelligence services on individuals and groups suspected of planning or engaging in criminal activity
  • High-level government espionage by intelligence services interested in obtaining information from foreign governments
  • Theft of personal data and files from private individuals for malicious purposes
  • Disruption to, or interception of company and customer data and other corporate secrets from, commercial competitors’ websites
  • Theft of online card payment details or bank account credentials for purposes of making fraudulent transactions

HTTPS withstands these attacks by providing authentication, privacy by means of encryption, and data integrity. It ensures that what the user receives is exactly what was sent by the website. The purpose of this article is not to go into the technical details of how and why that works, information on which can be found elsewhere for those interested. But it is to educate and remind web users and website owners of the importance of achieving secure data connections.

Why has Google’s advice on HTTPS changed?

Originally, HTTPS use was primarily restricted to log-in pages for making payments, pages for processing payments, and online banking services.

In the last few years, the use of HTTPS has become more prevalent as users have become more concerned with and aware of issues relating to the privacy of their data online.

Additionally, the availability and affordability of SSL certificates (electronic files that securely identify the website) has increased exponentially.    

In late 2016, Google announced plans to progressively place warnings on all web-pages accessed with its popular Chrome browser that do not use HTTPS connections, even if payment-related pages do.

In January 2017, it implemented the first phase of this process by marking all pages that require the input of passwords or payment information as non-secure. It plans at a later date to extend this to the placement of warnings on all sites that contain any HTTP pages at all.

Already in 2014, Google had announced that it was starting to give a slight search engine ranking boost to sites with SSL certificates.

At first glance, this might sound as if Google is making more work for the owners and developers of websites, and alarming web users.

However, Google's move has the best interests of users of the Internet at heart; and migrating to HTTPS, while it is inconvenient, will make both the owners and the users of websites much safer from the kinds of risks outlined above.

Log-in pages other than those for making payments are also vulnerable to data interception when HTTP is used, allowing credential theft. Posing as the account holder, a person could then do anything that the user whose credentials he / she has stolen could do. This exposes the user to reputational risk. For example, the thief could:

  • Post personally damaging comments, images and videos (or links to any of these) that appear to be attributed to the legitimate account holder.
  • Alter or remove connections with other users of the website, if it has a social networking functionality
  • Send personally damaging messages to connected users or to the administrators of the website
  • Place or cancel orders for purchases
  • Delete the entire account
  • If the account has administrator privileges at a website, maliciously alter, add to or delete selected website contents and user accounts

How to migrate to HTTPS

An SSL certificate needs to be obtained and installed on the server or other platform hosting your website to validate its HTTPS connection.

You can obtain an SSL certificate for your website from a certificate authority. Your hosting company or web design company may also be able to provide one for you.

If you are using a website builder like Wix or Squarespace, the SSL certificate should be obtainable through the normal control panel.

If you are running your own web server, you will need to consult the documentation in order to configure your server securely.

Check you have a secure HTTPS certificate

Perhaps you already have your website configured for HTTPS and feel there is nothing to be concerned about.

This is not necessarily true, however:

Not all HTTPS certificates are secure!

Some HTTPS configurations are less secure than others. Weak SSL certificates and insecure ciphers are potential minefields.

In February 2017, for example, Google demonstrated that certificates signed with the SHA-1 hashing algorithm can be spoofed. Although there is no known practical attack application for this vulnerability at present, Google has taken the precaution of warning users of its Chrome web browser when they visit a site with a SHA-1-signed certificate.

For any business with an online presence, having the wrong type of certificate is a liability, since site viewers will be served alarming security warnings and discouraged or blocked from visiting your website.

Setting up your servers properly with secure HTTPS connections will help you gain and retain the trust of your users and customers.