Should your site use HTTPS encryption by default?
HTTPS is a protocol for secure communication over a computer network. The underlying technology is TLS (Transport Layer Security), and HTTPS is sometimes described as HTTP over TLS. In 2014, Google started talking about HTTPS Everywhere, its effort to make the web a safer place by encrypting data as it moves between browser and server (HTTPS protects data in transit; it does nothing for data sitting in storage). So far Google search, Gmail and Google Drive are all served over HTTPS.
If you're not a developer or otherwise involved in the workings of the web, you will probably have noticed it only as part of the web address that appears in your browser. If a site is using HTTPS, the browser will normally show a padlock to the left of the address.
The only time you're likely to have seen this on a website is when you're entering sensitive data, like a credit card number, into a web page. Using HTTPS means the data is encrypted before it travels back to the server for processing.
Google's big idea with HTTPS Everywhere is to encourage the use of HTTPS for all communication with the web, whether that's your website, your music playlists or your tweets.
HTTPS doesn't just deal with encrypting the data going to and from a website. All three of the following combine to make a secure website:
- Authentication - Is the site I'm talking to really who it claims to be? Am I interacting with my bank, or with a website that just looks like my bank?
- Data integrity - Has anyone tampered with the data while it's being returned to me or sent from me?
- Encryption - Can anyone see my conversation? Is it protected from eavesdroppers?
One of Google's concerns is that the information flowing between server and client when we browse websites is generally pretty boring in itself, and a single intercepted communication will not reveal a great deal. However, if millions of pieces of data are intercepted and an aggregate picture is formed, the data becomes far more revealing about our browsing habits. HTTPS stops someone in your local coffee shop snooping on the data flowing over the public wifi connection.
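To make the coffee-shop scenario concrete, here is an added example (not code from the original article) that contrasts what a passive listener can read from a plaintext HTTP request with what survives in a TLS connection. The captured request and the ClientHello bytes are constructed inline for the example, not real traffic. The point a practitioner should take from it is the caveat: with plain HTTP the eavesdropper gets the host, the path and the session cookie; with HTTPS the path, cookies and body are encrypted, but the hostname still travels in the clear in the Server Name Indication (SNI) extension of the handshake unless Encrypted Client Hello is in use, so the site you visited is visible even if what you did there is not.

```python
"""Added example: what a passive eavesdropper on shared wifi can read from a
plaintext HTTP request versus a TLS ClientHello. Not code from the original
article. The captured bytes below are constructed inline, not real traffic."""
import struct

# Constructed sample of what an unencrypted request looks like on the wire.
PLAIN_HTTP_REQUEST = (
    b"GET /account/statements?year=2014 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=8f2c1d9e\r\n"
    b"\r\n"
)


def sniff_plain_http(raw: bytes) -> dict:
    """Everything an eavesdropper learns from one plaintext HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b": ")
        headers[name.decode().lower()] = value.decode()
    return {"host": headers.get("host"), "path": path.decode(),
            "cookie": headers.get("cookie")}


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.
    Constructed for the example; a real handshake carries many more fields."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)               # client_version, 32-byte random (zeros here)
            + b"\x00"                               # empty session_id
            + struct.pack(">H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def sniff_client_hello(raw: bytes):
    """Return the SNI host name from a ClientHello record, or None if it is not one.
    This hostname is the only application-level name an eavesdropper sees in
    TLS; the path, cookies and body are only ever sent after encryption starts."""
    if len(raw) < 6 or raw[0] != 0x16 or raw[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    pos += 1 + raw[pos]                         # session_id
    pos += 2 + struct.unpack(">H", raw[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + raw[pos]                         # compression_methods
    ext_len = struct.unpack(">H", raw[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack(">HH", raw[pos:pos + 4])
        data = raw[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, then (name_type, length, name) entries
            q = 2
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack(">H", data[q + 1:q + 3])[0]
                if name_type == 0:
                    return data[q + 3:q + 3 + name_len].decode()
                q += 3 + name_len
    return None


if __name__ == "__main__":
    print("plain HTTP leaks:", sniff_plain_http(PLAIN_HTTP_REQUEST))
    print("TLS handshake leaks:", sniff_client_hello(build_client_hello("bank.example")))
```

Run it and the first line shows host, path and session cookie; the second shows only the hostname. That gap is exactly the aggregate-picture concern above: an observer who collects millions of ClientHellos still learns which sites a network's users visit, even though the content of each visit is hidden.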
Instead of listening in passively on your local coffee shop's wifi, some attackers target a particular user by tricking them into visiting a site that is not the site they expect. HTTPS helps here with server authentication. A website's certificate is issued by a certificate authority that your browser already trusts, and it binds the site's domain name to a public key. When the client (your laptop's browser) connects to the server (a computer in a big building somewhere), the server has to prove it holds the private key matching that certificate, and the name in the certificate has to match the address you typed; only when both checks pass is the browser sure it is talking to the right server. This is what earns the padlock in the browser.
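The name check is the part of server authentication that defeats the look-alike site, so here is an added example (not code from the original article) of the matching rule browsers apply, alongside the Python `ssl` settings that keep or discard that check in your own client code. The certificate names and hostnames are constructed; the matching rules follow RFC 6125 as browsers implement them (case-insensitive comparison, a wildcard only as the whole left-most label, matching exactly one label). `browser_like_context` and `padlock_would_lie_context` are names chosen for this example.

```python
"""Added example, not code from the original article: the hostname check a
browser performs after validating the certificate chain, plus the Python ssl
settings that keep (or throw away) that check. Names below are constructed."""
import ssl


def hostname_matches(cert_names, hostname: str) -> bool:
    """Return True if hostname is covered by one of the certificate's DNS names.
    Rules as browsers apply them (RFC 6125): case-insensitive; a wildcard must be
    the entire left-most label; it matches exactly one label, never zero or two;
    and a wildcard is refused if it would cover a whole top-level domain."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue                    # *.bank.example never covers a.login.bank.example
        if labels[0] == "*":
            if len(labels) < 3:
                continue                # refuse "*.example"-style wildcards
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def browser_like_context() -> ssl.SSLContext:
    """What a browser effectively does: verify the chain against trusted CAs and
    require the certificate's names to match the host that was requested."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets both of these; stated here so the
    # contrast with the weak version below is explicit.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def padlock_would_lie_context() -> ssl.SSLContext:
    """The common "fix" for certificate errors in client code. Traffic is still
    encrypted, but any server holding any key can now impersonate the
    destination, which is exactly the look-alike-bank attack described above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    bank_cert = ["www.bank.example", "*.bank.example"]
    for requested in ["www.bank.example", "login.bank.example",
                      "bank.example", "www.bank.example.evil.net"]:
        print(f"{requested:30} matches cert: {hostname_matches(bank_cert, requested)}")
```

The fourth sample, `www.bank.example.evil.net`, is the classic phishing domain: a certificate for it is easy to obtain, but it never matches a certificate issued for `bank.example`, which is why the padlock alone does not vouch for a site unless you also read the name it was issued for. The second context function is worth recognising on sight in code review: encryption without authentication gives you the first of the three safety features below and silently loses the third.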
So in conclusion, HTTPS provides us with three important safety features on the web:
- Passive & active attackers can't listen in
- Active attackers can't tamper with the data
- Active attackers can't impersonate the destination