HTTPS: How it works and why you should care

For better or worse, Google has been the leader of many changes and developments into how developers build, host, and fill websites with content. HTTPS is one of their latest areas of interest, and no matter what kind of website you host from your VPS, you should care about how HTTPS works and why it’s necessary. It’s July 2018, and Google’s Chrome version 68 is almost here. With this version, Chrome will start flagging all the websites that operate on HTTP as insecure. Even before this, Chrome actively marked sites which used HTTP and had forms where users can input data as insecure, leading to concerned users and frustrated business owners. But now Google is getting stricter than that. If your site doesn’t have HTTPS enabled, you run into the trouble of losing SEO ranking due to being marked as insecure in the URL bar. All your content marketing and keyword targeting efforts could disappear overnight if Google starts to de-prioritize your content, thus not showing it to nearly as many people. Your users might even begin to look elsewhere. If there was ever a time for people to start taking HTTPS seriously, it’s right now.

SSL, TLS, and TLS versions

HTTPS is HTTP with TLS, where TLS stands for “Transport Layer Security.” Often TLS and SSL are used interchangeably in this context, but the fact of the matter is that SSL is the predecessor of TLS. Currently, most websites are using TLS version 1.2 and transitioning towards version 1.3 with older versions supported as well. Now that we have the acronyms and versioning sorted let’s ask the critical question here.

What is HTTPS?

Data flows over the internet through a wide range of interconnected servers, some state-sponsored, and some maintained by corporations. Others could even be set up by malicious entities. Even if your web server is secure, there is no guarantee that the data it sends to a client, over this network of untrusted entities, will not get intercepted by some third-party along the way. Often this is termed as the “man-in-the-middle” attack (MITM). HTTPS attempts to solve this and many other problems by establishing an encrypted channel between the client (the web browser) and the server. Encryption upholds the fundamental principles of data security to a reasonable degree of certainty. These principles are: Data integrity: Ensuring that the data received was not tampered by any uninvited guest who intercepted it as it was on its way. Privacy: Even if someone decides not to modify the data, but merely listen in on it or make a copy of the traffic as it flows through, that would violate the user’s privacy. In principle, if the server uses HTTPS, this third party won’t be able to make any sense of the data because the data is encrypted (scrambled) and only the trusted parties have the key (think of it as a password) to decrypt (unscramble) it. Authenticity: Authenticity implies that websites are what they claim to