HTTP vs HTTPS

You click to check out at an online merchant. All of a sudden your browser address bar says HTTPS instead of HTTP.

Panic attack! What’s going on?

Is your credit card information safe?

Good news. Your information is safe!
The website you are working with has made sure that no one can steal your information.
Instead of Hyper Text Transfer Protocol (HTTP), this website uses Hyper Text Transfer Protocol Secure (HTTPS).

HyperText Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The “S” at the end of HTTPS stands for “Secure”. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.

A web browser such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.

HTTPS pages typically use one of two secure protocols to encrypt communications – SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an “asymmetric” Public Key Infrastructure (PKI) system. An asymmetric system uses two keys to encrypt communications, a “public” key and a “private” key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa.

As the names suggest, the private key should be kept strictly protected and should only be accessible the owner of the private key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.

When you connect to a website with regular HTTP, your browser looks up the IP address that corresponds to the website, connects to that IP address, and assumes it’s connected to the correct web server. Data is sent over the connection in clear text. An eavesdropper on a Wi-Fi network, your internet service provider, or government intelligence agencies like the NSA can see the web pages you’re visiting and the data you’re transferring back and forth.

There are big problems with this. For one thing, there’s no way to verify you’re connected to the correct website. Maybe you think you accessed your bank’s website, but you’re on a compromised network that’s redirecting you to an impostor website. Passwords and credit card numbers should never be sent over an HTTP connection, or an eavesdropper could easily steal them.

These problems occur because HTTP connections are not encrypted. HTTPS connections are.

When you request an HTTPS connection to a web page, the website will initially send its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then initiate the “SSL handshake”. The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website.

When a trusted SSL Digital Certificate is used during an HTTPS connection, users will see a padlock icon in the browser address bar. When an Extended Validation Certificate is installed on a website, the address bar will turn green.

All communications sent over regular HTTP connections are in “plain text” and can be read by any hacker that manages to break into the connection between your browser and the website. This presents a clear danger if the communications is an order form and include your credit card details or social security number. With an HTTPS connection, all communications are securely encrypted. This means that even if somebody managed to break into the connection, they would not be able to decrypt any of the data which passes between you and the website.

The major benefits of an HTTPS certificate are:

• Customer information, like credit card numbers, is encrypted and cannot be intercepted
• Visitors can verify you are a registered business and that you own the domain
• Customers are more likely to trust and complete purchases from sites that use HTTPS

The presence of HTTPS itself isn’t a guarantee a site is legitimate. Some clever phishers have realized that people look for the HTTPS indicator and lock icon, and may go out of their way to disguise their websites. So you should still be wary: don’t click links in phishing emails, or you may find yourself on a cleverly disguised page. Scammers can get certificates for their scam servers, too. In theory, they’re only prevented from impersonating sites they don’t own. You may see an address like https://google.com.3526347346435.com. In this case, you’re using an HTTPS connection, but you’re really connected to a subdomain of a site named 3526347346435.com-not Google. Other scammers may imitate the lock icon, changing their website’s favicon that appears in the address bar to a lock to try to trick you. Keep an eye out for these tricks when checking your connection to a website.

All the clients who have a web hosting plan with Ace SEO Consulting have been given HTTPS status at no additional cost.

As a veteran Calgary web design firm, we create beautifully designed, Google friendly and user-friendly, responsive websites; And, as an SEO company in Calgary, we rank your business higher on Google and other search engines so that you get more traffic to your website and grow our business. Contact us today. In Calgary, call 403-800-0325 or toll-free: 888-235-1258.