We’ll forgive you if the first time you saw HTTPS instead of HTTP in the URL bar at the top of a web page you thought the extra S was some sort of typo.
Actually, that one little letter is a newish protocol and a pretty big deal, big enough that the almighty Google has announced it will penalize non-compliant websites with lowered search rankings sometime in 2018.
Eventually, you probably noticed that extra S showing up enough to come to the conclusion that it wasn’t a typo.
But what does it mean and how can you find out without appearing to be a total nimrod? Luckily, you’ve happened across an article that will educate you on the difference between HTTP and HTTPS.
Tim Berners-Lee Had an Idea
Tim Berners-Lee created HTTP (Hyper-Text Transfer Protocol) back in 1991 as a means to transfer digital files for a little side project he was working on that would eventually become what we know as the same World Wide Web, that very same internet upon which we live, play, and work today.
Thanks to HTTP, computers can talk to one another and arrange for the transfer of files from servers to computers for display in browsers as websites.
In other words, it was HTTP that brought the online environment into the mainstream.
Pretty important? Yes.
At this point, it would be easy to disappear down the rabbit hole of computer techno-speak and likely send you into a temporary coma, but we won’t.
The point here is not the minutia of HTTP but rather how it lasted so long and why Google has decreed now that it must become extinct like the neanderthal and replaced by HTTPS.
HTTP – the Short Version
HTTP has been the primary means of online data transfer for nearly three decades. The reason it has lasted so long has a lot to do with the simplicity of design.
During an HTTP transfer, data is reduced to plain text, which is dead simple and leaves little room for error during transmission.
The problem with this protocol lies in the growth and spread of a little technique called hacking. A plain text data transfer can be easily read and intercepted by those with a certain skill set like, say, a hacker.
With the recent very public escalation of a seemingly unending string of network data breaches that have resulted in the loss of vast amounts of personal data and given rise to the cottage industry of selling the bounty of these penetrations on the dark web, it eventually came to the attention of the people who put this internet thingie together that it would be nice if the data transfer between servers and computers were encrypted.
Until recent years, actually 2018 to be specific, the primary use of HTTPS was in relation to websites engaged in e-commerce – online shopping – or online bank or other types of financial transactions.
As hack attempts spiraled upward, Google began to get more serious about making site security part of the algorithm that determines search engine rankings.
In other words, sticking with the plain old HTTP can cause your website to rank lower.
There have already been reports that some browsers (Chrome is one – a Google product) already display a warning to anyone attempting to visit a non-HTTPS site that they should proceed at their own peril.
We said all that to say this. The single monumental difference between HTTP and HTTPS is that the latter is secured (that’s what the extra S stands for) through one of two encryption methods – either SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
More about these in a moment.
For now, we have revealed the glaringly obvious shortcoming to HTTP. It’s a Las Vegas smorgasbord for hackers on the prowl for information.
Better Get an SSL Certificate
Should you use SSL or TLS?
The answer is easy if you want to avoid complete irrelevancy to Google. In other words, one is better than the other. Let’s dig into this topic more.
SSL and TLS are both cryptographic protocols that do the heavy lifting of data authentication and encryption over networks.
The original SSL technology was developed and released by Netscape back in 1995, then a new version came out the following year. By 1999, when TLS arrived on the scene, the original SSL protocol had been shown to have a few substantial vulnerabilities.
Today, with TLS having been built on the SSL framework, most people who pay attention to this sort of thing look at it as a continuation of the original network encryption protocol.
Anyone with either version SSL 2 or SSL 3 on their server should disable them and activate TLS.
Considering the preceding paragraphs related to SSL vulnerabilities and obsolescence, why on earth would Google be so dead set on every website having an SSL certificate?
It turns out the issue is simply one of semantics.
Though nearly every reference to HTTPS is accompanied by a discussion of an “SSL Certificate,” you should be aware that a more accurate term would be to say “A certificate for use with SSL or TLS.”
The certificate itself is simply the electronic handshake that goes on between browser and server that allows the data encryption process to begin, kind of like a sentry checking that a visitor knows the secret password before letting them into the clubhouse.
HTTP vs HTTPS – By the Numbers
Let’s have a quick recap of everything that we’ve talked about so far in regard to how these two data transfer protocols differ.
- No certificate is needed for HTTP to operate, while HTTPS needs an SSL certificate for each website
- HTTP has no encryption; HTTPS is encrypted so as to be “logically unbreakable”
- HTTP is present in the application; HTTPS works in the transport layer
- HTTP is an unsecure process, while HTTPS is considered secure
- HTTP uses port 80 and HTTPS uses port 443
- For nomenclature, HTTP is expressed http://, while HTTPS is https://
If you’re starting to get the idea that you should make the switch to HTTPS if you haven’t already, good, you’ve been paying attention.
In the next section, we’ll lay out the steps required to bring your website into compliance with Google’s wishes.
Make the Switch to HTTPS
The following process can be greatly abbreviated if you only have a small website.
For people with a larger, more complex site, let’s just say you shouldn’t attempt it without the oversight of an experienced webmaster. There’s a lot of potential for screwing things up in these steps.
Here they are:
- Buy a dedicated IP address and SSL certificate from your web host
- Install and configure the certificate
- Do a full backup of your website in case something goes wrong
- Change internal website links from HTTP to HTTPS
- Update any code libraries and third-party plugins
- Redirect external links to the HTTPS format
- Traffic for any .htaccess applications should be redirected to HTTPS as well, such as Apache or Windows webs server
- If you’re using a content delivery network, and serious website entrepreneurs should, update the SSL settings
- Update 301 redirects as needed
- Update email links, landing pages, paid search links, and the like
- Create an HTTPS website in Google Analytics and Google Search Console unless obscurity is your goal
That leaves us with a final topic to address – which type of SSL certificate should you get?
Three Varieties of SSL Certificates
When pondering which type of SSL certificate you want, keep in mind that it’s all about trust.
The eventual selection you make can have a very real effect on how willing people are to spend time on your website and enter their credit/debit card details to make a purchase.
An SSL certificate functions sort of like the review system on Amazon. People tend to be more comfortable and are more willing to buy a product if there are several positive reviews, much more so than something with poor reviews or none at all. Each type of SSL requires a different and progressively more thorough vetting of the applicant.
Let’s take a quick look at the options.
Domain Validated Certificate: This is the cheapest option.
The only check made is an automatic inquiry to verify that the domain is listed on a domain registry. This is the Amazon equivalent of a product with no ratings.
No company information is required for this type of SSL.
If you have any kind of commercial website, a domain validated certificate would be a poor choice. The only valid use would be on a website where security is not a concern.
Organization Validated Certificate: This one is a hefty step up in verification.
The authenticating agent conducts an online search of the government databases where the business is registered and verifies that the business is legitimate.
This verification could include requests to inspect formative company documents or even conduct actual conversations with company representatives. Obviously, this process takes longer than the simple automated domain verification but provides a much higher level of trust.
Extended Validation Certificate:
This is the most thorough vetting process of all. In light of the ease at which some fraudsters have been able to procure either of the first two types of SSL certificates, more companies have turned to the extended validation (EV) certificate to prove they are on the up and up.
There you have it. The key differences between HTTP and HTTPS in something a bit larger than a nutshell.
The reality is that we’re in a transitional period.
Before too long, HTTP will assume a position on the dusty shelves of internet history, recalled by fewer and fewer people as generations come and go and eventually will probably only warrant a passing mention in the first paragraph of a high school essay on the topic: “Apparently, online data transfers used to be unencrypted. How quaint.”
For those living through the transition in the here and now, you should realize that we are at the point in time where the powers-that-be (we’re looking at you, Google) are in the process of making HTTPS no longer a choice but a requirement in order to present any sort of credible website that attempts to draw traffic or sell a product or service.