As a customer, when you connect to a website that does not have HTTPS enabled, you cannot be certain that your communication is private or that you are actually talking to the “real” website. As a website owner, the lack of SSL will lower your SEO ranking with Google and produce browser warnings that the connection is not secure, which will scare your customers away.
What is SSL?
When you contact a website or other service on the open Internet, you face two clear dangers: First, your communication can be intercepted and the content of your messages may be read by someone other than the intended recipient. Second, an imposter can impersonate the intended target.
To put this in simple terms, without SSL, when you send a message to someone on the internet, anyone along the way can read it. In addition to reading your message without you knowing it, someone other than the intended recipient can even respond, pretending to be the person you were trying to reach. So you would potentially exchange confidential information with a complete stranger, never knowing that your communication was intercepted.
SSL solves both of these problems with a special kind of encryption that does not require you to exchange a password beforehand. This is the key difference between SSL, which is built on public key cryptography, and traditional encryption methods. Think about how difficult it would be if you had to exchange a secret password with someone in another country or on another continent before every conversation. It simply would not work for the Web!
What is HTTPS?
HTTPS is nothing more than SSL applied to HTTP, the protocol that powers the Web; it brings the benefits of public key encryption to web traffic. It guarantees that when we go to our bank’s website, nobody can read our balances and nobody can pretend to be our bank. We can be certain we know who we’re talking to.
Why do I need it?
Stolen sensitive data
Obviously, if everything we say could be read by anyone and if we could not be sure who we were talking to, the Internet would not be suitable for any confidential communication such as banking. Sites that don’t require HTTPS essentially publish all information stored on them to the entire world and expose their customers to identity theft.
Stolen passwords
Even when you log in and enter your password, your entry can be stolen along with your identity. Most dynamic sites have a login screen, which means most sites are vulnerable. Therefore you don’t even need to do banking to have this problem.
Any site with as much dynamic functionality as a login screen should have SSL enabled!
A common way of implementing a login screen is to transmit the user name and password in a header of each HTTP request, in clear text. This is what most websites do, and it is called HTTP Basic Authentication. Consequently, when a user enters a password into a form, that password travels over the wire in unencrypted HTTP requests, for anyone to see.
If we switch to HTTPS, these headers will be encrypted along with everything else, which means the password can only be read by the intended recipient. You should never enter your password into a form that is served via HTTP, because it can be stolen!
Search engine ranking (SEO)
Websites that are not SSL enabled get a lower ranking from search engines because they are not considered secure. This means the website will become harder to find and will receive less traffic. To keep rankings high, only HTTPS requests should be served. When someone tries to connect via HTTP, that request should be automatically redirected to the HTTPS version of the same URL using a permanent redirect (HTTP 301). This signals to anyone browsing, and to all search engines, that the site enforces secure communication.
Browser warnings of insecure content
A while back, Google started to warn Chrome users when they were connecting to insecure HTTP sites or loading a page with mixed content, meaning that at least some of it was loaded via HTTP. Getting a warning from the browser that we are loading insecure content would of course scare a lot of us away. No part of any page should be loaded via HTTP.
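As an added example (not code from the article), the two measures above in Python's standard library: a plain-HTTP listener that answers every request with a permanent 301 redirect to the HTTPS copy of the same URL, and a mixed-content check that lists the resources a page still loads over http://. The port 8080, the hostname handling and the sample HTML are assumptions.

```python
"""Hypothetical helper code: HTTP-to-HTTPS 301 redirect and a mixed-content scan."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def https_location(host_header: str, request_target: str) -> str:
    """Build the Location header for the HTTPS version of an HTTP request.

    Drops an explicit port (e.g. the ':80' a client may send) and keeps the
    path and query string, so deep links survive the redirect.
    Assumes a DNS hostname in the Host header (no IPv6 literal)."""
    host = host_header.split(":", 1)[0]
    parts = urlsplit(request_target)
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Serve nothing over plain HTTP except a permanent redirect to HTTPS."""

    def do_GET(self):
        self.send_response(301)  # permanent: browsers and crawlers cache it
        location = https_location(self.headers.get("Host", "localhost"), self.path)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


class _MixedContentScanner(HTMLParser):
    """Collect subresources (any src, and href on <link>) fetched over http://."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            is_resource = name == "src" or (name == "href" and tag == "link")
            if is_resource and value and value.lower().startswith("http://"):
                self.insecure.append((tag, value))


def find_mixed_content(html: str) -> list:
    """Return (tag, url) pairs a browser would flag as mixed content on an HTTPS page."""
    scanner = _MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


if __name__ == "__main__":  # assumption: port 8080; a real deployment listens on 80
    HTTPServer(("", 8080), RedirectToHTTPS).serve_forever()
```

Plain `<a href="http://...">` navigation links are deliberately not reported, because following them is a new navigation rather than mixed content on the current page.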