Internet security has had the spotlight in the news for more than a year since former National Security Agency (NSA) employee, Edward Snowden, disclosed classified documents to the media that detailed information about global surveillance programs. Since then, the biggest players on the Internet have been transitioning their services to more secure technologies.
The widespread Heartbleed security bug that plagued the Internet earlier this year leaves no room for doubt about the need for all website owners to pay attention to the security needs of their users. If you can’t assure your website visitors that your site is secure, now is the time to start taking the necessary steps to lock things down with HTTPS and SSL digital certification.
WHAT IS THE HTTPS PROTOCOL?
Websites are built on the Hypertext Transfer Protocol (HTTP), a common application protocol for communication and the display of web pages on the Internet. The added “S” in HTTPS stands for “Secure,” with the HTTPS protocol being a combination of HTTP and the SSL/TLS protocol.
Until recently, HTTPS was primarily used for websites that required some security, such as those that facilitate payment transactions, because it offers the ability to create a secure channel over a network that may not be secure from eavesdropping and other hacking attempts and attacks.
WHAT IS THE SSL/TLS PROTOCOL?
SSL stands for Secure Sockets Layer, which is the predecessor of TLS; TLS stands for Transport Layer Security. Both SSL and TLS are cryptographic protocols that have been designed to satisfy the need for secure communications over the Internet.
Combined with HTTP, SSL/TLS relies on digital certificates issued by a certificate authority, in conjunction with a public key infrastructure (PKI), to verify that an HTTPS web page belongs to the owner named in its certificate.
WHAT IS AN SSL CERTIFICATE?
HTTPS is endorsed by various digital certificate authorities. Visitors to web pages that utilize HTTPS are encouraged to confirm that the site has a valid certificate that is issued and signed by a trusted certificate authority and that the certificate correctly identifies the viewed website.
Some web browsers indicate the security of a displayed web page in the address bar, commonly by displaying a padlock icon and the https:// prefix. A website visitor can double-click the padlock icon to view the SSL certificate, which shows its issuing authority, to whom the certificate has been issued, its expiration date, and the level of encryption that is provided by the certificate.
A properly secured website assures the visitor that the session is encrypted and it can be reasonably assumed that data transmitted in the session are safe from eavesdropping and attack. However, SSL/TLS is not invulnerable to attack. Furthermore, SSL certificates do not protect the visitor from client-side malware or viruses that monitor user keystrokes, nor can they assure visitors that the business is legitimate.
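The details a visitor reads behind the padlock (issuer, subject, expiration date, and level of encryption) can also be checked programmatically. The following Python example is added here and is not part of the original article; the sample certificate, the host name www.example.test, and the function names are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_certificate(host, port=443, timeout=5.0):
    """Handshake with CA-chain and host name validation; return cert, TLS version, cipher."""
    ctx = ssl.create_default_context()  # trusts the system CA store and checks the host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()


def _name(rdns, field):
    """Pull one field (e.g. commonName) out of the nested tuples getpeercert() uses."""
    for rdn in rdns:
        for key, value in rdn:
            if key == field:
                return value
    return None


def summarize(cert, now=None):
    """Return the details a browser's padlock dialog shows for a certificate dict."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "issued_to": _name(cert["subject"], "commonName"),
        "issued_by": _name(cert["issuer"], "organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "expires": expires,
        "days_left": (expires - now).days,
        "expired": expires <= now,
    }


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust CA"),)),
    "notAfter": "Jan  1 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT, now=datetime(2014, 12, 1, tzinfo=timezone.utc)))
    # Live check (needs network): cert, version, cipher = fetch_certificate("<your-host>")
```

For a live site, fetch_certificate() raises ssl.SSLCertVerificationError when the chain is untrusted, the certificate has expired, or it does not match the host name, so a successful return already means those checks passed.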
WHY GOOGLE SWITCHED TO HTTPS
When it was suggested that the NSA spied on Internet users by collecting data that traversed the communication links that are used by Google- and Yahoo-owned data centers, David Drummond, chief legal officer for Google, issued a statement in October 2014: “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”
Since then, Google has been hard at work adopting technologies to preserve the security of the Internet and is encouraging everyone to do the same. In June, at Google I/O 2014, the leading search website company announced its “HTTPS Everywhere” campaign.
HTTPS Everywhere is a browser extension that was developed by the Electronic Frontier Foundation and The Tor Project in an effort to simplify the use of HTTPS. Released as a public beta in 2010, the functionality is now available for the Chrome and Firefox browsers, along with Android phones.
Google’s HTTPS Everywhere campaign aims to educate webmasters on how to secure websites with the necessary technology and instruct them on best practices for configuration, performance, website migration, and search-friendly improvements.
YAHOO! SWITCHES TO HTTPS
On November 18, 2013, Yahoo announced its commitment to protecting user information by assuring the public that the NSA and other government agencies had never been granted access to Yahoo data centers. The announcement included specific goals that were to be attained by the end of Q1 2014.
In a significant status update issued in March on the massive project to deploy encryption technologies, Yahoo announced that by January 2014, Yahoo Mail was using HTTPS by default and that traffic moving through its data centers was fully encrypted. HTTPS encryption had been enabled by default on the Yahoo Homepage and on search queries that run on the Yahoo Homepage. Visitors to the Yahoo News, Sports, Finance, and Good Morning America websites had the option to manually enable HTTPS by typing “https” in the browser address before the site URL.
Revisions to Yahoo Messenger, to be deployed before the end of the year, will include encryption. Yahoo intends to enable default encryption of its entire platform for all users in an ongoing effort to stay ahead of the curve with “the best possible technology to combat attacks and surveillance.”
HOW GOOGLE USES HTTPS AS A RANKING SIGNAL
It is official. Google announced on Wednesday, August 6, 2014 that HTTPS is now being used as a ranking signal in the Google search ranking algorithms following positive results of tests that have been conducted in recent months. In the announcement, Google asserts its commitment to helping to make the Internet more secure and has provided a link to resources that aim to assist webmasters with preventing and fixing security breaches.
At present, HTTPS is described as “a very lightweight signal” that affects less than one percent of global queries. High-quality content is still, and will probably remain, one of the most significant contributors to higher ranking web pages. In an effort “to encourage all website owners to switch from HTTP to HTTPS,” Google has warned that it may strengthen the use of HTTPS as a ranking signal. Detailed best practices for TLS adoption are now available in the Google Help Center.
As with many ranking signals that Google adopts, webmasters are not given much choice in deciding whether or not to respond by making the appropriate adjustments. It’s only a matter of time before you’re going to need to display a digital certificate on your website.
HOW TO MOVE FROM HTTP TO HTTPS
This is one of those situations where, even if you have been doing all of the right things by publishing relevant and engaging content for your website visitors, you are well-advised to make this minor adjustment to maintain the page ranks that you have worked so hard to achieve. Google’s Webmaster Trends Analyst John Mueller says that content sites benefit from security by ensuring data integrity and authentication.
Even if you are already using HTTPS, you should follow Google’s advice to test the level of security and configuration along with the effect of TLS on your website’s performance.