HTTPS stands for ‘Hyper Text Transfer Protocol Secure’ is a kind of internet protocol used to carry out data transmission between two devices in a secure way that necessarily involves coded encryption. In internet, millions of devices interconnected to each other to exchange and share informations back and forth every moment. Here security and trust are of utmost importance to run the session with ease and secrecy. This is why https is used for websites. It not only allows for data transfer in a state of being encoded but also entails the required actions to validate both the participants through web application and security management so that none can manipulate a bit of information by any means for his personal ends so long as it is in transit.
Page Contents
Evolution of HTTPS
At the dawn of world wide web, Sir Tim Berners-Lee invented http which stands for ‘hyper text transfer protocol’ used to send and receive plain text-based messages and information through a number of computer networks. In http the messages are open, not encrypted, vulnerable to malicious attack, hacking and stealing by eavesdroppers. To counter these vulnenerabilities, the protocol was developed, sophisticated and standardised so as not to be manipulated and sniffed at by any means. The updated protocol is HTTPS where ‘s’ referrs to “secure”. It has added to it some extra features such as public key, encryption of 128/256 bits, SHA-2 with RSA combined with TLS/ SSL etc.
Difference between HTTPS and HTTP
| HTTP | HTTPS |
| HTTP stands for ‘Hyper Text Transfer Protocol’. | HTTP stands for ‘Hyper Text Transfer Protocol Secure’. |
| It’s insecure. | It’s secure. |
| It uses port 443. | It uses port 80. |
| Browsers flag it as insecure. | Browsers flag it as secure. |
| Starts with http:// | Starts with https:// |
Importance of HTTPS
HTTPS is an internet transport layer security protocol that enables transmission of data in encrypted form between the server and the browser—–the duo involved in the process. As a user you can ask me, “Why should I switch to HTTPS instead of HTTP? Is HTTPS enough for security? Is HTTPS compulsory for website? ” These are some of the question that may appear in your mind.
No matter, whatever the site you own and use. HTTPS is a good scheme that helps preventing your site from being hacked by intruders. Nowadays, data breach is an increasing factor and a matter of concern for every website owner, be you a small entity or a large organisation, it’s equal for all so far as security is concerned. Website using HTTPS maintains data integrity. When some visitors visit your site from their device, the participating browser and the server check each one’s identity before passing information to each other. Here, on what I want to put emphasis is the integrity of the website which is maintained owing to runnig HTTPS and conversation remains confined between the duo—–the web sever and the browser.
During transmission data passes being encrypted, so none can decode it. Thus neither hacker nor manipulator can abuse it so long as it stays in transit. Thus it prevents man-in- the middle attack and maintains data integrity.
Nowadays, online transaction is on the increase. while the visitors browsing over your site, try to purchase a product, find out a service or do anything else, felt obliged to register to login successfully. Here if they feel lack of security, may leave your site forthwith, as everyone is aware that how rapidly is increasing online identity theft and cybercrime. But if your site is HTTPS enabled, it will show a padlock or a green padlock icon—– a sign of security and trust as indicated as follows.
Here, on the screenshot picture you can see the padlock icon indicated by browsers while visiting the site ‘www.blowwager.com’. The green padlock is shown by the Firefox. In the upper left corner of the picture sheet it has been indicated by a red-coloured arrow. It also says that the connection is secure. In the lower part of the picture, the black-coloured padlock has been displayed by another browser, the Google Chrome. Here it has been pointed out by a blue-coloured arrow for the convenience of visitors. Go down further and you can notice that the connection between the server and the browser is secure. It also shows HTTPS at the beginning of the url. You, too, can check whether the connection is secure or not. To do that just click on the padlock icon on your browser and it will open a new section like the upper part and lower part of the above picture. Besides, by clicking on the three dot(…), too, as shown on the right end of the address bar of the browser,the Google Chrome, you can check whether the site you are going to visit is secure or not.
A survey report says about 97% online customers prefer to put sensitive information like creditcard details only in those sites which run HTTPS, while the rest, i.e., only 3% people use the websites even not equipped with it.
On the other hand, the major browsers like Chrome and Firefox flagg Non-HTTPS sites as insecure! It may decrease your site’s ranking a bit in SERPs. So, from this aspect we can say HTTPS not only revamps your site’s performance but also maintains privacy and security of user’s information.
With the launch of Google Chrome(68), HTTPS has been a ranking factor in search engine like Google. Now any site not using HTTPS is flagged as insecure. Browsers like Chrome and Firefox give warning to visitors to come back to safety. Because, http uses no encryption. Here, data transfer takes place in plain human readable text. The TCP can be disrupted or modified. Any attacker can hack it in the transit before going to the destination. That’s why http sites are vulnerable to online intruders. But unlike http, HTTPS uses public cryptography consisting of private key and public key to encrypt and decrypt information between the participating client and the server. That said, it saves customers from being hacked by eavesdroppers. Furthermore,it reduces loading time of webpages on browsers. So, this protocol boosts site’s speed and loading time, though not too much, but a bit.
Any conscious customer while going to put information on a site not equipped with security setup, will feel scared and leave it away in no time. As there is risk of data breach and fraud, you will lose potential customers, too. So, I can assure you, ” HTTPS is essential from thee perspective, such as it saves website’s integrity, gives the customers privacy and protection of their personal information entered therein and allows for data transmission in encrypted form through identity check-up before being reached to the desired server and the browser with the help of private and public key .”
How Does HTTPS Work?
HTTPS keeps your data in encrypted form untill it reaches the client or the browser from the web server. Neither your ISP, a hacker, a government agency nor any cybercriminal or eavesdropper can decode your stuff so long as it remains in transit. As a curious reader you can ask me, ” How does HTTPS work? ” Indeed! it’s a good question that desrves due answer. I, too, will discuss it in this article but before going to know the working procedure you should know some related terms with it, such as follows:
- What needed to encrypt data?
- What is cryptography?
- What is private key?
- What is public key?
- What do you mean by asymmetric encryption?
- What’s symmetric encryption?
HTTPS runs on port 443 combined with SSL/TLS. Here data encryption is a significant matter to prevent leakage of information. So, to encrypt data you require three things as follows:
- The required data.
- An encryption key. It’s a unique long string of random texts.
- An algorithmic encryption key, a kind of mathematical function to complete a computing process.
Data and key are placed into the algorithm that works on it and yields an output on the other side. This output is known as cipher text that looks gibberish, making no sense. Now, none can decrypt this encoded cipher text except reversing the process using the same key to restore original value as was before.
That’s why private key and public key must be conceived that are discussed in cryptography. Fore more clarification, cryptography is a science that deals with data secret. It’s developed with the intention of keeping specific data secret and in encrypted form so that none can modify this.
Private key: The private key is used to encrypt and decrypt data or sensitive information. This key is shared between the sender and the receiver of sensitive data. As the key used by both the parties involved, hence it’s called symmetric. It’s faster than public key. So, private key is a must to decrypt cipher text into readable and meaningful text.
Public key: In public key, two keys are used, one is to encrypt and the other is to decrypt. The key is shared between the sender and the receiver of sensitive data. It is related with asymmetric cryptography because it facilitates oneway data flow. In comparision with private key, it’s slower in speed. Public key converts plain texts into cipher text that’s again decrypted by private key to read as plain original texts.
Symmetric Encryption: In symmetric encryption, the same key is used by both the participants. The same key encrypts and decrypts data. Here data flows towards both the sender and the receiver. In home WiFi we use the same key for authentication. It’s a kind of symmetric encryption.
Asymmetric Encryption: In asymmetric encryption two different keys are used. One encrypts and the other decrypts. In public cryptography, this type of encryption used to keep data secure on both end. All the SSL/TLS work on this from web server.
So far, I have defined some key terms used in depicting working method of HTTPS. Now, let’s know how this protocol works. HTTPS makes information go and come using encryption and decryption keys but before this happening it follows some step by step process that runs between the browser and the server. Whatever work you do over internet, you use a browser installed on a device like pc, android or laptop. Here the browser sends this as request to the server. But before approaching the server, the browser starts handshake process by sending ” Client Hello ” to it. This message is the part of TLS/SSL handshake. It contains the set of algorithm( known as cipher suites) to make HTTPS connection. Correspondingly, the server responds by sending the ” Server Hello ” message to confirm whether the browse can support the cipher and the required TLS version.If it is enabled to support the TLS, the process goes on to the next step, otherwise, the browser displays an error message indicating ” Weak Signature Algorithm “.
On the next step, the browser verifies the SSL Certificate as to whether it belongs to the actual owner of the website. So, to speak broadly, it verifies and ensures the domain name, host name, IP address, date of issue and expiry of the certificate etc. Besides, it also ensures concerning whether it can support the cipher or not.
On the following step, the browser checks whether the SSL/TLS Certficate is issued and signed by a competent third party CA supported by the browser forum. Because every organisation or agency can’t issue SSL. To become a trusted CA it should abide by some indispensible rules and norms. So, to check the competency of the issuing authority, i.e., CA, the browser uses its pre-installed root store. If the signature proved valid, the handshake process becomes complete and it follows the next turn. On the other hand, if not, the browser displays a message indicating “INVALID AUTHORITY “.
On the contrary, if you use a self-signed certificate, the browser will not trust it and it will show a message pointing out ” SELF-SIGNED CERT “ .
Till now you have noticed that in order to establish a secure SSL connection between the server and the browser Hello Exchange has taken place that is followed by SSL verification and Digital Signature authentication. Now the process will move to the Key Exchange between the two involved participants for further workflow with encryption. To make this happen:
- The server sends a public key while keeps the private key a secret.
- The browser generates a third key called, the session key.This session key is encrypted by your computer with the previous public which you got from the server.
- Then, the encrypted session key is shared with the server.
- Now the both end having got the session key , public encryption gets terminated and it is substituted with symmetric encryption.
- So far, all the required steps have been processed with success. So, data can flow between the server and the browser over HTTPS. Neither Man-in-the Middle Attackers nor hackers can steal or modify your data. This secure connection remains until you leave the website.
How HTTPS Works
Is HTTPS Essential?
Whether HTTPS is essential or not is a good question that most website owners ask. Indeed! that is a good question, I, too, say. Nowadays data breach is an increasing factor on the web that needs advanced way of protection so as to prevent all means of theft and hacking. Even Google, too, has taken into account this concern as a matter that draws urgent attention. Data theft and lack of security affected e-commerce and online business tremendously. That’s why in October 2017, the IT giant like Google started issuing “Not Secure ‘ warning to browsers visiting websites having no HTTPS. It issued such kind of warning for the lack of security so that customers could become aware of fraud.
Similarly in July 2018, Google Chrome started to display “Not Secure “ and “Go Back To Safety ” to the visitors while visiting sites not run on HTTPS. Here if you want to lead more traffic and sale, then the site must be trusted to the customers. If, it done, you will gain more trust as well as traffic who may turn into potential customers. They will not feel any sense of distrust. So, Google announced HTTPS to be ranking factor in August, 2014. From these discussions, we can say, HTTPS is an essential factor that is to be dealt with utmost care if you want to have success in online business, lead generation as well as customer’s satisfaction.
Statistics on HTTPS
The HTTPS statistics given below provides you in details the growth rate and total growth since Jan5, 2014 till 4th Oct, 2020. I have collected data from authentic sources and analyzed the data as follows.
The above chart shows HTTPS traffic was merely 50% on Jan4,2014, and that stood at 65% at the end of December, 2014 making a growth of 30.50% per year. That’s indeed a rapid growth in comparison with other coming years that the chart itself shows. Similarly, the growth amounted to 78% at the end of December, 2015, accruing an annual growth rate of 20.39% . From Jan to December25, 2016,, the growth rate stood at 8.27% and reached to 85% at year end. During the period of January to December, 2017, it recorded a growth of 7.05% per year and stopped at 91% . During this session the traffic on this security protocol increased but comparatively slower than the last year. 2.19% annual growth took place during 2018, from January to December. During 2019 no growth took place in respect of initial and end point of the chart, though the growth record reached to 94% from 93% during the last end of May till the mid of December. Till october 4, 2020, it reached to 95% from 93% and made an average annual growth record of 1.30% since Jan 1, 2019 till Octo 4, 2020 . You can see maximum growth took place during 2014. Since 2014, onwards until October 2020,HTTPS traffic growth increased but the annual rate of growth per year decreased.
According to Let’s Encrypt, a non-profit organisation, there are nearly about 140 million active installed certificates on websites run on HTTPS though it was merely below 50 millions in 2016. As of October 2020, about 92% web pages loaded by Firefox in USA use HTTPS and it stood at 57% for Japan and all over the world it is about 83.59%. But in November 2016 this figure merely amounted to 57% for US, 23% for Japan and for all users it stood at about 48.55%.
