Google, Twitter, Facebook and many other major websites have moved to securing their information via HTTPS for all traffic. The excuses for not doing so are wearing increasingly thin.
As users of the internet, we all know we should not enter payment details or personal information on pages which are not encrypted using standards like HTTPS or TLS. That green bar at the top of the browser gives us comfort that the traffic we are sending and receiving cannot be intercepted and interpreted by malicious users.
What these larger sites have found, however, is that the line is blurring between what is personal information and what is considered general browsing. Hackers are now using seemingly innocuous data to piece together who we are, what we like and even what our account passwords for important data may be.
For example, many internet users carry one password across multiple accounts. Sometimes, that password is used on websites which do not use HTTPS for the login form. On such a non-HTTPS site, that password can be intercepted and read, then tried against all the other websites the user frequents.
At the same time, hackers are skimming activity from users’ computers to understand the user’s interests, websites visited, and activities undertaken to improve the strength of targeted spoofing attacks. While less frequent (due to their more manual nature), Google has found these attacks are much more damaging when they occur.
Once all traffic is moved to HTTPS, attackers can no longer read the traffic travelling between users’ computers and your website, so there is less chance they can piece together any data about your website’s users.
What’s the cost?
Traditionally, websites have avoided serving pages over HTTPS due to the higher compute cost required and the longer time required to deliver pages served over HTTPS. However, that has now changed.
In order to establish HTTPS communication between a browser and a website’s servers, there are a few more steps in the handshake between those computers. Historically, this has been a costly overhead for the web server serving the website. However, this is no longer the case, and, correctly deployed, an ‘HTTPS everywhere’ solution will not significantly increase server activity.
While HTTPS has previously been shown to slow pages down, newer web delivery protocols such as SPDY mean secure pages can actually be faster than plain old HTTP. Our testing at Squixa has shown material speed improvements for secure pages on SPDY for modern browsers.
Should you move?
Yes, you should; both for the protection of users on your site and for the protection of those same users on other websites. Data gathered about users on your website might not be used against them only on your website; it could enable attacks against that user elsewhere or against other businesses.
If you have HTTPS on your website now, you should move all pages to HTTPS. You will need to make sure all parts of the page are served over HTTPS, or your users will see certificate warnings. If you are using a third-party plugin on your website that does not offer an HTTPS-capable version, it might be time to change providers.
If you don’t use HTTPS on your website, you should buy a 2048-bit SHA-2 TLS certificate and start using HTTPS. There are many providers of certificates, from free to $30. The most expensive ones out there don’t necessarily afford you any more protection. Again, as above, you will need to make sure all traffic on the page from all sources is encrypted to avoid those certificate warnings.
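The two paragraphs above both come down to one check: nothing on an HTTPS page may still be fetched over plain HTTP, or the browser will warn. The scanner below is an added example, not code from the article or from Squixa; it walks a page’s HTML with Python’s standard library, resolves every resource-fetching attribute against the page URL, and reports any that resolve to `http://`. The sample HTML and the `.test` hostnames are constructed for the example.

```python
"""Report sub-resources on an HTTPS page that are still loaded over plain HTTP.

Added example (not the article's or Squixa's code). Assumes only the Python
standard library and that the page HTML is available as a string.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes that make the browser fetch (or post to) another URL.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "link": ("href",),            # stylesheets, icons, preloads
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),          # a form posting to http:// sends the password in clear
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute_url, line) for every http:// reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_names = FETCH_ATTRS.get(tag)
        if not attr_names:
            return
        attrs = dict(attrs)
        for name in attr_names:
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url descriptor, url descriptor, ..."; keep the URLs only
                candidates = [p.split()[0] for p in value.split(",") if p.split()]
            else:
                candidates = [value]
            for cand in candidates:
                # Relative and protocol-relative (//host/x) URLs inherit the
                # page's https scheme, so only absolute http:// references remain.
                absolute = urljoin(self.page_url, cand.strip())
                if urlparse(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute, self.getpos()[0]))


def find_mixed_content(html, page_url):
    """Return the list of insecure references found in `html` served at `page_url`."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two scripts, two images and a login form.
SAMPLE_PAGE_URL = "https://www.example.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/widget.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="https://img.example.test/logo.png">
<img src="http://img.example.test/banner.png">
<form action="http://www.example.test/login" method="post">
  <input type="password" name="pw"></form>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url, line in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"line {line}: <{tag} {attr}> loads {url} over plain HTTP")
```

Run against the constructed page it flags the third-party script, the banner image and the login form action; the relative stylesheet and the protocol-relative script are fine because they inherit the page’s scheme. The scan only sees HTML attributes: `url()` references inside CSS and resources requested by scripts at runtime are not covered, so treat it as a pre-launch sweep and confirm with the browser’s developer console on the deployed page.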
Stewart McGrath is founder and CEO of Squixa.