Using HTTPS on a website has historically been a pain, and therefore reserved only for e-commerce sites. In order to use HTTPS you would first need to purchase certificates, which had a cost associated; then you would need them installed, which your hosting provider would need to support. As a result, adoption of HTTPS for ‘regular websites’ was low. Last week, I took the opportunity to secure this website. The best part was that doing so cost nothing, and it took just 10 minutes! This led to the conclusion – there’s no excuse not to use HTTPS.
What is HTTPS?
When using an unsecured connection, you request a resource from a server. If the server is able to fulfil your request, it responds with the resource. The problem is that the resource can be viewed or tampered with at several locations between leaving the server and arriving at your browser. HTTPS signifies that the HTTP protocol has been secured. This is currently done using TLS, or Transport Layer Security. Without going into technical detail, the advantages of a secure connection are:
- The identity of the server is verified. It is very difficult to impersonate another server;
- Third parties cannot monitor content provided by the server;
- Third parties cannot modify content provided by the server; and
- Data sent to the server cannot be monitored or modified by third parties.
Let’s Encrypt – Making security easy
Part of the reason certificates are costly is that they provide more than electronic security for communications. A certificate is also a statement of trust in the party it identifies. When Amazon issues a certificate for its website, it’s actually doing two things:
- Assuring you that you are dealing with the real Amazon. This stops an attacker redirecting your connection to a clone of the Amazon website.
- Securing your connection “on the wire”. This prevents the interception of password or credit card information in transit.
While the second part is easy, the first part is logistically difficult. Validating that the certificate’s requestor is genuine cannot be done automatically, which adds to the cost. In most cases, though, there is no need to trust the identity of the website itself. Let’s Encrypt, an initiative of the non-profit ISRG (Internet Security Research Group), does exactly this: it only uses domain validation in its system, checking that the requestor controls the domain rather than who they are. Domain validation allows the certificate issuing process to be fully automated and therefore free of charge.
The downside to obtaining a certificate from Let’s Encrypt is that it only lasts for 90 days before expiring, meaning that installing it manually and forgetting about it is not an option.
HTTPS: It’s on your hosting company now
The renewal and installation of certificates will need to be automated due to their short lifespan. Unless you are the administrator of the web server, this responsibility will ultimately fall to your hosting company. This is where I congratulate EvoHosting for the great job they do with my site. A few weeks back, EvoHosting announced they would be supporting HTTPS on their sites using Let’s Encrypt.
All I had to do was raise a support ticket. This took literally two minutes – I spent more time logging into my client area than raising the ticket. The site was HTTPS enabled within 30 minutes. Another two minutes allowed me to set up the HTTP to HTTPS redirect that forces visitors to use the secure connection. Finally, five minutes allowed me to change the WordPress settings to use HTTPS and relink the header image. It really was that simple.
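As an added example (not code from the original post, nor from EvoHosting or Let’s Encrypt), here is a short Python script that checks the two things the setup above delivers and the 90-day lifespan makes worth watching: that plain HTTP redirects to HTTPS on the same host, and how many days remain before the certificate needs renewing. The 30-day renewal window is the common certbot default, not a figure from the post.

```python
import ssl
import sys
import time
import socket
import http.client
from urllib.parse import urlparse

# Let's Encrypt certificates live 90 days; renewing with 30 days left
# (the usual certbot default, assumed here) leaves margin for a failed run.
RENEW_BEFORE_DAYS = 30


def redirect_ok(status, location, host):
    """True if a plain-HTTP response redirects to the same host over HTTPS."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlparse(location)
    return target.scheme == "https" and target.hostname == host


def days_remaining(not_after, now_ts=None):
    """Whole days until a certificate's notAfter (OpenSSL text form) expires."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return int((expires - now_ts) // 86400)


def renewal_due(not_after, now_ts=None):
    """True when the certificate is inside the renewal window or already expired."""
    return days_remaining(not_after, now_ts) < RENEW_BEFORE_DAYS


def check_site(host):
    """Run both checks against a live site (needs network access)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    redirects = redirect_ok(resp.status, resp.getheader("Location"), host)
    conn.close()
    ctx = ssl.create_default_context()  # also verifies the chain and hostname
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return {"redirects_to_https": redirects,
            "days_remaining": days_remaining(not_after),
            "renewal_due": renewal_due(not_after)}


if __name__ == "__main__":
    print(check_site(sys.argv[1]))  # e.g. python check_https.py www.example.com
```

Running it from a cron job and alerting when `renewal_due` turns true catches a hosting provider whose automated renewal has silently stopped, well before visitors see a certificate warning.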
In conclusion, HTTPS makes sense. It protects you as an administrator, and it protects your users’ security. It’s free to get, and easy to set up. It will also help you to get ahead of the curve, since HTTPS is likely to become an SEO ranking factor, and WordPress may in fact require the use of HTTPS. If your web hosting company doesn’t offer this, perhaps it’s time to change?