When we are interested in the truly technological aspects of the web, it is often because we encounter a problem.
We do not always pay attention to it, but each time we enter an address in the bar of an internet browser, it is preceded by the letters “HTTP”.
If you are used to consulting your bank’s website or accessing personal data on the internet, you will certainly have noticed that this acronym becomes “HTTPS”.
More than a purely cosmetic addition, the HTTPS protocol aims to reinforce the security of the connection. Concretely, HTTPS lets you be sure that you are connecting to the site shown in the address bar and that you are not being diverted to another site (nor is the information you provide being sent to one).
A site on which the connection is “HTTPS” is therefore a real guarantee of security for visitors, and credibility for the owners and hosts of the site.
Almost all sites now install SSL certificates to encourage secure connections (especially since Google has hinted several times that “https” is a quality signal for its search engine). Fortunately, you do not need to be a virtuoso of web programming to make use of an SSL certificate, or even to set up an HSTS policy.
Why use HTTPS?
The HTTP protocol has long been the established standard for accessing websites. The problem is that, like many early web technologies, HTTP has proven to be less secure than initially thought. Attackers and malware can carry out attacks by deceiving visitors’ browsers.
HTTPS helps hinder such attacks. By offering a site that only works with this protocol, webmasters provide an additional layer of protection.
That said, the question remains of how to force visitors to use only the HTTPS version of the site. A simple redirect can be bypassed by making the browser believe that it has already reached its destination. This technique is often used by attackers and malware: by deceiving users, they can spoof the site’s address and deploy a formidable arsenal of tools and strategies to reach their personal data.
How to impose a security standard on your visitors?
It is therefore not enough to offer a secure connection to your site. You must also ensure that visitors always use it. The most elegant solution is to impose an HSTS (HTTP Strict Transport Security) policy. This is a connection mode that requires every browser accessing the domain to communicate only over HTTPS.
What is an SSL certificate?
The SSL certificate is a kind of digital key that links an organization to an internet domain name. It could be compared, in real life, to a land title or a property right over a plot of land: it is proof that a specific domain name is linked to a given organization. This Secure Sockets Layer certificate indicates to browsers that the site is only accessible via a secure connection.
To identify a site that has a valid SSL certificate, simply look at the address bar. A padlock symbol generally appears, accompanied by the name of the entity to which the certificate belongs, and the address begins with HTTPS.
HSTS – How does it work?
As indicated above, the presence of the certificate is not sufficient in itself to guarantee the full security of visitors. You could think of the certificate as an uncompromising security guard. It is able to thwart 99% of threats, but it will be absolutely useless if there are access routes other than the ones it watches. The role of HSTS, in this analogy, is to force every visitor to get the green light from the security guard.
HSTS makes the browser turn any unsecured request into a request secured by HTTPS. All data exchanged between the web server and the user is then continuously protected by encryption.
You therefore need two things to set up this security measure:
– A valid SSL certificate for your domain name;
– A Strict-Transport-Security header (HSTS header).
The header is installed on your web domain and is sent to the browser when it first connects. It indicates certain information and rules to follow when interacting with the domain in question. In the case of an HSTS header, the rules specify that the browser may no longer access the non-secure (HTTP) version of the site for a certain period of time. This period is typically set to several months, or even several years.
The implementation of HSTS
The rollout of this policy should be gradual. To start, set the HSTS validity period to a few minutes, just long enough to test all of the site’s functionality and to ensure that user sessions and data are handled properly. Then extend the period to a week to identify less obvious bugs. When everything runs smoothly, you can finally set the duration to two years, for example.
It goes without saying that if for some reason you stop using the SSL certificate and the HTTPS version of your site is no longer reachable, HSTS will prevent browsers that visited it in the past from coming back at all. Take care to always have a valid certificate.
HSTS is not a foolproof solution against hacking or data interception. There are still ways to circumvent these security measures, but they are not within reach of just anyone. In addition, implementing HTTPS contributes considerably to your site’s reputation and therefore to its ranking on search engines.
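As an added example (not code from the article), here is a small Python model of both sides of the mechanism described above: the server builds the Strict-Transport-Security header for each rollout stage, a parser validates the header as RFC 6797 requires, and a toy browser store shows that the policy is only recorded over HTTPS, expires after max-age, and is cleared by max-age=0. The stage names and their max-age values are assumptions chosen to match the article’s minutes / week / two years progression.

```python
import re
# Staged rollout from the article (minutes, a week, two years); stage names are constructed.
ROLLOUT_MAX_AGE = {"test": 300, "week": 604800, "final": 63072000}
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*(?:=\s*("[^"]*"|[^\s;"]+))?\s*$')

def build_hsts_header(stage, include_subdomains=False):
    value = "max-age=%d" % ROLLOUT_MAX_AGE[stage]
    return value + "; includeSubDomains" if include_subdomains else value

def parse_hsts_header(value):
    """Parse a header value as in RFC 6797 section 6.1; None if invalid."""
    policy, seen = {"max_age": None, "include_subdomains": False}, set()
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if m is None or m.group(1).lower() in seen:  # malformed or duplicate
            return None
        name, raw = m.group(1).lower(), m.group(2)
        seen.add(name)
        if name == "max-age":
            raw = (raw or "").strip('"')
            if not raw.isdigit():  # max-age needs a non-negative integer
                return None
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unknown directives (e.g. preload) are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None

class BrowserHstsStore:
    """Toy model of a browser's HSTS cache: host -> policy expiry time."""
    def __init__(self):
        self.known = {}

    def note_response(self, host, scheme, hsts_value, now):
        policy = parse_hsts_header(hsts_value) if hsts_value else None
        if scheme != "https" or policy is None:  # only honoured over TLS
            return
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget
            self.known.pop(host, None)
        else:
            self.known[host] = now + policy["max_age"]

    def rewrite_url(self, url, now):
        """Upgrade http:// to https:// while a policy is in force."""
        host = url.split("/")[2].lower()
        if url.startswith("http://") and now < self.known.get(host, 0):
            return "https://" + url[len("http://"):]
        return url
```

The store deliberately ignores a header received over plain HTTP, which is why the HTTP-to-HTTPS redirect and the HTTPS response carrying the header both need to be in place before the policy takes effect.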