Many think it is unfair, or that there is no need, to have all websites running on HTTPS. We look at it from a different angle: as Google said, will it really make the internet a better and more secure place?
A few weeks back Google announced that it will use HTTPS (HTTP over TLS) as a ranking signal, thus encouraging every website owner to run the website on HTTPS. Google took this decision in the hope that one day all of us can have a more secure and safer internet. But even though having every website running on HTTPS is all for the common good of the internet, many people questioned Google’s move.
Questioning the Facts: Is HTTPS Necessary for All Websites?
Browsing the internet, you cannot help but notice that a lot of people are complaining about and questioning Google’s decision: why should Google police the internet? Why should static, read-only websites run on HTTPS?
Many think that HTTPS is only used to encrypt the communication between two end points, hence it is not needed when browsing read-only websites; it is only needed when submitting sensitive data over the internet, such as credentials or credit card details.
In reality HTTPS has several purposes other than encryption, and Google’s decision makes a lot of sense if we want a safer and more secure internet, as this article explains.
What is the Use of HTTPS?
HTTPS, or as it is technically known, Hypertext Transfer Protocol over Secure Sockets Layer, serves three main purposes, all of which are listed in this section.
HTTPS is used for Authentication
When browsing a website over a normal HTTP connection it is not possible to verify the owner of a website, hence there is no guarantee that the website really belongs to the company or brand it claims. On the other hand, if a website is running on HTTPS, it is possible to verify the owner of the website from the details in the HTTPS certificate.
When applying for an HTTPS certificate, businesses have to provide official documentation and go through a number of verification checks to prove that the business is legitimate and that they own a specific website and domain, hence making it possible to verify the owner of a website from its HTTPS certificate.
If all websites were to run on HTTPS it would be possible for everyone to verify the website owner, thus protecting internet users from a number of attacks. For example, malicious hackers take advantage of this limitation, and of the fact that users cannot and do not verify the website owner since most websites still run on HTTP. They build phishing websites, i.e. websites that look like a legitimate business website, such as an online banking portal, and trick their victims into visiting them. Once the victims visit the phishing site, thinking that it is a legitimate website, they submit their online banking details, which are then recorded by the phishing website for the attacker to use.
HTTPS is used to Encrypt Communication
When browsing a website over HTTPS the communication between your browser and the website is encrypted; it cannot be read by third parties even if captured, thus ensuring privacy. Encryption should ALWAYS be available, even when browsing read-only / static websites. If the communication is not encrypted, it is possible for a third party to monitor your activity. And by monitoring your activity an attacker can build a wealth of information on what your browsing intentions are, hence making you an easier target.
For example, if the attacker notices that you are looking for something specific, he or she can easily trick you into a phishing attack. For those who are not familiar with the term, a phishing attack is the activity of defrauding an online account holder of financial information by posing as a legitimate company.
Therefore, by encrypting all communication, even when browsing read-only and static websites, you are actually improving your privacy and making it more difficult for attackers to target you.
HTTPS Ensures Data Integrity
When browsing a website over a normal unencrypted HTTP connection your data can be captured by third parties and modified in transit, hence it is not possible to guarantee that the data you received is legitimate. This type of attack could lead to misinformation and make it easier for attackers to craft an attack against you. On the other hand, when browsing a website over an HTTPS connection the communication between the website and the visitor’s web browser is encrypted. Therefore if such data is captured it cannot be tampered with, ensuring data integrity.
Ensuring that the data that reached you has not been tampered with is very important, even when browsing a read-only / static website. For example, if you are following a guide to set up your VPN client, how can you make sure that the guide you are reading was written by the developer and not by a malicious hacker who has written the guide to fool users into connecting to his server? It is only possible to verify that if the website is running on HTTPS.
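To make the VPN guide scenario concrete, the following is an added example, not code from the original article. It is a simplified model of the per-record authentication that TLS performs: a keyed tag over a sequence number and the payload, with the payload left unencrypted so that only the integrity check is visible. The hostnames, the record layout and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a plain HTTP response carrying one line of a VPN setup guide.
GUIDE = b"HTTP/1.1 200 OK\r\n\r\nStep 3: set the server address to vpn.example.com\r\n"
TAG_LEN = 32  # SHA-256 output size


def tamper(data: bytes) -> bytes:
    """Model a change made in transit: one hostname swapped for another."""
    return data.replace(b"vpn.example.com", b"vpn.example.net")


def seal(key: bytes, seq: int, data: bytes) -> bytes:
    """Append a tag computed over the sequence number and the payload."""
    tag = hmac.new(key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
    return data + tag


def open_record(key: bytes, seq: int, record: bytes) -> bytes:
    """Release the payload only if the tag matches; otherwise raise."""
    data, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("record failed integrity check")
    return data


def rejected(key: bytes, seq: int, record: bytes) -> bool:
    """True when the receiver refuses the record."""
    try:
        open_record(key, seq, record)
        return False
    except ValueError:
        return True


def demo() -> dict:
    key = os.urandom(32)  # stands in for a key agreed during the handshake
    record = seal(key, 0, GUIDE)
    return {
        # Plain HTTP: the reader receives altered bytes and has nothing to check them against.
        "plain_http_changed_silently": tamper(GUIDE) != GUIDE,
        "intact_record_accepted": open_record(key, 0, record) == GUIDE,
        "modified_record_rejected": rejected(key, 0, tamper(record)),
        # The sequence number is covered by the tag, so a record presented out of order fails too.
        "reordered_record_rejected": rejected(key, 1, record),
    }


if __name__ == "__main__":
    print(demo())
```

Without the session key, a party that alters the payload cannot produce a matching tag, so the receiver discards the record instead of displaying the altered guide.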
Does HTTPS Make a Better and More Secure Internet?
Yes – if every website runs on HTTPS the internet will be a better, safer and more secure place. There will be fewer attack opportunities for malicious hackers to exploit. By encrypting all communication, internet users can also better protect their own privacy and can verify that the content they are reading is legitimate and that the data has not been tampered with.
So were Google right to enforce HTTPS on every website? Yes they were, although technically speaking they never forced anyone; they are just telling webmasters that if they want to keep ranking well in search engine results they should implement HTTPS. It is all for the common good.