HTTPS stands for Hypertext Transfer Protocol Secure, with 'Secure' being the keyword we want to focus on in this article. HTTP was the predecessor of HTTPS, and does not have the required security features for modern websites.
HTTP and HTTPS serve the same function; they are both the way in which data is sent and received from your web browser to a website. For example, when you fill out a contact form on a website and hit send, HTTP/HTTPS is the method used to transfer the information from your browser to the website so that a business owner can view your message.
HTTPS will take data and encrypt it before transferring it to the intended website and only the website you have sent the data to will have the ability to decrypt the data. Because of this encryption, if anyone was to try and intercept the data in transit, they would only be able to see an unintelligible string of letters and numbers.
So, if you were to enter your name and phone number into a contact form, HTTPS will encrypt this data so that it cannot be intercepted by a third party. Whereas HTTP will send your name and phone number in their original form to the website, which leaves your information vulnerable to attack.
HTTPS is the norm for all websites across the internet, and there are three main reason why it is so important:
HTTPS is now the expected standard for all websites on the internet because of its security. All modern browsers will detect if a website is using HTTPS and display the padlock on the URL bar. If a website does not use HTTPS, a notification will display on the URL bar saying “Not Secure” to warn users. On browsers such as Chrome, the website can be blocked and content not shown at all because of security concerns.
So much of our lives now takes place on the internet, from bank details to health information, we share a lot of information online and expect that only the intended recipient can access this information. Without HTTPS the information we share could get into the wrong hands and cause real world damage.
As well as ensuring the data we send is secure, it is also important that we can trust the data we are receiving. HTTPS ensures that we are viewing the authentic website. Without this secure protocol it is possible for third parties to conduct Man In The Middle (MITM) attacks. This can take the form of a fake website or an intrusive pop-up not created by the original website.
In the HTTPS protocol, we build upon the existing HTTP connection by adding a secure encryption layer to the request called Transport Layer Security (TLS). You may have heard of this being called SSL/TLS. Secure Socket Layer, or SSL, is the predecessor to TLS.
Broadly, this process can be broken down into 5 steps:
In AWS hosted architectures, we use the AWS Certificate Manager service to provision and manage our TLS certificates. This enables us to fully automate the HTTPS/TLS process and reduces any manual overhead for ongoing maintenance.
On other hosting providers such as Google Cloud & Vercel, the implementation details will differ. Get in touch if you’d like to discuss implementation details for your specific project.