A plain English Explanation of secure websites (HTTPS)

So what is with that green lock icon that you see in the address bar of the browser?

The green lock (check in your address bar above) indicates that the site is using a secure channel to send and receive data between your computer and that website. This is done using a technology called Secure Sockets Layer (SSL). When you type in a URL that begins with “https” you are using a secure website.

What that really means is that the data you are sending to and receiving from that particular website are encrypted between you and the server that the website is on.

When something is encrypted it is scrambled so that it can’t be read anymore. So any message when encrypted becomes a string of random (well actually not so random) characters, many of which can’t even be printed!

The main thing with encryption is that a key and a certificate are used to identify, encrypt and decrypt the data. A key is kind of like a password, but usually much longer, and is made up of a long string of letters and numbers. Depending on the type of encryption, the same key (symmetric encryption) or a different key (asymmetric encryption) can be used to decrypt the message to its original form. Certificates, on the other hand, are used to confirm the identity of the site, which is the topic for a whole other blog post!

So why would I need this?

Without it, it is possible for someone to intercept the data, including passwords, credit cards and email addresses, as it travels from your computer to the website’s servers. This is often called a “man in the middle” attack. And since Snowden’s revelation of the US and global surveillance programs we all know that anyone could be listening in.

So if you are:

  • Capturing credit card information?
    • You definitely need it.
  • Logging in using a password?
    • You definitely need it.
  • Capturing any privacy related information such as phone numbers, email addresses and names?
    • You should be using it.
  • Not doing any of the above?
    • Then you can get away without it but

Enable it on the whole site or just the secure bits?

My recommendation is to enable security across the whole site. If it’s worth doing, it’s worth doing properly. Enabling https across the whole site will give visitors the confidence that everything they are doing on your site is secure.

Besides, having only some pages using https is a lot harder to configure on the server than just enabling it across the board!

The downsides to enabling https

Because SSL requires additional computation to encrypt any traffic to your site, there is an impact on server performance. For most small and medium businesses this is not going to be an issue, since the amount of traffic encountered by your site would be small enough that you would not see any noticeable impact.

Also, when a page is loaded securely by the browser, the entire page has to use security. Most webpages load information from a number of servers; this could be images or JavaScript libraries that are hosted on another server. If some of these are not also loaded securely, web browsers can complain about something called mixed mode, and some browsers will even refuse to load the page at all. This can typically happen if you are using WordPress plugins that haven’t been configured correctly.

The Kuter Solutions recommendation

All of the websites that I maintain are set up to only use secure SSL channels. This means if you visit the “http://” address of my site you will automatically be redirected to “https://”. Note that this does add a bit of complexity to the server configuration; however, I feel that it is worth it. Enabling it will depend on a number of factors and is the topic for another day. If you need assistance in reviewing your website and enabling SSL then feel free to contact me here.


Alphabet Soup of Secure Websites

HTTP (Hypertext Transfer Protocol): An agreed language that computers use to talk to each other. It’s the main language used when browsing the web.
HTTPS (“HTTP over SSL” or “HTTP Secure”): This means that the browser and server agree on a security language before starting to talk HTTP. After they have agreed, all web pages are sent using the secure channel.
SSL/TLS (Secure Sockets Layer / Transport Layer Security): The technical name for the way computers agree on the secure channel they use to talk to each other. There are many different versions, with each newer version being (hopefully) more secure than the previous.
URL (Uniform Resource Locator): An agreed way of writing how to connect to a specific resource on the internet. Although this is usually used to refer to a webpage using “http” or a secure webpage using “https”, a URL can be used to refer to many different “resources” available via a computer.
Posted in Explanations.
