The Hypertext Transfer Protocol Secure (HTTPS) is an extension of the HTTP protocol that uses Transport Layer Security (TLS), and Secure Sockets Layer (SSL) to securely encrypt HTTP traffic. HTTPS URLs start with
https:// and usually use the port 443. More simply put, it’s represented by that little padlock icon in your browser, and it keeps the bad guys out.
Problems with Unencrypted HTTP
Plain unencrypted HTTP, which is found on URLs starting with
http://, is vulnerable to various man-in-the-middle and eavesdropping attacks. This means that someone who can intercept your connections on the network, can both see and modify everything you do on the website. They can also access your session token or even username and password. There are many easy-to-use tools, such as Firesheep and CookieCadger, that make it easy for people without hacking skills to take over user accounts by just being on the same network.
HTTPS to the Rescue
These security problems can be prevented by using HTTPS, which encrypts the HTTP traffic using TLS. TLS is a cryptographic protocol that provides end-to-end communications security for HTTPS with the help of public key infrastructure (PKI). HTTPS also verifies that you own your domain through the use of CA-signed certificates. Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When you choose to activate TLS on your web server you will be prompted to answer several questions about the identity of your website and your company. Next, your web server will create two cryptographic keys - a private key and a public key. Although the makeup of a certificate consists of a private and public key, the certificate itself is sometimes referred to as “the public key.”
There are two types of certificates: a self-signed certificate and a signed certificate (also called CA certificate or trusted certificate). CA-signed certificates are signed by trustworthy certificate authorities (CAs), who verify that you own the domain. That prevents an attacker from being able to create a fake certificate to hijack a connection to your website. It is also possible to self-sign a certificate for testing purposes, but modern browsers do not trust these types of certificates. A certificate makes sure that you really are visiting the website you intended to, and are not being secretly redirected to a phishing site, for example. Another plus is that HTTPS is easy to implement in most modern web servers, such as Apache and Nginx. Services like Let’s Encrypt issue HTTPS certificates for free. HTTPS provides other benefits, including the generation of higher rankings in search results and HTTP2, which drives faster load times (all modern browsers only accept HTTP2 connections over encrypted HTTPS).
Further Securing HTTPS
Using HTTPS provides markedly better security than HTTP does, but additional steps can be taken to make it even more secure. Here are actions you can take to improve the security of HTTPS.
Cookie Secure Flag
When switching to HTTPS, you should use the
secure flag for your cookies. Doing so means that your cookies can only be accessed and modified over an HTTPS connection.
HTTPS Redirect and HSTS
HTTPS won’t protect you if the attacker simply forces all traffic to go over HTTP instead. An effective way to mitigate that threat is to use HTTPS redirects and HTTP Strict Transport Security (HSTS). HTTPS redirects are fairly self-explanatory. Each time you visit an HTTP page, it redirects you to the HTTPS version of it. However, with the right tools, an attacker could still downgrade the connection to HTTP. That’s where HSTS comes in. HSTS is a header you can set on your website that makes the browser remember to only use HTTPS on your website in the future. This way, when an attacker attempts to downgrade the connection to HTTP, your browser remembers that it shouldn’t and will block the attack. An even better method is to submit your website to the HSTS Preload list. That’s a list of HSTS domains included in all modern browsers that makes sure no HTTP downgrade attacks are possible even if you’ve never visited a site before.
While HTTPS is better than nothing, allowing the use of older TLS/SSL ciphers is insecure. When older ciphers are allowed, hackers can perform downgrade attacks to force a browser to use older insecure ciphers. These days, it is recommended to only allow modern cipher suites, such as TLS 1.2 and 1.3. Everything else should be blocked. Tools such as testssl.sh give you a lot of useful information, such as which ciphers are in use.
Since HTTPS certificates are generated by certificate authorities, there isn’t anything stopping them from creating a fake certificate for your domain. This kind of attack has been even used against Google. The solution to this problem is Certificate Transparency - a public log of all certificates issued to a domain. You can check out the CT log for your domain here.
In addition to plain HTTP being highly insecure, it can also lower your website’s performance and negatively impact search engine optimization (SEO). Using HTTPS is a first line of defense, a necessity to prevent attacks against your users. It’s free, and setting it up is easy, however, it’s very important to make sure you configure it properly, to take the extra steps to make it as secure as possible.