Why is the world migration to HTTPS and not just for Security
Every time Google introduces a new preference, the internet takes/ is forced to note. Something similar happened when Google announced that websites with SSL Certificate / HTTPS will be preferred in search engine results. I will try to cover the fundamentals of web protocols — specifically HTTP and HTTPS.
Before we dive deeper into understanding about HTTP and HTTPS, let’s try to understand the meaning of the word protocol
A Protocol is a set of rules that we use for specific purposes. In the current scenario, when we are talking about protocols, it is about communication- the way we talk to each other. For instance, a newsreader speaks in English and because you understand English, you are able to understand. English is the protocol. The moment the newsreader starts speaking in a language that you don’t understand, the protocol beats it’s purpose. Thus, we need both the parties to agree to a set of rules for the communication to take place. The protocol in this case is for communication.
Now, talking about the web in particular, multiple protocols are used to communicate. Primarily for end users the most important and visible protocols are HTTP and HTTPS. Though, there are many other protocols as well, but HTTP and HTTPS cater to most of the population.
Now, What does HTTP mean ?
HTTP is hypertext transfer protocol. Simply put — Rules to sending and receiving text based messages. As we all know, computers work in a language of 1’s and 0’s i.e. Binary language. Therefore, potentially every set of 1’s and 0’s construct something, it could be a word.
Let’s say I want to write ‘a’. Now, if 0 stands for ‘a’, 1 stands for ‘b’, and 01 stands for ‘c’, I can infer that a combination of 0’s and 1’s can construct a word as well. In this case, the text is already constructed and is being sent on the wire. The computer works on many languages — pure binary, text and some other formats like byte codes. Here, what is being transferred is text. I am emphasising on ‘text’ because this text is interpreted by the browser and the moment browser interprets it, it becomes hypertext, and the protocol that transfers the text is referred to as hypertext transfer protocol — HTTP.
Using HTTP, you can definitely transfer images, text, sound, and even videos.
So, why HTTPS? HTTP seems to suffice.
We agreed upon the fact that what is being transferred from one point to another is text. To understand why HTTPS, we first should know how wi-fi routers function. Let’s say you are at an airport and you are connecting to the wi-fi which is the property of a third party. Now, when you are communicating over HTTP, the text is being transferred by their router. And if I go to a low version of the router, I can comfortably check and read the text that is being transferred. There could be a password that I can use to login to your bank site and do a fraudulent transaction!. Point being — this is fundamentally insecure. This is called man in the middle attack.
Now, to save our data from such attacks, we need to encrypt that data.
Encryption and Encryption Levels
Encryption, is simple terms is a hiding information. There are various ways to do so. You must have heard these terms — 128 bit encrypt HTTPS and 64 bit encrypt HTTPS. 128 bit encrypt is a high encryption technique and it’s very difficult to decrypt (decode). In case of HTTPS when the data is being transferred on the wires, the man in the middle may will still know what is being transferred, but can not make sense out of it as the data is encrypted. Only the browser will decrypt it and show it, and the server will decrypt it and use it for transactions.
For the curious one’s — There also happens to be a movie on encryption, Imitation Games. The entire plot of the movie was based on decrypting the German codes, which were to reform the entire course of the war.
What happens when a request for a website url is made which is on HTTP protocol?
As the first step, it is the job of HTTP to find out the server and once the communication route is established, the server sends a text to the browser. This text could either be in it’s pure form or encrypted form, which is then rendered by the browser or used for whatever purpose it has to be used.
As there should be measurement of this difficulty quotient, we interpret that, higher the number of bits, more difficult it is to decrypt. However, it only increases the level of complexity making it very difficult to decrypt, but not impossible.
Deciding between HTTP and HTTPS
Anything and everything is personal. If you are searching for “How to install SSL Certificate”, that search would be private to you, isn’t it ? Whether you are browsing or looking for a product, reading an article, you generally do not want others to know about it. As an end user, I would want to keep it as private. There are things I might not want to keep private and for those I can use HTTP. However, for personal information, banks and transnational information, HTTPS has become a standard.
HTTPS sounds great. What else should you know about it ?
There is no denying to the fact that privacy has a cost to it. There are a couple of cons-
- HTTPS requests takes more time to process.
- Because it needs more time to process, it needs more hardware — the server that you are utilizing. This also means additional cost
Whereas, for HTTP you use lesser energy as compared to HTTPS as the communication happens faster (without encryption and decryption) . However, I will not refer to it as a limitation for HTTPS. It is highly subjective and personally I consider it a very low cost that we pay to ensure our privacy.
The idea of building a secure web has been around for a while. Building a Secure web as an agenda is being driven by likes of Google, Facebook, Akamai and so forth as I had mentioned this is primarily because of the following two reasons –
- User Data and User Privacy : Using HTTPS ensures that you as a developer care value user data, user’s privacy and its security.
- Protecting Your Data: As a developer, we would never want to give away our critical data to malicious participants
What is at stake/What will you lose if you don’t move to HTTPS ?
Here are some of the features which are now only available on HTTPS.
- GeoLocation: You can no longer seek user’s location if you are on HTTP
- Web Push Notification: Push Notifications are only avaiable on HTTPS.
- GetUserMedia: You can no longer trigger permissions of using user’s camera/ microphone if you are on HTTP
- HTTP/2: All major browsers, support HTTP/2 for HTTPS now.
Soon to be removed:
- AppCache: A feature that allows developers to cache content in the browser and make it available for offline viewing, will soon only be restricted to HTTPS sites.
- Encrypted Media Extensions: Ability to manage playback of protected content
Some Frequently Asked Questions
What is the “Cost” for migrating website with X user traction from HTTP to HTTPS?
It is a typical question, but I am afraid there is no answer to this. The cost will depend on nothing but the amount of data you are transferring. There are a lot of variables that will influence the cost, not just the user traction,. Here if we are talking about banking data, you need to bear the cost, however significant or insignificant it might be.
The entire cost calculation itself is very subjective and I don’t really have a number for this.
Does being on HTTPS impact the load time of your website?
Yes, it does absolutely! This is no more a problem given that you can optimize it efficiently
Why do web push notifications need SSL?
Yes, web push notifications have been there for a while and can only work on websites that are on HTTPS protocol. Before we answer that question, let us understand how this really functions
The reason for the web push notifications to work only on the HTTPS protocol is — the data that being pushed and received is a private data. To ensure the privacy, it is supported only on HTTPS. Notifications are fundamentally personal to users. We definitely want this communication to be secure. In this specific case, the server is able to ping the browser.
When the book of the protocols was written, it was mentioned that HTTP is a Connection-Less-Protocol. It means that the server sitting in the data center can not do anything until the browser raises/makes a request. And once the response is given, the browser will decide if it wants to do something about it or not. It is entirely the browser’s decision, the server can not command the browser to take actions. The idea of a random server controlling your browser or your screen / machine is scary. It is to prevent this possibility, HTTP is and continues to be a Connection-Less-Protocol.
Popular Misconceptions or Myths
- My website is not transactional in nature. Why do I need to be on HTTPS ?
- SSL Certificates are expensive
- Migrating to HTTPS from HTTP will impact website performance drastically
- Impact on other 3rd parties.
Watch this video from the Progressive Web App Summit to bust all these misconceptions
More about Web Push Notifications
Interestingly, in case of web push notifications, actually the server is pushing data to the browser. But it is saved in a manner that the server is only sending a blip to the browser intimating that there is a notification waiting for you — that’s it. Here is a step by step process of what actually happens –
- Server sends a blip to the browser
- Then the protocol kicks in, asking for data. This data could be very personalised. I might be sending you message — ‘You have transacted XX amount’.
- Notification is fetched by the service worker and displayed to the end user.
If I have to decide the protocol today, which has the potential to be extremely personalized (as notifications are personalized), I would definitely like to make it secure.
Can Web Push work on HTTP? Of course.
Should it work on HTTP? Strict No No.
Some Handy Resources and Guides
Originally published at blog.izooto.com on July 6, 2016.