
HTTPS, also referred to as HTTP Secure or HTTP over SSL, is a protocol widely used for secure communication over computer networks.

Should I Use HTTPS?

A couple of years ago I would have said no; I mean, why would you need HTTPS that costs a fortune? However, today I have reasons to think it’s necessary to have it, and here’s why.

  • To a certain degree, encrypted connections make up for the inadequacy of the already insecure DNS infrastructure; with HTTP you don’t get the same level of security.
  • When browsers are forced to use HTTPS connections, it slightly raises the security policy, which means fewer opportunities for hackers on the client side regardless of the communication channel.

Let’s take Facebook for example: a few years ago they used to serve their login page over HTTP. A government in the Middle East decided to inject JavaScript into the page to steal users’ passwords straight from the login form. It didn’t matter that the passwords were sent to Facebook via HTTPS; the login page was running on HTTP, which led to accounts being compromised.
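A small check for the failure described above, added here as an example and not code from the original post: it flags a page whose password form is delivered over plain HTTP even when the form itself submits to HTTPS. The function names and the `example.test` URLs are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormScanner(HTMLParser):
    """Records the action of every form holding a password input, plus script URLs."""
    def __init__(self):
        super().__init__()
        self.password_form_actions, self.script_srcs = [], []
        self._action = None          # action of the form currently open, else None
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._has_password = a.get("action") or "", False
        elif tag == "input" and self._action is not None:
            self._has_password |= (a.get("type") or "").lower() == "password"
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.password_form_actions.append(self._action)
            self._action = None

def audit_login_page(page_url, html):
    """Return a list of findings for a page that was fetched from page_url."""
    scanner = LoginFormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for action in scanner.password_form_actions:
        target = urljoin(page_url, action)   # an empty action posts back to the page
        if urlsplit(page_url).scheme != "https":
            findings.append("password form delivered over plain HTTP")
        if urlsplit(target).scheme != "https":
            findings.append(f"password form submits over plain HTTP to {target}")
    for src in scanner.script_srcs:
        full = urljoin(page_url, src)        # resolves relative and //host/ URLs
        if urlsplit(full).scheme != "https":
            findings.append(f"script loaded over plain HTTP: {full}")
    return findings

# Constructed sample: the form posts to HTTPS, as in the case described above.
SAMPLE = '<form action="https://login.example.test/auth"><input type="password" name="p"></form>'
if __name__ == "__main__":
    for url in ("http://www.example.test/login", "https://www.example.test/login"):
        print(url, audit_login_page(url, SAMPLE))
```

The same HTML is reported when fetched over `http://` and passes when fetched over `https://`, because an HTTPS form target does nothing for a page that can be modified in transit.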

  • Authenticity

Personally I would say this is the major benefit of sending data via HTTPS as it tells the end user that the content delivered is from the source and it hasn’t been tampered with in any way.

  • Confidentiality

The webpages you’re viewing and what you’re doing aren’t visible to anyone sniffing network traffic as it’s fully encrypted via HTTPS.

  • Protection

Protection is important when it comes to handling money transfers, as with online banking or e-commerce sites: you definitely don’t want anyone malicious to send another copy of the commands and make the transfer twice.

Google also loves security and would like to establish a secure environment on the internet, so it gives secure HTTPS websites a ranking advantage in its search engine.

Conclusion

When most people think of a secure connection they take all of the above points into consideration, but I would say that authenticity is the most vital. Let’s say I go to quora.com: what I expect is exactly what Quora sent, not anything else. I don’t really care if anyone sees what I’m reading, but I am concerned if there’s a man in the middle feeding me false content and injecting code for an attack.

The real question is: Why isn’t everyone using HTTPS? In short, it’s not the default configuration yet, but we’re slowly getting there.

Some free SSL providers

  1. https://www.cloudflare.com/
  2. https://letsencrypt.org/
  3. https://www.symantec.com/ (30 days free trial)
  4. https://ssl.comodo.com/ (90 days free trial)
  5. https://www.freessl.com/ (30 days free trial)
  6. http://www.cacert.org/