You may have noticed for some time that, in the address bar of your browser, at the beginning of the URL and accompanied by the drawing of a padlock, the acronym HTTPS appears when you enter the websites you visit daily.
This simply indicates that the page is served over an encrypted, secure connection, which makes it more difficult for someone to intercept.
Many of the most popular websites already incorporate it. Facebook, Google, YouTube or Twitter are just some examples that everyone knows. However, considering that Google is about to declare the Internet insecure via Chrome, it is worth stopping to think about what HTTPS is, how to make a website secure, how to convert HTTP to HTTPS, and what it means not to use it.
Before you begin to assess the possible implications, it is worth remembering exactly what HTTPS is. It is an encrypted extension of the traditional HTTP protocol. To perform this encryption, each HTTP connection is sent over an SSL or TLS layer.
The objective of enabling HTTPS answers two questions: firstly, certify that the website visited is legitimate, and secondly that the integrity and privacy of the connection data are maintained. By having these two aspects covered, you get protection against man-in-the-middle attacks.
Additionally, it offers two-way encryption for communications between servers and clients, which protects against espionage and manipulation of communication contents. Resolving WordPress HTTPS mixed content also deserves careful consideration.
In practice, it serves as a reasonable guarantee that we are communicating with the website we want and not with an impostor, which also protects against phishing attacks, such as the one that occurred in the National Democratic Committee before the last presidential elections in the USA.
Historically, HTTPS connections have been used primarily for economic transactions, e-mail, and to provide greater security for corporate communication systems. In the late 2000s and early 2010s, its use began to become widespread to protect all types of websites.
For your website to make HTTPS connections, enabling an SSL or TLS certificate on your web server is essential. There are two types of HTTPS certificates:
As you have read above, the HTTPS protocol makes its connections under SSL encryption. SSL stands for Secure Sockets Layer, a security protocol with which the information travels encrypted and secure between two sockets or ports, in this case between those of the web server and our browser.
To be able to use this encryption in the connections of our portals, the hosting server that we have hired must support an SSL certificate for WordPress.
A valid SSL certificate for WordPress implements a model based on digital keys to securely check the connection.
For this, our web server will host two keys for encryption, a private key and a public key, which will act as a key and lock between connections. The public key is accessible to anyone and is used to encrypt the information, while the private key is accessible only by the server and is used to decrypt.
The certificate itself is a kind of "official signature" that ensures that the server that issues it is secure, that it is the owner of the domain and that it is using secure SSL connections. To be "official", it must be signed by a certifying authority (CA), or a trusted third party.
Browsers and operating systems ask the certificate authorities for the public keys of the certified domains and store them. With them, they are able to verify the signatures and validate them, detecting if the web we access is authentic or there is an impersonation.
Furthermore, an SSL insecure content fixer plugin can be used, but it is still recommended that you opt for a professional WordPress hosting and maintenance service to counter these issues.
TLS, or the Transport Layer Security protocol, is another class of certificates that is the second generation of the SSL certificate. TLS allows secure exchange through applications such as HTTP, POP3, IMAP, SSH, SMTP or NNTP, adding two more protocols to the SSH protocols: one for authentication (called TLS Record Protocol) and another called mutual agreement protocol (also known as TLS Handshake Protocol).
With them, a secure, encrypted and unique channel is created between the sender and the receiver, in which the cryptography that will be used in the communication is also negotiated.
It is common to see this type of connection on the pages of banks or online stores, but Internet users' concern about losing their privacy, having their documents or information stolen, or even being impersonated grows every day.
As mentioned above, in all encryption processes a key is needed first to encrypt the information and, secondly, to make it readable again. In the case of HTTPS, it has to be unique for each session, and it must be generated without anyone else having the possibility to know it.
For this, a technique known as asymmetric encryption is used, which uses a system based on two keys: one public and one private. These keys are a pair of numbers related in a somewhat special way, so that a message encrypted with one key can only be decrypted with its corresponding pair.
In other words: if we want to enter our Gmail inbox, the outgoing connection of our PC is encrypted with the public key. When that connection reaches the Google server, it is decrypted using the private key.
However, before the connection request reaches its destination, the browser encrypts a pre-key generated at the moment with the public key of the server to which we want to connect. That is sent to the server, which decrypts the pre-key with its private key. Both the server and the browser will apply a certain algorithm to the key and obtain the same encryption key.
From this moment, once the key exchange is complete, the client and server encrypt and decrypt the data with it. As nobody else knows it, communications are, in theory, safe. This is what makes HTTPS important: thanks to it, our communications with websites stay between them and us.
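The exchange described above, shown as an added example that is not part of the original article. It assumes a toy RSA key pair built from two constructed primes in place of the server's certificate key, and HMAC-SHA256 as a stand-in for the "certain algorithm" both sides apply; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair for the server, built from two known Mersenne
# primes. Unpadded and far too small for real use; it only shows the mechanics.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key (what the certificate carries)
D = pow(E, -1, (P - 1) * (Q - 1))    # private key (never leaves the server)


def client_make_prekey():
    """Browser: generate a fresh pre-key and encrypt it with the public key."""
    prekey = secrets.token_bytes(16)
    return prekey, pow(int.from_bytes(prekey, "big"), E, N)


def server_recover_prekey(ciphertext):
    """Server: only the private exponent D reverses the encryption."""
    return pow(ciphertext, D, N).to_bytes(16, "big")


def derive_session_key(prekey, client_random, server_random):
    """Both sides apply the same algorithm to the pre-key and public nonces."""
    label = b"session key" + client_random + server_random
    return hmac.new(prekey, label, hashlib.sha256).digest()


def run_handshake():
    """One session: returns the key each side derived and what crossed the wire."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    prekey, ciphertext = client_make_prekey()
    wire = {"client_random": client_random, "server_random": server_random,
            "encrypted_prekey": ciphertext}   # all an eavesdropper observes
    client_key = derive_session_key(prekey, client_random, server_random)
    server_key = derive_session_key(server_recover_prekey(wire["encrypted_prekey"]),
                                    client_random, server_random)
    return client_key, server_key, wire


if __name__ == "__main__":
    client_key, server_key, wire = run_handshake()
    print("keys match:", client_key == server_key)
    print("session key:", client_key.hex())
```

This is the RSA key transport used by older TLS versions; TLS 1.3 replaces it with an ephemeral Diffie-Hellman exchange, so that a later leak of the server's private key does not expose recorded sessions.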
On the Google developers blog, they place special emphasis on the fact that
The use of HTTPS prevents espionage by intruders. Intruders range from malicious actors to legitimate companies that are considered invasive. This last category would include, for example, Internet service providers or ISPs.
Intruders exploit unprotected communications to deceive users into giving up sensitive information or installing malware, as well as to insert unwanted or non-legitimate advertising into useful resources. Google gives the example of third parties that insert advertising on websites, which can ruin the user experience and create vulnerabilities in user security.
Intruders can also take advantage of unprotected resources that move between websites and users. These resources can be images, cookies, scripts, HTML code, and so on. Intrusions can happen at any point in the network: a home machine, a Wi-Fi access point or an infected ISP, for example.
A widespread misconception is that HTTPS is only necessary on websites that handle confidential communications and information. Each unencrypted HTTP request can reveal information about user behaviors and identities.
Most hosting providers do provide a free SSL certificate for 1 year, but with The WP Help you can get an SSL certificate free, forever! With this free SSL certificate for WordPress you can ensure a secure browsing experience and overall safety for your website.
According to Statoperator, currently "only" 116,675 of the most popular websites use HTTPS by default. From what we can see, implementation of the secure protocol is on the rise, so we can speculate that in the future the most promising websites will implement this encrypted communication system.
An article published some time ago by Wired stated that 79 of the 100 main websites use the HTTPS protocol. Of those 79, 67 use outdated encryption technologies. Among the names on that list, we can find ones as important as the New York Times or IMDB.
This raises a point of huge importance: domestic Internet users also need to stay on the HTTPS protocol. In fact, most web browsers are configured by default to load web pages over HTTPS.
Many network giants, including Google, have declared that HTTPS is the future of the Internet. Given that security and privacy are always a hot topic and that we are increasingly aware of the importance of good encryption, it is not surprising that these companies lead this cause.