HTTP vs. HTTPS: How SSL/TLS Encryption Works

Team TypeStack
Team TypeStack ...
shareshareshare
share
Table of Content

We've all seen those little padlock symbols next to URLs in our web browsers, but what do they actually mean? In this post, we'll explore the difference between HTTP and HTTPS, and how SSL/TLS encryption works. Where you can get a free SSL certificate and why you might not want to do that. We will also go over how you can find and fix HTTPS related issues on your website.

What is HTTP?

HTTP stands for hypertext transfer protocol, which is basically a method to fetch resources such as HTML documents and images. For example, when you submit a request by entering a URL in your browser's address bar or by submitting a form on a page, a request is sent from your computer to the website's server. And that data will travel through the internet as plain text until it reaches the server where the website is hosted.

The server will then send back a response to that request and your browser will render, or show that data the way it is intended. Everything might seem well and good, but the problem happens when we add hackers to the equation. Because the information is sent as text, attackers are able to intercept and extract potentially sensitive information while it travels to and from web servers. Hackers might steal data like your name, usernames, address, credit card number, and passwords.

That's where HTTPS helps.

What is HTTPS?

HTTPS is basically HTTP but with security features. And you can tell whether a website is using HTTPS by looking for a lock icon in the address bar. Now, when you submit your request via HTTPS, that information is encrypted before it travels across the internet to the web server. So when an attacker intercepts that data, they won't know the details of your request to the web server because the information will be scrambled. And they also won't know the response that the web server sends back because that too is encrypted. 

HTTPS is now the main protocol for transferring data across the web because it protects people's information from being compromised. In fact, HTTPS is so important for keeping web users safe that Google made it a ranking signal in 2014.

And more recently, it's been categorized under their page experience signals which are used for ranking web pages. 

The way HTTPS secures your data is by using one of two cryptographic protocols.

SSL or TLS.

What is SSL?

SSL stands for Secure Sockets Layer. And it helps authenticate the identity of a website so a secure HTTP session can happen between the client and the server.

Here's how it works in a nutshell. When you try to connect to a website that's using SSL, the browser asks the server to identify itself. This process is known as authentication. 

The browser essentially tells the server, "Hey... I'm looking for x.com. I think that's you but I want to be sure. Can you send me some proof?" So the server will be like, "Howdy! Yep, that's me and here's my SSL certificate to prove it."

And when both parties are happy that everything looks legit, they'll do a virtual handshake and agree to send encrypted data to one another.

What is TLS?

TLS is the second cryptographic protocol. TLS stands for Transport Layer Security and it's actually the successor of SSL. It follows the same principles in authentication and encryption and is today's current security standard.

If your website is not using HTTPS, then you'll need to get an SSL or TLS certificate. And while anyone can issue a certificate, only publicly trusted CAs, or certificate authorities, are supported by browsers.

There are three different types of certificates you can get.

The first is a Domain Validation certificate or DV. This is your entry-level TLS certificate and it provides the most basic level of security. You can get one for free at LetsEncrypt.org, just follow their directions to install it.

Alternatively, your web hosting company may already have a user-friendly way to install an SSL with a free service provider like Let's Encrypt. For example, in Siteground's Site tools, you can install a Let's Encrypt SSL for your domain with just a few clicks.

DV certificates are usually fine for most sites, especially if you're running a blog, affiliate site, or a local service provider. Now, if you want to have more security and better identification, then you'll have to look to the other two types of certificates which are organization validation and extended validation – the latter having a more rigorous verification process. You can purchase these through various sites.

How to handle HTTPS issues?

If you started your site on HTTPS, then you shouldn't have anything to worry about.

But chances are, you haven’t started there at all, meaning, there could potentially be pages across your site that are still using unsecure HTTP. In fact, even Amazon, the world's largest Ecommerce site, has an entire subdomain that is still using HTTP.

There are numerous ways to check for HTTPS issues. One quick thing you can do is see if Google knows about any of your unsecure URLs. To do that, go to Google and search for, site:yourdomain.com and then add -inurl:https. If there are no results then you're all good on this front. But if you're seeing results like this, then you'll have to visit each page and add redirects or canonicalize as needed. 

The best way to find all HTTPS related issues is to run a website audit. And you can do that in Ahrefs Site Audit with a paid subscription or free Webmaster Tools account. After you run the crawl, head over to the "All Issues" report and you'll see a complete list of SEO issues we found on your site and the number of affected pages.

Now, if you do a search for HTTP, you'll see this issue, which shows whether you have pages with HTTP or HTTPS related issues. Hit the caret, and you'll get details on the issue and instructions on how to fix them.

To actually see which URLs are affected, just click on the number beside the issue name, and you'll know exactly where these issues occurred. HTTPS is the standard and as more and more people become aware of internet security, you'll need to have this for your website as the bare minimum. 

Now that you know the difference between HTTP and HTTPS, and the importance of it. Make sure your website is secure and you have the necessary certificates.

success