Learn about HTTP, HTTPS, SSL, and TLS and why it matters for your WordPress site. Increase your understanding of web security to protect private data and your WordPress site.
What is HTTP?
When any two systems communicate, they need to have rules they both understand and follow so they can communicate back and forth. Much like sending paper letters back and forth using a mail service, computer systems talk to each other by sending electronic messages back and forth across networks. When sending a package to a friend—as long as you follow the rules—you trust that the package will get to the right person at the specified place. The “protocol” or rules for mailing a package to a friend might look something like this:
- Put your gift in a box
- Pay postage in the form of stamps on the box
- Make sure to include a name and address on the box so the delivery service knows where to deliver it
- Put the box in a mailbox where it will be picked up for delivery
Hypertext Transfer Protocol, commonly referred to simply as HTTP, is the protocol used by many computer systems to "talk" to each other. Importantly, it is what your browser uses to communicate with the servers that host the websites you visit. As essential as it is, however, it does have a weakness: security.
Even if you followed the correct mailing protocol to send your package to a friend, you might worry about a shady neighbor shuffling through your mail. Similarly, when data is being transmitted through a large network (such as the internet), it can be problematic if the data being sent is sensitive.
Since HTTP messages are sent in plain text, any system that can observe traffic on the same network can read them, so there is a risk that messages will be read by others.
Thus, the need for HTTPS.
HTTPS, or HTTP-Secure, is really the same old HTTP that we have been using, but it's encrypted. If HTTP is like using a delivery van to deliver a gift in a cardboard box to a friend, HTTPS is like delivering that gift inside a locked safe in an armored truck. Instead of steel and locks, however, HTTPS uses sophisticated mathematics. What’s more, with HTTPS, only you and your friend have keys to the armored truck.
Just like a delivery service is only concerned with delivery of a package and not what you do with it after it arrives, neither HTTP nor HTTPS affects the data before it is sent or after it arrives. They are simply a means of delivery. So, while HTTPS is great for sending and receiving data, it doesn’t encrypt data stored in a browser or on a website’s server.
What is the difference between HTTPS, SSL, and TLS?
Remember earlier when we defined HTTPS as HTTP-Secure? This is because the “package to a friend” is still delivered using HTTP either way. It’s just how you package it that is different. The difference is that with HTTP your package is transported in a cardboard box via delivery van, and with HTTPS your package is placed in a locked safe inside an armored truck for its journey.
Think of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) as the protocol for the encryption, or the “strength” of the safe and the armored truck you mail your package in. To summarize:
- HTTP: Like packing your gift in a cardboard box and transporting it in a delivery van
- SSL/TLS: A mathematical box safe and an armored truck
- HTTPS: Delivering the same gift, but in an SSL truck and safe
From a more technical standpoint, SSL is an older method for handling encrypted traffic. It is no longer considered safe for secure data transmission. We now use TLS, a more advanced method.
Despite the fact that they are different, the term SSL is often used (knowingly or not) when referring to TLS. Generally speaking, whether you see SSL, TLS, or HTTPS, they reference the same thing: encrypting data for transmission with TLS.
If I’m not transmitting sensitive data, why does HTTPS matter?
During its first twenty years, adoption of HTTPS was slow. It was only used when necessary because it involved additional costs and technical understanding to implement. Two independent sources show that HTTPS adoption doubled between August of 2015 and July 2016.
There are several things that have contributed to increased adoption recently.
Google Search will rank for HTTPS
First, Google announced in 2014 that its search algorithm would begin to take into account whether a site was using HTTPS in its ranking results. This provided an incentive for sites to use HTTPS for the potential search rank boost, even if they weren't necessarily dealing with particularly sensitive data.
Cost for TLS has gone down
Second, lower-cost or even free certificates have become available. In order for HTTPS to work, a cryptographic certificate must be issued (signed) by a trusted certificate authority, installed on the server, and regularly renewed (usually once a year, but sometimes with longer terms). These digital certificates cost money, which is often a deterrent for sites that aren’t generating much, if any, direct revenue.
Let's Encrypt was created as a solution to this problem and provides free certificates. This has lowered the cost to maintain a site on HTTPS by removing what can be the biggest cost involved.
Many CDNs (Content Delivery Networks) include TLS automatically, as do many hosting providers, such as WordPress.com.
The Network and Social Effect
Third, there is a combined network and social effect. Site owners are influenced by their competitors’ adoptions of HTTPS. Site owners are also influenced by their visitors' preferences. Web users are learning that HTTPS sites are more secure, therefore more worthy of their trust. Site owners are taking this into account when looking to generate credibility.
Google Chrome will penalize HTTP sites beginning January 2017
Finally, beginning January 2017, Google’s Chrome browser will start to explicitly label HTTP sites as “not secure.” Data containing email addresses, passwords and credit card information is all considered sensitive. If your site collects sensitive information, even just from a login form, you will want to have HTTPS enabled to avoid being explicitly labeled as "not secure" in users’ browser address bars.
Update: Google has announced that all pages with forms will be getting the NOT SECURE warning starting in October 2017. Learn more about how Chrome is leading the switch to HTTPS for WordPress forms.
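As an added illustration (not code from the original article), the function below applies the two labeling rules described above to a page before it goes live: an HTTP page with password or card fields is flagged under the January 2017 rule, and any HTTP page with a form is flagged under the October 2017 rule. The sample HTML is constructed, and treating `autocomplete="cc-..."` inputs as card fields is an assumption made here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormScanner(HTMLParser):
    """Collects the facts the 'Not secure' rules depend on: whether the page
    has any form, and whether it has password or payment-card inputs."""

    def __init__(self):
        super().__init__()
        self.form_count = 0
        self.has_password = False
        self.has_card_field = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_count += 1
        elif tag == "input":
            if a.get("type") == "password":
                self.has_password = True
            # Assumption: cc-* autocomplete tokens mark credit-card fields.
            if a.get("autocomplete", "").startswith("cc-"):
                self.has_card_field = True


def not_secure_warning(url, html, rollout="2017-10"):
    """Return the reason Chrome would label the page 'Not secure', or None.

    rollout: "2017-01" flags HTTP pages with password/card fields only;
             "2017-10" additionally flags any HTTP page containing a form.
    """
    if urlsplit(url).scheme.lower() == "https":
        return None  # HTTPS pages are never labeled by these rules
    scanner = FormScanner()
    scanner.feed(html)
    if scanner.has_password or scanner.has_card_field:
        return "http page collects passwords or card data"
    if rollout >= "2017-10" and scanner.form_count > 0:
        return "http page contains a form"
    return None


# Constructed sample pages (not real sites).
LOGIN_PAGE = ('<form method="post" action="/wp-login.php">'
              '<input type="text" name="log"><input type="password" name="pwd">'
              '</form>')
CONTACT_PAGE = '<form action="/contact"><input type="email" name="email"></form>'
```

Running `not_secure_warning("http://example.com/contact", CONTACT_PAGE, "2017-01")` returns None, while the same call with `"2017-10"` returns the form warning, which is exactly the change the October update introduced.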
Read part 2: How to switch to HTTPS for secure WordPress forms