What is HTTPS - Why Use a Secure Web Site

Using HTTPS for Storefronts, Ecommerce Web Sites, and More

Online security is a critically important, and yet often underappreciated, aspect of a website's success.

If you're going to run an online store or an Ecommerce web site, you will obviously want to assure customers that the information they give you on that site, including their credit card number, is handled securely. Website security is not just for online stores, however. While Ecommerce sites and any others that deal with sensitive information (credit cards, social security numbers, financial data, etc.) are obvious candidates for secure transmissions, the truth is that ALL websites can benefit from being secured.

To secure a site's transmission (both from the site to visitors and from the visitors back to your web server), that site will need to use HTTPS - or HyperText Transfer Protocol with Secure Sockets Layer, or SSL. HTTPS is a protocol to transfer encrypted data over the Web. When someone sends you data of any kind, sensitive or otherwise, HTTPS keeps that transmission secure.

There are two primary differences between how an HTTPS and an HTTP connection work:

  • HTTPS connects on port 443, while HTTP is on port 80
  • HTTPS encrypts the data sent and received with SSL, while HTTP sends it all as plain text

Most customers of online stores know that they should look for the "https" in the URL and to seek out the lock icon in their browser when they are making a transaction. If your storefront is not using HTTPS, you will lose customers and you will also possibly open yourself and your company up to serious liability should your lack of security compromise someone's private data.

This is why pretty much any online store today is using HTTPS and SSL - but as we have just stated, using a secure website is not only for Ecommerce sites any more.

On today's Web, all sites can benefit from SSL usage. Google actually recommends this for sites today as a way to authenticate that the information on that site is, indeed, coming from that company and is not someone trying to spoof the site somehow.

As such, Google is now rewarding sites that do use SSL, which is yet another reason, on top of improved security, to add this to your website.

Sending Encrypted Data

As mentioned above, HTTP sends the data collected over the Internet in plain text. This means that if you have a form asking for a credit card number, that credit card number can be intercepted by anyone with a packet sniffer. Since there are many free sniffer software tools available, this could be done by anyone at all with very little experience or training. By collecting information over an HTTP (not HTTPS) connection, you are taking a risk that this data could be intercepted and, since it is not encrypted, used by a thief.

What You Need to Host Secure Pages

There are only a few things you need in order to host secure pages on your web site:

  • A Web server such as Apache with mod_ssl that supports SSL encryption
  • A unique IP address - this is what the certificate providers use to validate the secure certificate
  • An SSL Certificate from an SSL certificate provider

If you aren't sure about the first two items, you should contact your Web hosting provider. They will be able to tell you if you can use HTTPS on your Web site.

In some cases, if you are using a very low-cost hosting provider, you may need to switch hosting companies or upgrade the service you use at your current company in order to get the SSL protection you need. If this is the case - make the change! The benefits of using SSL are worth the added expense of an improved hosting environment!

Once You've Got Your HTTPS Certificate

Once you have purchased an SSL certificate from a reputable provider, your hosting provider will need to set up the certificate in your web server so that every time a page is accessed via the https:// protocol, it hits the secure server. Once that is set up, you can start building your Web pages that need to be secure. These pages can be built the same way that other pages are; you just need to make sure you link to https instead of http if you are using any absolute link paths on your site to other pages.

If you already have a website that was built for HTTP and you have now changed to HTTPS, you should be all set as well. Just check the links to make sure any absolute paths are updated, including paths to image files or other external resources like CSS sheets, JS files, or other documents.

Here are some more tips for using HTTPS:

  • Point to all Web forms on the https:// server. Whenever you link to Web forms on your Web site, get in the habit of linking to them with the full server URL including the https:// designation. This will ensure that they always are secured.
  • Use relative paths to images on secured pages. If you use a full path (http://www...) for your images, and those images are not on the secure server, your customers will get error messages that say things like: "Insecure data found. Continue?" This can be disconcerting, and many people will stop the purchase process when they see that. If you use relative paths, your images will be loaded from the same secure server as the rest of the page.
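
The link check described above can be automated. The following is an added example, not part of the original article: a small Python audit that resolves each reference on a page the way a browser would and reports the ones that fall back to plain http://. The store URL and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a resource, submit data, or navigate.
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src",
             "link": "href", "form": "action", "a": "href"}

class InsecureRefAudit(HTMLParser):
    """Record every reference on an HTTPS page that resolves to plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL), in document order

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return  # e.g. a form without action posts back to the page's own URL
        # Resolve the way a browser does: relative and //host paths inherit https.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme != "http":
            return
        kind = {"form": "insecure-form", "a": "insecure-link"}.get(tag, "mixed-content")
        self.findings.append((kind, tag, resolved))

def audit(page_url, html):
    parser = InsecureRefAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a checkout page on a made-up store.
PAGE_URL = "https://shop.example/checkout.html"
SAMPLE_PAGE = """
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example/cart.js"></script>
<img src="images/lock.png">
<img src="http://www.shop.example/images/visa.png">
<a href="http://shop.example/returns.html">Returns</a>
<form action="http://shop.example/pay" method="post"><input name="card"></form>
<form action="https://shop.example/subscribe" method="post"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in audit(PAGE_URL, SAMPLE_PAGE):
        print(f"{kind:14} <{tag}> {url}")
```

An insecure-form finding is the one to fix first, since that form would send whatever the customer types over an unencrypted connection.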

Original article by Jennifer Krynin. Edited by Jeremy Girard on 9/7/17