Date Published: 24-Jan-2014 | By: Lynda S White
Are you a small business owner unsure whether to go with a regular HTTP website or opt for an HTTPS website? Here are some common questions that may arise while you set up a website: What is the difference between an HTTP and an HTTPS website? Will HTTPS hurt or help my business website? Does my entire site need it, or only some specific web pages? This article answers these questions.
HTTPS in the URL signals an assurance of security to website owners and their customers. It stops cyber criminals from stealing sensitive information from website transactions.
Difference between HTTP and HTTPS
HTTP stands for Hypertext Transfer Protocol, which is used to deliver information over the web. The information or message sent over the web is not encrypted; that is, it is in readable form. Any third party (office administrators, hackers, cyber criminals – anybody who comes between the web browser and the web server) can secretly listen to the conversation or read the information sent over the web, such as your account numbers, user names, passwords and other sensitive information.
- An example of an HTTP website is the homepage of Amazon: http://www.amazon.com/
- HTTPS stands for Hypertext Transfer Protocol Secure. Here, the SSL protocol acts as a sublayer to HTTP, adding security capabilities. The difference is that when a user connects to a website via HTTPS, the HTTP message is encrypted before it is transmitted and decrypted upon arrival. Therefore, third parties will not be able to read the encrypted message, and your information and your customers' information is secure.
- An HTTPS site can be identified as secure in two ways:
  - Web browsers like Firefox and Internet Explorer display a “padlock icon” at the bottom area of the navigator or a “green address bar” at the URL area
  - They display “https://” in the address bar
- An example is the log-in page of the Amazon website: https://www.amazon.com/gp/css/homepage.html/ref=topnav_ya
Who needs HTTPS and why
In general, HTTPS is used by websites where users or customers need to enter confidential or personal information. Some examples include banks, online stores and social media websites.
- Secures sensitive information: HTTPS encrypts the sensitive information (such as credit card details, account numbers, log-in details, social security numbers, etc.) sent over computer networks so that the information is unreadable to anyone except the user and the server.
- Protects from phishing: Hackers send phishing emails with links to a website that mimics your website and steals your customers’ confidential information. It is not easy to mimic your site if it has HTTPS, as it is difficult for hackers to get the proper SSL certificate. Your customers won’t fall for phishing attacks because they can tell the sites apart by the visual security cues: the padlock icon or the green address bar.
Why your website doesn’t need HTTPS
If your site is not collecting any confidential information, then having HTTPS doesn’t make sense, because there is nothing to protect. Having HTTPS is actually problematic. Here are some reasons why.
- Cost: It is costly compared to a regular HTTP website, as you need to pay commercial Certificate Authorities (CAs) to issue the SSL certificate that validates your identity.
- Effort: You need to renew the certificate each year. You have to keep monitoring it so that it doesn’t expire. Once the certificate has expired, a warning will be displayed to web users. In Google Chrome it says, “The site’s security certificate has expired… Chrome cannot guarantee that you are communicating with (your website) and not an attacker…” In Mozilla Firefox it says, “This connection is untrusted…” and in Internet Explorer it says, “There is a problem with this website’s security certificate… We recommend you to close this webpage and do not continue to this site…” Many users don’t visit the website after seeing the warning message.
- Performance: Communication over an HTTPS website is slower than that on an HTTP website. This is because an HTTPS website uses more resources from the server for encrypting and decrypting the information. Therefore, it slows down the web-page speed and leads to bad user experience.
Note: You can implement HTTPS for only the web pages where required (like Log-in, Checkout/payment pages) and for the rest of the web pages use HTTP. Sites like Amazon.com themselves are not using HTTPS for the entire site.