Ever wondered why the heck some sites stick an extra “S” on the end of the “HTTP” part of their web address? Believe it or not, that extra little character plays a vital role in keeping you – and your customers – safe online.

Hacks like the Ashley Madison debacle (which just keeps getting worse) are rightfully getting the public concerned as to whether their info is safe online, and HTTPS is a great security point (which some politicians have had trouble with) to touch on.

What exactly is HTTPS?

Technically, it stands for Hypertext Transfer Protocol Secure (HTTPS) and it has to do with using either Transport Layer Security (TLS) or Secure Sockets Layer (SSL). But like most acronym-heavy tech terminology, that really doesn’t mean much to the average joe.

Phil Hagen, a SANS instructor on Advanced Network Forensics and Analysis and evangelist at Red Canary, said that HTTPS secures communication through encryption.

“The use of encryption minimizes the opportunity for a third party to eavesdrop on or modify those communications. To establish the secured connection, the web browser and web server software first negotiate the security parameters then mathematically establish a set of values (“key material”) required to properly encrypt the traffic,” he said.

A (very) simplified way to think about HTTPS is this: picture two countries that trade goods and are connected by a road. In order to protect the goods and prevent crime, police are stationed along the roads to prevent theft and general lawlessness. In this example, the goods are your data and HTTPS is the police along the highway.

It’s important to be clear on this: HTTPS encrypts the transmission of your data, but Ondrej Krehel, founder and CEO of the cybersecurity intelligence firm LIFARS, makes it clear that it does not mean that your computer is protected against dangerous software.

“HTTPS will not help prevent that your website will not be hacked. It will also not protect you from malware or DDoS (Denial of Service) attacks. It will, however, ensure that you are securely transmitting information to and from a website – typically used when entering sensitive information and when shopping online,” Krehel said.

So although the trip your truck makes is secure, it could be carrying smuggled or dangerous items.

What’s the story with the little green lock?

While cruising around online, you may have noticed a padlock icon to the left of the URL. It can be bright green and locked; bright green and locked with a bit of text (usually a name) in a green box next to it; or a lock with a red x over it and a red slash through the letters that say “https.”

Those locks all have to do with the verification of the certificates used for the site. Those certificates are issued by (and paid for through) a certificate authority, and they verify the site you’re visiting.

Here are the most important points (with examples using Google Chrome) to take away from this:

Little green lock: The site’s certificate has been checked, verified, and paid for. You’re good to go.

Screenshot: The Washington Post has an Extended Validation certificate

Little green lock and a name in a green box: This means the site has an Extended Validation Certificate. To make a long story short, the site has gone through more vetting, more criteria, and paid more to earn this certificate. An example of this would be Paypal.com.

Screenshot: a site with an invalid certificate

Red x over lock, https with a red slash through it, or warnings: This is when you should find an alternative site or proceed with extreme caution. Don’t panic (but also don’t hand over sensitive info) if you see this warning. It could be due to a number of reasons including an expired certificate, malware or something dodgy going on with the site, or something as simple as your computer having the date/time wrong (certificates need to sync with your date/time).
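To see why an expired certificate and a wrong computer clock produce the same kind of warning, here is an added example (not part of the original article) that runs the date checks a browser makes. The sample certificate, the host name shop.example and the function names are constructed for illustration, and the name check goes beyond the reasons listed above.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the host name and validity dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}


def name_matches(pattern, host):
    """Match a certificate DNS name; '*' may only stand in for the leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def warning_reasons(cert, host, clock):
    """Return the reasons a client would warn about this certificate.

    clock is the time the local computer believes it is (timezone-aware).
    """
    reasons = []
    now = clock.timestamp()
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid (is the local clock behind?)")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(name, host) for name in names):
        reasons.append("name mismatch")
    return reasons


if __name__ == "__main__":
    for label, clock in [
        ("correct clock", datetime(2015, 9, 1, tzinfo=timezone.utc)),
        ("clock reset to 2001", datetime(2001, 1, 1, tzinfo=timezone.utc)),
        ("after expiry", datetime(2016, 3, 1, tzinfo=timezone.utc)),
    ]:
        print(label, "->", warning_reasons(SAMPLE_CERT, "shop.example", clock) or "ok")
```

The certificate is identical in all three runs; only the clock changes, which is why fixing the date/time on your own computer can make the warning go away.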

Should the sites you visit and your own site use HTTPS?

Yes.

HTTPS is not the magic safeguard that common misconceptions paint it as, one that will protect users/customers/whoever from attacks, but it has many essential uses where it’s critical for it to be adopted.

“Using HTTPS on your website builds trust with your visitors and especially if you are running an online store or accepting credit cards and/or collecting personal information, you should always use HTTPS, otherwise you are risking not just your data, but your visitors’ data as well,” Krehel said.

Credit card numbers being sent over a layer of encryption isn’t just good sense, it’s also a requirement for certain web certifications.

“The use of HTTPS is mandated by a number of regulations such as PCI/DSS for credit cards, HIPAA for healthcare information, and others. Another common reason to use HTTPS is to protect sensitive information such as usernames and passwords,” Hagen said.

Whether a company uses HTTPS, along with a variety of other factors on their website, is one of the data points that’s considered in GetApp’s ranking, GetRank.

You want me to use HTTPS, but this site isn’t even using it!

Yep! And although GetApp Lab isn’t using HTTPS*, you should definitely still be aware of it. This is especially true if you are planning on purchasing anything through the site or if you are filling out forms with sensitive information.

In general, if you are putting credit card info into a site, see if it’s PCI/DSS compliant. If you’re entering health information, check that the site is HIPAA compliant.

*I spoke with our devs, and they assured me that the lab is using HTTPS, but due to some WordPress issues while we’re switching themes, it’s not appearing.

Where do I get started with HTTPS?

There’s lots of information out there, but here are a few links to get you started with adopting HTTPS for your site: