2018 is the year of encryption. I am not sure if you had noticed or not, but browsers began pushing the web towards encrypted HTTPS connections last year. In January of 2017, Google and Mozilla updating their browsers’ UI and beginning to mark HTTP sites with password fields, “Not Secure.” and during the Fall, the warnings were submitted again and the browsers now issue a warning for any HTTP page with a text field.
And that’s all building up to this Spring’s needs, when the browsers will begin actively marking ANY HTTP website as “Not Secure.” With that being said, and a little warning, if you head into the Summer without installing an SSL certificate on your website and migrating to HTTPS, then your website WILL be marked “Not Secure.”
Of course, this information has been out in the news for a while but there are still millions of websites, some quite large, that have yet to address this issue.
Why do I need SSL now?
The short answer is that the web browsers are beginning to require it as a basic standard. The internet, as we know it, is built on HTTP or Hypertext Transfer Protocol. And while HTTP has performed admirably over the past two decades, it has one glaring flaw: it’s not secure. Any information transmitted via an HTTP connection is out in the open. When I say that, I mean that it’s easy to eavesdrop on the connection. From there you can steal information, or position yourself between the user and the server, allowing you to perform what is called a Man-in-the-Middle attack.
When you install an SSL certificate, you can begin using HTTPS instead of HTTP. HTTPS is the secured version of HTTP. It uses encryption to both authenticate the server and to protect any information being transmitted. You can understand why the browsers would want this to be standard, after all, information security is more important than ever these days.
Why do the browsers get to decide?
All of the browsers are in a position, somewhat literally, that allows them to dictate their terms. People need browsers to surf the internet, and businesses need browsers to display their websites properly when people decide to visit them. If the browsers tell websites, “do this or we’re going to penalize you” – there’s going to be quite a bit of incentive to comply. The browsers have quite a bit of power.
Search engines are acting in the interest of their users and there’s a certain utility to that, which is worth commending. Secure connections mean greater user safety which, in turn, creates a safer internet.
What if I don’t need SSL?
At this point, it’s not about who does and doesn’t need SSL. At this point, it’s about the fact that the browsers want to shift the internet to HTTPS. Beyond the simple fact that secure connections are safer, there’s a technical reason for wanting to make this shift, too.
HTTP/2 is the successor to HTTP. It’s faster, it performs better. It also requires secure connections. HTTP/2 rollout out has been gradual thus far, but eventually, it’s the standard the internet wants to adopt universally. So requiring SSL also helps to facilitate the shift to HTTP/2 as well.
How Does SSL Work?
An SSL certificate is basically a piece of software that you install on a server that allows you to both authenticate said server and enforce secure connections with it. You start by acquiring the SSL certificate you’d like to use on your website, installing it on your server and then configuring your domain so that it points to HTTPS addresses instead of HTTP ones. Once it’s live, and visitors begin arriving at your website, they will be sent a copy of the certificate itself, as well as a public key when they first connect. The user’s browser and the server then use the certificate and its underlying Public Key Infrastructure to authenticate the server (ensuring that it is the rightful owner of the certificate) before exchanging symmetric session keys and forming an encrypted connection.