What is HTTPS and how does it work?

Nowadays, most of us share a whole bunch of information with everyone, mostly through social media.

But do we take privacy seriously when we are finally signed out?

More and more of us use online services that handle a lot of sensitive personal data; we check our bank account balance online, we use our credit card online to buy stuff, we complete all kinds of forms to subscribe to newsletters and offers, or even to sign up at a new website we found worthy of our time.

But how can you be sure that the information you handed over so easily is kept safe?

What if someone could alter the communication between you and the server (the so-called man-in-the-middle attack)?

Well, before you start worrying that someone stole your identity and used your credit card to buy a ticket to New York, take a step back.

There are ways to keep you safe, and we will introduce you to the most common one, HTTPS, and the differences between HTTPS and its equally common counterpart, HTTP.

How can I tell if the website I am visiting uses HTTP or HTTPS?

Have you ever noticed that most of the websites that interact with you in some way start their URL (usually shown at the top of your browser) with a small word that is slightly different from the usual one?

Well, this small word should be https:// while the usual one is http:// and we are now going to talk about the fundamental differences between those two and which one helps you keep your information safe.

Figure: Address bar signals HTTPS usage

On some modern browsers you may see just a padlock and need to click on the address bar for HTTPS to be revealed.

HTTP vs HTTPS

While HTTP is the foundation of data communication for the web, it does not provide any security of its own (it only allows authentication in some cases), so it is easy for someone with the appropriate knowledge to steal your information if the website has not yet migrated from HTTP to HTTPS.

HTTPS, on the other hand, uses the SSL/TLS protocol to encrypt the data exchanged between you and the server, protects that data so no one can modify it, and authenticates (proves) that you are actually communicating with the intended server.

Is HTTPS widely used or not?

Well, that really depends on your internet surfing habits but let's assume, for example, that you use a search engine almost every day (as most of us do).

All three major search engines (Google, Bing and Yahoo) have already implemented the HTTPS protocol, and you should be thrilled, since it not only helps you stay safe but also keeps your searches partly private!

To put it simply, if you are using a computer or smartphone connected to your workplace's network (which is most likely being monitored), the person who monitors your internet activity can see that you are using Google, for example, but he/she can't see what you are searching for!

Isn't that great?!

Further Reading

The University of Michigan, US, says “The percentage of websites protected with HTTPS secure encryption… has jumped from just over 40% in 2016 to 80% today.” (Source)

Apart from search engines, Facebook, Twitter, eBay, Amazon, Gmail, Yahoo Mail, YouTube, VPNCompare and a vast majority of other websites and e-shops are currently using it.

Why does HTTP change automatically to HTTPS?

While the change is not automatic in 100% of cases, it is automatic often enough that it might seem like it always just happens.

Regardless, the answer is that HTTP changes to HTTPS because websites were set up that way in order to ensure users' safety.

The security of a site has a lot to do with its ranking on search engines, so those websites and businesses that are serious about their position did all they could to remain relevant, including complying with Google when it started pushing for HTTPS.
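What "set that way" looks like on the wire, as an added example that is not part of the original article: the site answers the plain-HTTP request with a redirect to its `https://` address, and can send a `Strict-Transport-Security` (HSTS) header, which the article does not name, so the browser upgrades by itself on later visits. The audit below runs over constructed redirect chains; `example.test` is a placeholder host.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def audit_upgrade(hops):
    """hops: (url, status, headers) tuples in the order a browser saw them."""
    result = {"upgrades": False, "downgrades": False, "hsts_max_age": None, "issues": []}
    for url, status, headers in hops:
        headers = {k.lower(): v for k, v in headers.items()}
        scheme = urlsplit(url).scheme
        target = urlsplit(headers.get("location", "")).scheme
        if status in REDIRECTS and scheme == "http" and target == "https":
            result["upgrades"] = True
            if status not in (301, 308):
                result["issues"].append(f"{status} is a temporary redirect; prefer 301 or 308")
        if status in REDIRECTS and scheme == "https" and target == "http":
            result["downgrades"] = True
            result["issues"].append(f"{url} redirects back to plain HTTP")
        # Browsers ignore HSTS received over plain HTTP, so only HTTPS hops count.
        if scheme == "https":
            for part in headers.get("strict-transport-security", "").split(";"):
                name, _, value = part.strip().partition("=")
                if name.lower() == "max-age" and value.strip('"').isdigit():
                    result["hsts_max_age"] = int(value.strip('"'))
    if not result["upgrades"]:
        result["issues"].append("HTTP request was never redirected to HTTPS")
    if result["hsts_max_age"] is None:
        result["issues"].append("no HSTS header; the first request can still go out over HTTP")
    return result

# Constructed sample chains, not captured from a real site.
GOOD = [
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
WEAK = [
    ("http://example.test/", 302, {"Location": "https://example.test/login"}),
    ("https://example.test/login", 302, {"Location": "http://example.test/home"}),
    ("http://example.test/home", 200, {}),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("weak", WEAK)):
        print(name, audit_upgrade(chain))
```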

What does it mean when a website says “not secure”?

If you try to access a website that doesn't use HTTPS, you will usually get a message that the website you are trying to access is not secure.

This is a website that only uses HTTP, which is somewhat frowned upon by browsers, search engines, and other tools used for navigating the internet these days.

That doesn't make such websites inherently bad; it's just that HTTPS is recommended these days.

As you may know, HTTPS is a secure version of HTTP, which basically means that it uses a security protocol that protects your online traffic from view.

HTTP doesn't protect your traffic, which is why people tend to avoid it these days, especially those who worry about online surveillance.

With HTTPS, you get a secure tunnel for your traffic to flow through, invisible to everyone else.

This is important, because otherwise, your sensitive data, such as credit card numbers, passwords and usernames, and more, could be compromised. In essence, you should always ensure that HTTPS is activated on a website you are using.

Can I enable HTTPS on websites that are only using HTTP?

Unfortunately, no.

Unless a website has been expressly set up to use HTTPS, you're unable to force it.

Can I force HTTPS?

If a website has the ability to use HTTPS but is being displayed using regular HTTP, then yes, you can!

The easiest way is to add an add-on to your browser (supported by Chrome, Firefox, Opera or IE). “HTTPS Everywhere” is the most popular one and it has improved dramatically over the years.

Occasionally it may cause issues for the website you're visiting so you may need to disable it sometimes.

What is HTTPS Everywhere?

HTTPS Everywhere is a handy little plugin for all of the most popular browsers, which forces your browser only to use HTTPS versions of websites.

As a result, it will ensure that your browser always takes the safe route and has your traffic flow through secure channels.

HTTPS Everywhere was created as a result of a partnership between the Electronic Frontier Foundation and the Tor Project.

These days, HTTPS Everywhere is still used, even though most websites have already switched to HTTPS. Back when the plugin was created, this was not the case, and even the sites that did have HTTPS only had limited support for it.

For example, their default pages were still HTTP, and those that were protected with HTTPS held links that led to HTTP pages. HTTPS Everywhere fixes this even now, forcing the browser to use a secure version if possible, regardless of where the links lead to.
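A simplified model of that rewriting, added here as an illustration and not taken from the extension's own code: `http://` references found in a page are upgraded only when the host is on a list of sites known to serve HTTPS, and everything else is reported as still insecure. The allowlist, host names and sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist: hosts assumed to serve the same content over HTTPS.
HTTPS_CAPABLE = {"shop.example.test", "cdn.example.test"}

def upgrade(url):
    """Return (new_url, changed); only hosts known to support HTTPS are rewritten."""
    parts = urlsplit(url)
    if (parts.scheme == "http" and parts.hostname in HTTPS_CAPABLE
            and parts.port in (None, 80)):
        new = urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return new, True
    return url, False

class LinkAudit(HTMLParser):
    """Collects every http:// reference in a page and what it is upgraded to."""
    def __init__(self):
        super().__init__()
        self.upgraded, self.left_insecure = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value and value.startswith("http://"):
                new, changed = upgrade(value)
                bucket = self.upgraded if changed else self.left_insecure
                bucket.append((tag, value, new))

def audit_page(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.upgraded, parser.left_insecure

# Constructed sample page: an HTTPS page that still holds links to HTTP addresses.
PAGE = """
<a href="http://shop.example.test/cart?id=7">Cart</a>
<script src="http://cdn.example.test/app.js"></script>
<form action="http://legacy.example.test/login"></form>
<img src="https://cdn.example.test/logo.png">
"""

if __name__ == "__main__":
    upgraded, insecure = audit_page(PAGE)
    print("upgraded:", upgraded)
    print("left insecure:", insecure)
```

The `legacy.example.test` form stays on HTTP because that host is not on the list; a site that has never been set up for HTTPS cannot be upgraded from the browser side.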

Why do I need a VPN if HTTPS connections are secure?

You may have heard that everyone should use a VPN, even though HTTPS is now used by most websites that we visit on an everyday basis, and this is true for several reasons.

For example, not every website uses HTTPS, as mentioned.

Most of the time, you will get a 'Website not secure' message, and you will know that HTTPS is not being used.

By using a VPN, you can ensure part of your connection is secure. While it won't secure the leg from the VPN server to the website, it will secure everything from yourself to the VPN server first.

Also, let's not forget that the modern internet relies heavily on the use of apps, and apps don't always use a secure connection.

The only way to guarantee your safety is to enforce security via a VPN.

Also, speaking of the lack of security, email is one of the most commonly used systems that is not secure. If you use some kind of mail app on your desktop or mobile device, there is no security between yourself and the mail server.

How can I make my own website HTTPS?

Making your own website use HTTPS is rather easy, and all it takes is to add a security certificate.

In the past this was usually something you had to pay for, although you don't have to install it on your own. Your web host can help you set it all up, just in case you are not tech-savvy.

Usually this will involve buying the certificate via your webhost. It can often cost a little more but there is no hassle installing it and often it's an automated process.

In essence, securing your website revolves around adding an SSL (Secure Sockets Layer) certificate.

This is a must for every website that collects sensitive details, but even if you run a simple blog, you should still get it. Otherwise, your visitors might get a warning of an unsafe website and may be put off.

It used to be common that you would need to pay for this service but a somewhat recent service called Let's Encrypt now allows you to enable HTTPS on your site for free.

What's Let's Encrypt?

Let's Encrypt is an automated, open Certificate Authority (CA) that is entirely free, and fully dedicated to the benefit of the public.

Basically, the service provides people with digital certificates necessary for enabling HTTPS for websites. However, the interesting part is that they do it entirely for free.

Not only that, but Let's Encrypt also ensures that it does what it does in the most user-friendly way it can.

The whole point of the project is to create a more secure, privacy-respecting Internet. Let's Encrypt achieves this by following several fundamental principles, including being:

  • Free
  • Automatic
  • Secure
  • Transparent
  • Open
  • Cooperative

In other words, if you need help making your website HTTPS-protected, this is the service to turn to.

Let's Encrypt relies on donations to keep functioning and it's a service we at VPN Compare can proudly say we've financially supported.

Why should a Web Designer use HTTPS?

If you find yourself in the position of creating a website, you may want to consider implementing HTTPS to increase your traffic, even if no sensitive personal data is required from the users.

You might find this strange, but you should know that Google has announced that websites using HTTPS are pushed up in the rankings.

It's a win-win scenario as you both keep your users happy and safe and you get more traffic!

Conclusion

While not all websites really need HTTPS, it will help you achieve greater security online.

So whenever you visit a website next, be sure to look out for the padlock icon, especially if you are entering personal details or private information.

It's also worth installing HTTPS Everywhere to ensure where possible that you're using the secure version of any website you visit.

While you're learning, discover what Two-Factor Authentication is, what the best secure free email services are and how to keep your kids safe online.

Got any other related questions? Feel free to use the comment section below!

Author: Ali Raza

Ali is a journalist with a keen interest in VPN usage. He is an expert in the field and has been covering VPN related topics for VPNCompare and numerous well-respected publications for many years.

Comments

  1. Tom

    Can I enable HTTPS on websites that are only using HTTP? No you can’t. Https Everywhere is for websites that implement both.

    • VPNCompare

      Hi Tom, thanks for clarifying that! The author meant to imply that but your comment actually makes it clear.

      Really appreciate you taking the time to post and help out other users.
