10 Reasons To Use HTTPS

Guy Podjarny

HTTPS, HTTP over TLS, has been around since 1994, and has been well adopted by the security sensitive web — online banking, shopping, taxes and more. However, the vast majority of websites (est. 81% to 97%) continue to communicate using clear (unencrypted) HTTP — no matter how insecure that is.

A graph showing websites that are using SSL by default.
BuiltWith stats showing small but growing HTTPS adoption

Today, however, there are more reasons than ever to switch to HTTPS — even for a news site, corporate site, or any site that doesn’t consider itself at the top of the security food chain. HTTPS adoption grew 80% last year alone, much faster than previous years, but we’re still very far from encryption being the norm. If you’re not convinced HTTPS is right for you, or need ammo to convince your peers and bosses, here are 10 good reasons to go HTTPS.

1. Protect Your Users’ Privacy

First and foremost, HTTPS protects your users. Posting a news update on a user forum may cost a dissident his life in an oppressive regime; a strict workplace may terminate employment based on an employee’s browsing activity; and of course, the Snowden affairs have clearly shown governments simply can’t get enough of this data. Using HTTPS makes it dramatically harder for these players to know what users are doing, and helps you maintain your most important responsibility — your users’ trust.

2. Search Engine Ranking (SEO)

Last year (2014), Google announced HTTPS will be a factor in its ranking. Google, like other search engines, aims to promote the links that are best for the user, and a website protecting the user’s privacy using HTTPS is better (for the user) than one that isn’t. Whether you see this as a carrot (use HTTPS and be rewarded) or stick (use HTTPS or be downgraded), few things mobilize businesses as well as SEO. For more detailed advice on how to tune HTTPS for SEO purposes, check out this Moz article.

3. Protect Your Brand

Unencrypted content can easily be tampered with. A user browsing a news site on a malicious wifi may read reported facts that never took place. A corporate website may show an apology for an embezzling CEO that never really existed. And any insecure website can be made to show porn (or worse). In addition, unencrypted pages are often in the path to secure ones. For instance, consider a shopping site where a product page is unencrypted, but the actual purchase flow uses HTTPS. A man-in-the-middle can change the unprotected product page, making the “Add to Cart” button go to their evil copy of the website, and the browser (and user) will see no difference. If you only want your users to see the content you actually posted, and want their actions to always reach you, use HTTPS.

4. Browsers to mark HTTP as Insecure

Today, browsers mark HTTPS by painting the URL green or adding a lock only if the site is properly encrypted. These markers actually convey a false sense of security, stating HTTPS websites are secure when they may be woefully insecure once you reach the server. What is accurate is that unencrypted HTTP connections are insecure. Browsers are now poised to update their indicators accordingly. Both Google & Firefox have stated they’ll mark HTTP sites first as dubious and then as insecure, possibly as early as this year. If you remain on HTTP, your users may be explicitly told you are insecure, reducing their trust in you. Note: The effectiveness of passive markers, positive or negative, is minimal, and browsers may evolve those warnings to actual click through warnings.

5. HTTP 2

Introduction to HTTP2 Video, a part of the Akamai Web Performance Videos Series

Roughly 18 years after its inception, HTTP/1.1 is finally getting refreshed. Its successor, HTTP/2, was officially completed in May (2015). HTTP/2 further evolves Google’s SPDY, and includes many significant improvements over HTTP/1.1, ranging from request multiplexing to header compression to server-side push. For compatibility reasons, as well as a desire to make the web secure, browsers will only support HTTP/2 over HTTPS (the spec states encryption is optional). If you want to benefit from this evolution of the web — you need to switch to HTTPS.

6. Service Worker & Powerful Features

Another exciting browser advancement, similar in impact to HTTP/2 (if less well known), is ServiceWorker. ServiceWorker’s main claim to fame is enabling web apps to act like native apps, allowing them to work offline, receive push notifications and more. It’s a new and improved replacement to AppCache, built with the principles of the Extensible Web Manifesto. Technically, ServiceWorker works as a JavaScript proxy, seamlessly installed when a user visits a site. This proxy is extremely powerful, and can extend the page in ways much broader than offline support. If a malicious ServiceWorker is installed, it can cause extreme and persistent damage, far greater than regular tampering of HTTP. To mitigate this risk, ServiceWorker, with all its glorious new capabilities, is only supported over HTTPS. Browsers are pushing for a secure web, and you can expect more powerful features, such as geolocation and full screen, to work only on HTTPS.

Introduction Video to ServiceWorker, by Jake Archibald

7. Protect Your Revenue (From Proxies)

Criminals are not the only ones looking to make money off your site — Internet and WiFi providers want in on it too. As many as 38% of WiFi proxies, ranging from giants like Comcast to smaller providers, inject their own ads on unencrypted pages. If ads are how you make money, know those ads may be hijacked, and your users will be none the wiser. If your website is not using ads, your users may see some anyway, and blame you for it. Use HTTPS to prevent such tampering and protect your revenue & brand.

A screenshot of an ad overlaid on a website
An H&R Block ad on the Apple Store page, injected by CMA in 2013 (and yet, the Apple Store homepage is still not using HTTPS)

8. Better Analytics: HTTPS Referrers

HTTPS aims to protect your privacy, including not sharing with others what you’re browsing. Imagine you browse https://secret.com/HelloKitty/ and click a link to the unencrypted http://other.com/. If the request to other.com included the URL in a Referer (sic) header, anyone listening (as well as other.com) would know of your love for the little not-a-cat. To avoid such a violation, browsers do not send a Referer header when navigating from HTTPS to HTTP (unless explicitly overridden using a Referrer Policy). As more websites switch to HTTPS, staying on HTTP would hurt your insight into where your visitors are coming from.
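The referrer rule described above, modelled as an added example (not code from the original post). It goes beyond the default behaviour by also modelling a few standard Referrer Policy values; the `*.example` hosts and the visit list are constructed for illustration, and "downgrade" is simplified to an https-to-http navigation.

```python
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

def _as_referrer(url, origin_only=False):
    """Referrer form of a URL: credentials and fragment dropped, or origin only."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    if origin_only:
        return f"{p.scheme}://{host}/"
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))

def referer_header(source, dest, policy="no-referrer-when-downgrade"):
    """Referer value sent on a navigation source -> dest, or None if omitted."""
    src, dst = urlsplit(source), urlsplit(dest)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":   # the behaviour the article describes
        return None if downgrade else _as_referrer(source)
    if policy == "origin":
        return _as_referrer(source, origin_only=True)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _as_referrer(source)
        return None if downgrade else _as_referrer(source, origin_only=True)
    if policy == "unsafe-url":                   # explicit override: always the full URL
        return _as_referrer(source)
    raise ValueError(f"policy not modelled here: {policy}")

def traffic_sources(landing_url, visits):
    """What an analytics tool on landing_url sees: referring host or '(direct)'."""
    seen = Counter()
    for source, policy in visits:
        ref = referer_header(source, landing_url, policy)
        seen[urlsplit(ref).hostname if ref else "(direct)"] += 1
    return dict(seen)

# Constructed visits: (page the user clicked from, that page's referrer policy).
VISITS = [
    ("https://secret.com/HelloKitty/", "no-referrer-when-downgrade"),
    ("https://news.example/story?id=7", "no-referrer-when-downgrade"),
    ("http://forum.example/thread/42", "no-referrer-when-downgrade"),
    ("https://partner.example/deals", "unsafe-url"),
]

if __name__ == "__main__":
    print("HTTP site: ", traffic_sources("http://other.com/", VISITS))
    print("HTTPS site:", traffic_sources("https://other.com/", VISITS))
```

Served over HTTP, the landing page attributes both visits from default-policy HTTPS pages to "(direct)"; served over HTTPS, all four referring hosts are visible.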

9. iOS 9+/Android 5+ API Compatibility

The push for TLS doesn’t end in the browser. In their last developer conference, Apple announced that iOS 9 will require all connections to use TLS. Quoting from the iOS 9 documentation:

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn’t follow this requirement, an error is thrown.

Android M will have a similar (a bit less strict) requirement, implying this will be the default behavior on native. This change in defaults matters not only to native app developers, but to anyone creating content that may be consumed by native iOS apps. If you don’t support HTTPS, the bar to have iOS developers adopt your API will be that much higher.

10. Third Party Inclusion

To maintain the secure page content, an HTTPS page cannot load an insecure HTTP resource. Doing so will usually fail with a Mixed Content Warning, with a few small exceptions such as sandboxed iframes. Websites attempting to switch to HTTPS often find that many of the third party components they use do not support HTTPS. As a result, they need to either stay on HTTP, or remove the third party in question. While most websites have historically opted to stay on HTTP, the balance may shift as the motivation to go secure grows. If you produce content other sites may embed, you should quickly add support for HTTPS. It may give you a competitive advantage today, and soon enough you won’t be able to survive without it.
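A pre-migration check for the problem described above, as an added example (not code from the original post): it lists the `http://` subresources an HTTPS page would pull in and groups them by third-party host. The page URL, the sample markup and the `*.example.*` hosts are constructed, and the blockable/optionally-blockable labels follow the W3C Mixed Content categories rather than anything the post states.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch (<a href> is navigation, so absent).
FETCH_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
              "link": "href", "img": "src", "audio": "src", "video": "src",
              "source": "src"}
# Media the W3C Mixed Content spec calls "optionally-blockable"; the rest is "blockable".
PASSIVE = {"img", "audio", "video", "source"}

class _Finder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTR.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as fetches in this sketch
        url = urljoin(self.page_url, value)  # resolves relative and //host/ URLs
        if urlsplit(url).scheme == "http":
            kind = "optionally-blockable" if tag in PASSIVE else "blockable"
            self.findings.append((tag, url, kind))

def find_mixed_content(page_url, html):
    """List (tag, url, kind) for every http:// subresource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    finder = _Finder(page_url)
    finder.feed(html)
    return finder.findings

def hosts_to_fix(findings):
    """Third-party hosts that must offer HTTPS before the page can switch."""
    return dict(Counter(urlsplit(url).hostname for _, url, _ in findings))

# Constructed sample page for the example.
SAMPLE = """<link rel="stylesheet" href="/css/site.css">
<script src="http://widgets.example.net/share.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<a href="http://other.example/">plain link, navigation only</a>
<img src="http://ads.example.net/banner.png">
<iframe src="http://widgets.example.net/comments"></iframe>"""
```

Calling `hosts_to_fix(find_mixed_content("https://shop.example/product", SAMPLE))` gives the list of third parties to chase or replace; relative and protocol-relative URLs inherit the page's scheme and are not flagged.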

Start Your HTTPS Plan Today!

This post enumerated some of the reasons to go HTTPS, but not the challenges involved in doing so. It’s quite likely that insecure third parties, costs or other legacy reasons (but not performance!) make the switch hard. Still, it’s important to understand HTTPS is not going anywhere. The longer you wait before you start switching, the deeper the hole you’re digging yourself into. New initiatives offer free and easy certificates, CDN, testing and more, and can help you overcome some of the obstacles you meet. So start now: put a plan in place, get it approved, and get on the path to being secure.
