Anyone involved in website management must properly understand the difference between http and https. However, there may be some people who do not know the difference between them, or who are not sure which one is correct to use.
Therefore, in this article, we will explain in detail the difference between http and https. We will also explain the impact on SEO, how to convert from http to https, how to identify a safe website, etc., so please refer to it.
What is http?
First, let’s look at “http”. http is an abbreviation for Hyper Text Transfer Protocol, which is one of the means of communication on the web. http is known as a very simple means of communication.
Normally, when viewing a website, a web browser sends a request to a server and receives a response from the server.
In the case of http, only one response is returned for each request. Additionally, if the preconditions are similar, as long as the request content is the same, the same requests will be returned.
http is sometimes compared to a “postcard”. Since postcards can be viewed by third parties, there is a risk that the contents may be tampered with. http is said to have weak security because it uses a postcard-like format for web communication, and there is a risk that it may be tampered with by a third party.
What is https?
https
stands for Hypertext Transfer Protocol Secure, which is also one of the means of communication on the web. Also called encrypted communication, http is likened to a postcard, while https is likened to a sealed letter.
Since it is a sealed letter, a third party cannot see the contents, and it is not easy to tamper with the contents. Therefore, compared to http, there is a lower risk of information leaking to a third party, making it a recommended communication method from a security perspective.
Difference between http and https
Both http and https are still a means of web communication. The biggest difference is whether or not it’s encrypted.
As mentioned above, http is a very simple means of communication. All you have to do is send a request from your web browser to the server and receive the response.
However, in the case of https, in addition to http communication, connections such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are used. With these connections, the contents of http communications are encrypted, so even if a third party looks at the http information, the contents cannot be seen.
There is no need to memorize all the complicated mechanisms mentioned above. First of all, be sure to remember that https is encrypted communication.
why is http not secure
One type of cyber attack is a “man-in-the-middle attack.” This is a cyber attack that interrupts communications between two parties and falsifies or eavesdrops on data. Hackers cleverly impersonate both senders and receivers and exploit information over time.
It is characterized by being carried out skillfully over a long period of time, making it difficult for people to notice that they have been harmed. This “man-in-the-middle attack” is easily possible with unencrypted http. For these reasons, http is said to be insecure.
Is https really safe?
In fact, just because https is “more secure than http” does not necessarily mean it is secure. Although it is effective against the “man-in-the-middle attack” explained in the section “Why http is not secure” above, what happens if the website you are accessing is a website set up by a hacker in the first place? It becomes meaningless.
In other words, even if the information is encrypted on the source website or transmission route, if the information is decrypted on the destination fraudulent or malicious website, it is the same as if the information was sent unchanged. Because it becomes. For these reasons, https is not necessarily secure, and you should check the security of the website you are sending your information to yourself.
Relationship between security and https
As mentioned above, https is a recommended communication method from a security perspective. Here, we will explain why http is not recommended in terms of security and the usefulness of https in attracting customers.
Google deprecates http
Google has published guidelines for those involved in SEO. Google’s guidelines deprecate http. This is because, as already explained, the information is not encrypted. Since it is not encrypted, there is a risk that personal information may be leaked.
Most SEO measures are centered around Google, the leading search engine. Please understand that if you run your website using http, which is not recommended by Google, your website may not be evaluated by search engines.
“Unsecured communication” is also displayed on the user’s screen
When a user visits an http website, the browser displays a message saying “Unsecured communication.” This makes users feel worried that their communications are not protected, and they are more likely to leave the website sooner.
If you want to earn money from your website, it is important to first get users to read your page thoroughly. It is still advisable to switch to https, as unsecured communication can cause users to leave your site prematurely.
How to easily determine whether the user is encrypted
If the website is encrypted (https), a lock mark will be displayed in the URL part of the browser. The lock mark on your browser is proof that the communication is encrypted.
On the other hand, if the website is not encrypted, you will not see the padlock symbol and will see a warning that your connection is not secure.
How https protects your data
https uses a protocol called “SSL = Secure Sockets Layer” to encrypt data on the Internet. This is a system that protects data by encrypting it so that third parties cannot intercept the information. The following transmissions and receptions mainly take place between the client and server.
1. Client requests SSL communication to server
2. In response, the server sends the public key and SSL certificate
3. After confirmation, the client creates a common key, encrypts the common key with the received public key, and returns it to the server.
4. The server decrypts the encrypted common key with the private key
Through this mechanism, encrypted data cannot be decrypted unless the private key is held.
What is an SSL server certificate?
In order to further understand how https works, it is a good idea to have some knowledge about “SSL server certificates”. An SSL server certificate is an electronic document that proves the existence of an operator. This certificate also certifies the encryption of communication data between the web browser and server.
SSL server certificates have a mechanism called a “key.” This key ensures that communications between your web browser and the server are encrypted. And since encrypted communications can only be viewed by those who have the key, the risk of unauthorized access by a third party is reduced.
Please note that the key can only be unlocked by the recipient of the information. Therefore, if you want to further ensure the security of your information after using https, you may want to consider issuing an SSL server certificate. When you issue an SSL server certificate, a lock mark will be displayed, allowing you to show users the safety and reliability of your site.
How to check SSL server certificate
From here, we will explain how to check the SSL server certificate.
domain authentication
There are three main ways to check SSL server certificates: “domain authentication,” “EV authentication,” and “corporate authentication.” You can easily check using any method, but let’s take domain authentication as an example.
1. Click on the “lock” icon at the top left of the browser
2. Select the certificate window
3. The string below “CV=” will be displayed at the bottom of the subject. If the domain that obtained the SSL server certificate is displayed there, the confirmation is complete.
Hacking and unauthorized access that is difficult to protect with SSL alone
If your website is hacked or accessed by unauthorized persons, SSL alone will not protect you. This is because SSL protects communications with users through encryption.
To protect your website from the threat of cyber attacks, you need other security measures like WAF (Web Application Firewall).
Background to the advancement of always-on SSL
The spread of free Wi-Fi is one of the reasons behind the advancement of always-on SSL. Free Wi-Fi has weak security and users tend to be easy targets for hackers. Due to these problems, the use of always-on SSL has progressed.
Free Wi-Fi has weak security
Free Wi-Fi is available in various places such as airports, shopping malls, and fast food restaurants. In places where free Wi-Fi is installed, you can use the Internet without worrying about communication traffic.
Although the Internet is free and easy to use, security is often weak and hackers may intentionally set up traps. For example, acts such as “setting up spoofed access points pretending to be free Wi-Fi provided by companies” are rampant.
Additionally, if you use malicious tools, you can easily steal the cookie information of other users connected to the same Wi-Fi. The problem with free Wi-Fi is that it is extremely vulnerable in terms of security.
Spoofing becomes rampant when cookie information is stolen.
In the fraudulent activities described above, if cookie information is stolen, a third party can impersonate the user and log into various websites. The risk of unauthorized login to shopping sites, credit card company websites, and various financial institution websites that you normally use is extremely high.
Once you are logged in, your personal information can be easily stolen, and you can be logged in to other websites one after another, causing more damage. Fraudulent tools that can steal other people’s cookie information are easily available on the Internet, so you need to keep these risks in mind when using free Wi-Fi.
Cookie information cannot be protected by installing SSL on some web pages.
Simply installing SSL on web pages that require security, such as web pages where you enter personal information, will not protect your visitors’ cookies.
Web pages that do not have SSL installed are unprotected, so there is a possibility that these places can become holes that allow cookie information to be stolen. In any case, there is a security limit to only partially implementing SSL.
Constant SSL is an effective way to prevent cookie information leaks.
Due to the above-mentioned background, always-on SSL has been promoted. By always using SSL, the entire website is protected, eliminating security loopholes.
Once the entire website is encrypted, it will no longer be possible to steal a portion of the information, reducing the possibility of cookie information being leaked.
Advantages of making your website https and effects/impact on SEO
There are many benefits to moving your website from http to https. It also has a considerable effect on SEO. Below, we will explain the benefits of using https and the effects and effects on SEO.
Ensures website reliability
As already explained, https uses encrypted communication. For example, if you enter personal information such as a credit card number in a form and send it, it will be automatically encrypted and sent via https. Even if information is stolen in some process, a third party who cannot decrypt it will not be able to read the contents.
On the other hand, with http, communications are sent and received without being encrypted. Therefore, if personal information such as credit card numbers is stolen, there is a risk that the information will be disclosed to a third party. Because of this difference in structure, it can be said that https makes it easier to ensure the reliability of a website compared to http.
Warnings from Google will no longer be displayed
Starting in October 2017, Chrome will display the message “Not secure” when you enter text in a form on an http page. Also, in incognito mode, a similar warning message will be displayed just by accessing the http page.
Websites that display warning messages like this can be extremely alarming to users. Users will not only stop filling out forms, but they will also be reluctant to visit your website. We recommend switching to https as much as possible in order to avoid lowering user abandonment rates, re-visit rates, and length of stay.
Compatible with Chrome 68
In July 2018, a new version of Chrome, “Chrome 68,” was released, and the measures against https were further strengthened. As a result, all websites that have not switched to https will now be displayed as “not secure.”
In this way, Google recommends switching to https in an almost semi-mandatory measure. By firmly switching to https, you can make it compatible with Chrome 68.
Become more easily evaluated by search engines
Switching your website to https will make it easier for search engines to evaluate your website. As mentioned above, switching to https is recommended by Google, so it will greatly affect your ranking in search engines.
Google has officially announced that it has added https to its ranking signals, suggesting that websites that remain http will have a harder time ranking higher.
Reference:
HTTPS as a ranking signal (Google Search Central Blog)
Disadvantages of making your website https
The disadvantages of making your website https include the following:
expensive
There is an annual fee to switch to https for SSL. There is also free SSL, but this does not provide proof of existence. For websites run by companies, paid SSL is preferable as it is highly secure and provides proof of existence.
Paid SSL prices vary greatly depending on the authentication method, ranging from several thousand yen to several hundred thousand yen per year, but they are generally as follows.
If you want to ensure the reliability of a website run by a company, you should consider “extended proof of existence (EV),” which costs hundreds of thousands of yen per year.
You need to configure the web server settings yourself.
If you built your website in-house without relying on outsourcing, you will also need to switch to https yourself. Issue and configure the SSL server certificate on the settings screen of the rental server you are using.
In addition to configuring SSL settings, you will also need to configure redirect settings yourself. A website with SSL settings will be recognized by Google as a new site. If you don’t take any action, the SEO rating you’ve built up so far will drop to zero.
In order to avoid such a situation, it is necessary to properly set up redirects and carry over the previous SEO evaluation to the new website after switching to https.
SNS share buttons are reset
After switching to https, the SNS share button will be reset and the count will return to zero. Although it may not have a direct impact on SEO, there are differences in the reactions and actions of users when they see the content between articles that have gained a lot of shares on SNS and those that have not. There is a possibility that it will come.
Search rankings may become temporarily unstable
After switching to https, search rankings that were previously stable may become temporarily unstable. Search rankings may change frequently, or may even drop and never return to the original position.
This is believed to be because it takes time for Google to index new websites after switching to https. Normally, over time, your site will gradually return to its original search ranking, but keep in mind that the number of accesses and search traffic may drop temporarily.
How to make your website https
There are several ways to make your website https, and the methods differ depending on the server you are using. Here, we will only introduce the general method of establishing https. The steps are as follows:
If you are using a rental server, you can easily configure https on that rental server. Even if you are not an engineer, you can switch to https, so if you do not have a rental server contract, you may want to consider using a rental server.
WordPress also supports plugins
If you are running a website using WordPress, you can also use SSL using a plugin called “Really Simple SSL”.
Really Simple SSL is very simple to use; after installing it for free, click the enable button and your entire website will be permanently SSL-enabled.
Please note that after enabling Really Simple SSL, you will be automatically logged out of WordPress, so please log in again. From then on, the website will always be https.
How to redirect from http to https using “.htaccess” file
So far, we have introduced the general https conversion method and the https conversion method using WordPress plugins, but below we will explain how to redirect from http to https using the “.htaccess” file. I will. If you set up redirects using this method, you will be using 301 redirects.
There are also 302 redirects that are temporary redirects, so be sure to check them using a redirect check tool after setting them up. We recommend ”
ohotuku.jp
” as a simple redirect check tool.
There are two ways to configure settings using the .htaccess file: redirecting the entire website and redirecting part of the website.
How to redirect the entire website
To redirect the entire website from http to https, write the following in the “.htaccess” file.
| For site-wide redirects |
|
Rewrite Engine on RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] |
The above statement will redirect all pages of your website from http to https.
How to redirect part of a website
To redirect part of your website from http to https, write the following in your .htaccess file.
| If you want to redirect part of your site |
How to identify a safe website
In the first part of this article, we introduced a simple method to determine whether a website is encrypted, but here we will explain how to determine if a website is even more secure.
Let’s look at each in turn.
Is your email address a free email address?
Websites with a clear origin usually use email addresses that use their own domains. Therefore, although it is impossible to say for certain, it is important to understand that websites that use free email addresses such as @gmail and @yahoo.co.jp may be less secure.
Check the name of the recipient
You should also be careful if the name of the recipient of the transfer is not the company name. This is because fraudulent sites often specify a remittance address under an individual’s name. Also, if you have specified a bank account that you are not familiar with, be sure to search for the bank name on the web and check the actual situation in advance.
Check reviews
It is also important to check the reviews of the website name and operator name. If there are more negative reviews, the quality of the product or website may be low. Also, there are cases where you can find posts saying that you have been a victim of fraud, so be sure to check beforehand.
Is the phone number not a personal number?
If the operator is a proper company, the phone number will always be the one used by the company. However, if your personal number is listed, make sure to search for that number on the web to see if the operator is reliable.
http status code when unable to connect to page
The main http status codes when you cannot connect to a page are as follows.
400 Bad Request
“400 Bad Request” is an HTTP status code returned when a URL is misspelled, has invalid syntax, or has a corrupted cache. It mainly appears when there is a problem with the client-side request. To prevent this, you can try requesting the correct URL again, clearing your browser’s cache and cookies, and clearing your DNS cache.
401 Unauthorized
401 Unauthorized is an HTTP status code returned when login authentication to a website fails or when you do not have access authority. A similar error will also be returned if the access token is invalid.
It mainly appears when there is a problem with the client-side request. You can work around this by entering the correct login information or trying to access the site again after a few hours.
403 Forbidden
403 Forbidden is an HTTP status code that is returned when you do not have access rights to the request destination, or when the link is broken or the website you are accessing is inaccessible for some reason.
It may also be displayed when accessing a page for which access privileges have been set. In this case, you may be able to resolve the issue by asking your administrator to grant you access rights.
404 Not Found
404 Not Found is an HTTP status code returned when the requested page does not exist. Many of the causes are errors in the spelling of the URL, as well as errors returned when accessing a deleted page or a simple broken link.
This error is not very good for SEO or usability, so site administrators can take measures by redirecting.
500 Internal Server Error
500 Internal Server Error is an HTTP status code returned when something goes wrong with the server. The client may not be able to handle the error because it is an error within the server.
However, this error may occur due to a temporary problem, and in such cases it may be resolved by clearing the browser cache on the client side.
If the problem cannot be resolved by clearing the browser cache, etc., it is most likely an issue with the administrator, so wait a while and try accessing again.
503 Service Unavailable
503 Service Unavailable is an HTTP status code returned when requests cannot be processed due to heavy access. Like 404 Not Found, this is a commonly encountered error.
If the client uses a plan with a low data transfer rate, a 503 Service Unavailable error will frequently occur. In such cases, you may be able to resolve the issue by choosing a higher-end plan with a higher amount of data transfer.
summary
In this article, we have explained the differences between http and https. Although http and https are both methods of web communication, there is a big difference in security. Because https is encrypted, there is less risk of information being leaked to a third party or tampered with.
Google, a major search engine, also recommends HTTPS. First of all, make sure that your website is HTTPS communication, and if not, promptly promote HTTPS.