In general, it is a good idea to use HTTPS at all times. Why? It increases your visitors’ confidence in your brand, improves security and privacy, and makes the internet a better place. You wouldn’t want your customers to see the “Not secure” warning that browsers now show on plain HTTP pages, right? That would scare your users away! 😱
Certificate Authority (CA) — An organisation that issues certificates. For the common domain-validated certificate, the CA checks that the applicant controls the domain before signing. Browsers and operating systems ship with a built-in list of CAs they trust.
Domain — This is the address to your website, e.g. medium.com. It is the part of the URL that a certificate is actually tied to.
Secure Socket Layer (SSL) — The protocol that carries HTTP over an encrypted connection. Strictly speaking SSL is obsolete and has been replaced by its successor TLS (Transport Layer Security), which is what modern browsers actually speak, but the name has stuck and people still say “SSL certificate”. Imagine it as a secure tunnel: data is encrypted on entering and decrypted on exit, so even if a malicious user intercepts your connection, they only see scrambled bytes and cannot read the data in transit. The tunnel also detects tampering, so the data cannot be silently altered on the way.
HTTPS vs HTTP?
Let’s briefly take a look at HTTP (Hypertext Transfer Protocol). In simple terms, this fancy name is just a way for computers to talk to each other. There are many ways for computers to communicate with one another, and HTTP is just one of them, just like humans can phone / text / email / yell at each other.
HTTP is the primary way for your browser to send and receive data over the internet. As an example, your browser sent an HTTP request to Medium.com to download this article.
HTTP on its own is plain text. Data in an HTTP request or response can be read, and even altered, by anyone on the path between you and the server: other devices on the same Wi-Fi network, the café router, your ISP. With HTTPS the same HTTP request is wrapped in the SSL/TLS tunnel, so an eavesdropper sees only encrypted bytes. One caveat: they can usually still see which server you connected to (the IP address and, in most deployments today, the hostname sent during the TLS handshake), just not the URL path, headers, cookies or page content.
To enable HTTPS you need to install an SSL certificate on your web server. A certificate binds your domain name to your server’s public key and is a mandatory requirement for an HTTPS connection. It is generally issued and signed by a Certificate Authority (CA), but it can also be self-signed. The difference between the two is trust: a CA-signed certificate carries the signature of an organisation the browser already trusts, so the browser can confirm that whoever it is talking to really controls the domain. A self-signed certificate is vouched for by nobody except itself, so the browser cannot tell it apart from one an attacker made up on the spot, and it shows the
Not Secure warning.
Self-signed certificates are fine for testing (or for internal systems where you install your own root certificate in the clients’ trust store), but when we are running a live website, we should always use a certificate issued by a CA like Let’s Encrypt.
So when do I need a SSL certificate?
Technically the encryption matters most when your customers are entering sensitive data such as passwords or payment details. But the general rule of thumb is to always enable HTTPS. Why? Partly because your customers feel safer and it improves your brand’s credibility, but also because over plain HTTP anyone on the path can not only read a page but modify it in transit, injecting ads, trackers or malicious scripts into even a purely static site. Browsers also label HTTP pages “Not secure” and restrict a number of features to HTTPS pages.
You should check with your website’s hosting provider to see if they provide you a certificate. If not, you would need to purchase one from an external party or get one for free from Let’s Encrypt, which issues certificates automatically through tools such as Certbot.
Does that mean I’m safe from phishing attack as long as I see a SSL Cert?
Short answer: no.
A phishing attack happens when a malicious website pretends to be some other legitimate website, e.g. Facebook or a bank. It usually has an interface that looks exactly like its legitimate counterpart, and it prompts visitors to enter their credentials. If a visitor unknowingly enters their credentials into this fake login page, the credentials are sent to the attacker’s server and … you know the rest of the story.
An SSL certificate simply enables encryption and proves that the server you are talking to controls the domain shown in the address bar. It says nothing about who runs that domain or whether they are honest: a CA will issue a certificate for a phishing domain just as readily, because the attacker genuinely controls that domain. So a certificate doesn’t protect you from a phishing attack.
So if you see a Facebook login page with a proper SSL cert and a padlock, but the domain in the address bar is not facebook.com (including lookalikes that merely start with or contain the word facebook), it is still a phishing site.
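Here is a small demo you can run yourself to see the two points above in action: what makes a CA-signed certificate different from a self-signed one, and why a perfectly valid certificate for one domain is worthless on another. This is an added example and not part of the original article. It assumes the openssl command-line tool (1.1.0 or newer) is installed, and it invents a throwaway private CA named “Demo Root CA”, a hypothetical site name www.example.test, and a temporary working directory. The checks use `openssl verify` against a trust store containing only that CA, which is what a browser does with its built-in list of CAs.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a throwaway private
# CA, has it issue a certificate for a hypothetical site, creates a
# self-signed certificate for the same site, then checks each one the way a
# browser does: against a trust store (here: only our CA) and against the
# hostname the user typed. Requires the openssl CLI (1.1.0 or newer).
set -e

HOST=www.example.test            # hypothetical site name (assumption)
WORK=$(mktemp -d)                # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private CA. On the real internet this role is played by Let's Encrypt
#    or another CA whose root certificate ships in browsers' trust stores.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The site generates its own key pair and a certificate signing request.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=$HOST" -keyout site.key -out site.csr 2>/dev/null

# 3. The CA signs the request, binding the domain name to the site's public key.
printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
openssl x509 -req -days 30 -in site.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -extfile san.ext -out site.crt 2>/dev/null

# 4. A self-signed certificate for the same name: the only signature on it is
#    the site's own, so nobody the browser trusts has vouched for it.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=$HOST" -keyout self.key -out self.csr 2>/dev/null
openssl x509 -req -days 30 -in self.csr -signkey self.key \
  -extfile san.ext -out self.crt 2>/dev/null

# browser_accepts CERT HOSTNAME: exit 0 if a browser that trusts only ca.crt
# would show the padlock for CERT when the user typed HOSTNAME.
browser_accepts() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
    "$WORK/$1" >/dev/null 2>&1
}

# Each check is a function returning 0 (accepted) or non-zero (rejected).
ca_signed_ok()   { browser_accepts site.crt "$HOST"; }          # padlock
self_signed_ok() { browser_accepts self.crt "$HOST"; }          # "Not secure"
wrong_host_ok()  { browser_accepts site.crt www.facebook.com; } # name mismatch

for check in ca_signed_ok self_signed_ok wrong_host_ok; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```

Run it with sh: the CA-signed certificate is accepted for www.example.test, the self-signed one is rejected (that rejection is what the browser turns into the Not Secure warning), and the CA-signed one is rejected again when checked against www.facebook.com, because the name in the certificate does not match. Notice what the demo never checks: who owns www.example.test. The CA signed whatever name the requester controlled, which is exactly why a phishing site can have a flawless padlock.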
And that is pretty much HTTP and HTTPS in a nutshell!