
HTTPs does not secure your website from hackers

In 2014, Google announced on its Webmaster Central blog that HTTPs was being factored in, to an extent, as a ranking signal.

Overnight, moving sites onto HTTPs for the SEO benefit became the flavour of the month for SEOs the world over.

Google has reaffirmed its commitment to keeping users safe online by promoting HTTPs adoption in the years since, and earlier this year announced its own foray into cyber security, Chronicle.

Recent high-profile cyber-crimes and attacks (the Dyn DDoS, WannaCry ransomware, and the PyeongChang Winter Olympics to name but a few) have increased public awareness of online data security, and high-street brands like Barclays have even led national TV campaigns, again focused on HTTPs.

Why?

I’m not against HTTPs; I think it’s a vital piece in the cyber security jigsaw. But giving it such intense public focus, without caveat, sends out a misleading message that a site on HTTPs is secure, and therefore that HTTPs secures your website.

HTTPs is often associated with security, and a "secure web", but on its own, it does not protect your site against thousands of potential vulnerabilities or exploits.

How HTTPs protects you

When a user's web browser connects to your website over HTTPs, the connection between your web server and the user's browser is encrypted, meaning that any data exchanged cannot be read by others without the session's encryption key.

Without encryption, hackers can read the data being exchanged and use it for their own purposes.

HTTPs is a method of securing data and information in transit between the user, and your server, thus preventing what’s known as “Man in the Middle Attacks” (MITM).

It also provides authentication that you’re sending data to the right server (of the company you’re dealing with) and not to a third-party server, as well as offering some protection from phishing.

How HTTPs doesn’t protect you


Securing a website is a very complex process, and due to the fact that every website is built differently (regardless of platform), there is often no one size fits all solution.

HTTPs will not prevent people from hacking your website: it does not stop the exploitation of vulnerabilities in third-party plugins or in the underlying software, it does not stop brute-force attacks, and it does not mitigate DDoS attacks.

And if a hacker gains control of the network itself, HTTPs will not mitigate MITM attacks either.

SSL certificates themselves can be vulnerable and exploited if not maintained or installed correctly. SSL certificates can also be spoofed, increasing the risk of MITM attacks.
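The point above about certificates needing maintenance is something a site owner can monitor rather than take on trust. The following is an added example, not code from the original post: it runs the two checks an expiry monitor would apply (validity window and hostname match) over the dictionary shape that Python's `ssl` module returns from `getpeercert()`, using a constructed sample certificate, and wraps the same checks for a live server. The 14-day warning threshold, the sample names and the helper names are all assumptions.

```python
"""Check a server certificate the way a maintenance monitor would: validity
window and hostname match. Added example; not code from the original post."""
import socket
import ssl
import time
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}

def utc_seconds(iso: str) -> float:
    """Epoch seconds for an ISO-8601 UTC timestamp such as '2024-02-20T00:00:00'."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def check_cert(cert: dict, hostname: str, now: float, warn_days: int = 14) -> list:
    """Return a list of findings; an empty list means the cert is fine for this host."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid")
    if now >= not_after:
        findings.append("expired")
    elif (not_after - now) < warn_days * 86400:
        findings.append(f"expires in {int((not_after - now) // 86400)} days")
    # Browsers match on subjectAltName, not the subject commonName, so do the same.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_match(name, hostname) for name in names):
        findings.append(f"hostname {hostname} not covered by SAN {names}")
    return findings

def check_live(host: str, port: int = 443) -> list:
    """Fetch the cert a live server presents and apply the same checks (needs network)."""
    ctx = ssl.create_default_context()  # default context also verifies the chain
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_cert(tls.getpeercert(), host, time.time())
```

Run `check_live("your-host")` from a scheduled job and alert on a non-empty result; the chain itself is verified by the default context during the handshake.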

HTTPs is still a critical component

This does not diminish the value that a strong and valid SSL certificate brings, but remember that it is a single component in what is a wider mix of preventative measures that need to be taken in order to secure your web application, server, and data.

It’s also important to steer conversations beyond HTTPs and encrypting data while it’s in transit, and to start talking about encryption at rest as well.

“At rest” being on the server, not in transit.

In the race to go HTTPs and secure data in transit, a lot of webmasters, data owners and others still store that same data at rest in an unencrypted state.

Many organisations have seen big data breaches from storing unencrypted data at rest.

HTTPs itself is only a solution to one potential issue out of thousands, and that must be made known.