Rest In Peace HTTP

The Internet is now undergoing a transition from being mostly insecure to becoming entirely encrypted. You should be part of this evolution and always protect all of your websites with HTTPS (even if they don’t handle sensitive communications). HTTPS provides critical security and data integrity both for your websites and for the people browsing them.

Internet deserves HTTPS

A common mistake is to think that security for Web browsing is only needed on login pages or forms requesting personal information. Those pages do need it, but that is not enough: the whole Internet deserves HTTPS. It helps prevent intruders from tampering with communications between your websites and your users’ browsers. Intruders can be intentionally malicious attackers, but also intrusive companies, such as ISPs, hotels or open Wi-Fi networks that inject ads into pages. HTTPS doesn’t just encrypt the information passing between a server and your computer; it also ensures that the content you’re downloading is coming from the people you expect it to be coming from. Using HTTPS everywhere prevents your HTML code from being replaced with malicious links (redirecting users to a fake secured web zone or phishing websites). Another good example is the online press. In this case, HTTPS is critical since it prevents specific content from being filtered or modified. In case of censorship, the security layer will reveal it, as any change to the content will instantly break the connection secured by the original certificate.

The future is HTTPS

In 2014, Google encouraged all webmasters to switch from HTTP to HTTPS by giving a minor ranking boost to secured websites. In December 2015, they announced that they would start preferring the HTTPS version by default and adjust their indexing systems to look for more secured pages. Users’ security should be the top priority for every Web company, because this layer is the foundation for delivering content and services. For example, new web features such as taking pictures, recording audio or geolocation require explicit permission directly from the user before executing. Security becomes a key component in making this possible, because it assumes communications are trusted from end to end (between browsers and web servers).

Yes, you can now encrypt for free!

One of the biggest issues that prevented the whole Internet from using HTTPS by default was the cost of certificates (for each website and domain). This point is still valid: when you want to secure your website, you would have to buy TLS certificates [1], prove your identity and also justify your domain ownership. This is very important in some cases (like online shopping), but unfortunately this process has slowed down mass HTTPS adoption for everything else.

The challenge is therefore “how to get encryption by default” and prevent any HTTP website from being altered on public networks. The EFF (Electronic Frontier Foundation) announced “Let’s Encrypt” [2], a new certificate authority (CA) initiative that has brought together Mozilla, Cisco, Akamai and others to finally move the Web from HTTP to HTTPS. It’s a pretty awesome piece of software that provides free TLS certificates and makes it easy to secure websites. As those people are very smart, they made sure that it supports automatic configuration and installation for Apache and Nginx. The “Let’s Encrypt” certificate authority is trusted on most recent operating systems and browsers, so the user experience will NOT be affected: certificates will be valid on any website, with no warnings or errors for users (on PC and mobile devices).

Switching to TLS

As usual in IT security, a good setup has to bring together Security, Performance and UX (user experience). With a strong configuration, you avoid slow page loads and also make sure not to lose previous work related to SEO (search engine optimization). When working as a freelancer, I configure servers, websites and applications to use TLS and therefore get the many benefits of this security layer.
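
As an added illustration (not part of the original post), here is one way an Nginx site could combine the three goals above: a permanent redirect that keeps SEO intact, session reuse for performance, and modern protocol versions for security. The domain `example.com`, the web roots and the certificate paths (Certbot's default layout) are assumptions.

```nginx
# Added example (not from the original post). example.com, the web roots and
# the certificate paths (Certbot's default layout) are assumptions.

# Plain HTTP: answer ACME HTTP-01 challenges, redirect everything else.
server {
    listen 80;
    server_name example.com www.example.com;

    # Let's Encrypt validation files (webroot method).
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # 301 = permanent redirect: tells browsers and search engines that the
    # move to the HTTPS URLs is definitive.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # "http2" on the listen line works on older releases; newer nginx
    # versions prefer the separate "http2 on;" directive.
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Security: modern protocol versions only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Performance: session reuse avoids a full handshake on repeat visits.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;

    # HSTS: browsers that have seen this header go straight to HTTPS.
    # Start with a short max-age while testing, then raise it.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/example.com;
}
```

Running `nginx -t` before reloading validates the syntax and confirms the certificate files are readable.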

[1] TLS (Transport Layer Security)

[2] Let’s Encrypt :


I have been working as an IT engineer (mostly in the Web hosting industry) for more than 15 years, with a specific interest in Linux internals, TCP/IP networks and software security. I have lived in Montreal (Canada) since 2013.
