What is website encryption?
Webscape encryption makes sure that messages sent between your website and the people using it can’t be read by anyone (or anything) else.
If you enter any data on a website, like your name or email address, that sends a message to the server. When the website responds, it’s sending a message back, which may also include information intended only for you. Website encryption ensures that those messages aren’t intercepted or changed.
Websites that use encryption (also known as HTTPS, ‘HTTP via TLS/SSL’ or ‘HTTP Secure’) are displayed slightly differently to other web pages. They have a URL starting with “HTTPS” instead of “HTTP” and a locked padlock symbol in the address bar to show that the page is secure. You can see this by looking at the address bar for this website, which is encrypted.
Why is it important?
When you enter information on an unencrypted site, it’s a bit like sending a postcard. In most cases, it’ll get to its destination safely and without anyone reading it, but you can’t be 100% sure.
An encrypted website is more like a letter sent by a (very reliable) courier: As soon as you hand it over, you know it’ll get to the right person safely – and without being read by anyone else!
Sometimes this doesn’t matter. But if you’re sharing personal or financial details, it can be a very big deal indeed.
One of the most common use of HTTPS is, unsurprisingly, for online shops. Website encryption means that customers can be confident no-one can see their password, address or credit card details. For obvious reasons, it’s a very bad idea to enter financial information on a webpage that doesn’t use encryption!
HTTPS is used for other kinds of sites too, such as social media, webmail, membership sites and blogs. It’s also used for websites (like this one) where the site owner or editor has to log in to edit it. This makes sure that their password can’t be intercepted and used maliciously.
Increasingly, encryption is becoming common practice for any website, even those where people don’t have to enter any personal information at all.
How does website encryption work?
When someone visits a standard HTTP website, the browser asks for information (e.g. a web page) and the server provides it. If the user enters information, it’s sent straight to the server, in plain text. Normally this process is seamless, but there is a chance that someone could intercept the information being sent.
When someone visits a website with HTTPS, the browser and server establish a connection known as a digital handshake, before any information is exchanged. They send a series of messages to one another, first to agree on their shared code, then to establish a secure channel of communisation using that code. Once this is set up, all messages are encoded before being sent, then decoded at the other end. To anyone without the keys to the code, they will appear as gibberish.
Of course, this all takes place in fractions of a second. HTTPS won’t slow your site down, it’ll just make it safer.
Why is it such a big deal now?
In a word, Google.
Currently, HTTP sites appear in Chrome with a relatively inobtrusive ‘i’ (for ‘information’) icon. Clicking on this gives further information about the privacy status of the page, such as “Your connection to this site is not private”.
From January 2017, these discreet messages will start to become much more conspicuous.
Initially unencrypted pages with forms or other requests for information will show a “Not secure” message and the ‘i’ icon.
From July 2018, this message will be shown on all unencrypted pages, whether they’re asking for information or not. Whatever the nature of your website, that’s probably not something you want your visitors to see!
OK, so how do I secure my site?
There are two main types of TLS (or SSL) certificates:
- A Standard certificate, which makes sure that communications between the website and the user are secure.
- An Extended Validation (or EV) Certificate, which is more rigorously controlled. To use an EV Certificate, the website operator must also prove that the domain belongs to the organisation it claims to.
Until recently, certificates had to be purchased and renewed each year, usually at a cost of £50 or more for a Standard certificate and £200 or more for EV Certificates. However, there’s now a new type of Standard certificate provided by Let’s Encrypt. It’s just as safe as a paid-for Standard certificate, but free! This means that now anyone can secure their website without ongoing costs, which is a great step forward for increasing security on the web.
Not all website hosting companies support Let’s Encrypt yet, but an increasing number do, including the hosting company I use, SiteGround. (Just one of the many reasons I love SiteGround!)
How to set up a certificate depends on the type of certificate you want to use, and your hosting company.
To get that all-important padlock symbol, you’ll also need to make sure that every part of every page of your website is delivered securely. That means that all images, CSS (style) files and other included elements of your website need to be served via HTTPS not HTTP. This will make sure that, for example, images from elsewhere aren’t being displayed on your site to mislead visitors.
If you’re encrypting the site yourself, there are tools like Why No Padlock? which help you check your pages and, if necessary, track down what’s causing any problems.
If you want to know more, do get in touch.
- March 2018 – Added the date from which Chrome will start to show ‘not secure’ warnings on all unencrypted pages.
- 5 June 2018 – Updated to reflect the change from SSL to TLS.