Basics of using HTTPS
Developers who consider creating an online store or ecommerce Web site should remember the HTTPS – HyperText Transfer Protocol with Secure Sockets Layer, communication protocol used to transfer encrypted data over the Web.
March 24, 2015
When comparing HTTPS against a regular HTTP connection, two major differences stand out:
- HTTPS connects on port 443, while HTTP is on port 80
- HTTPS encrypts the data sent and received with SSL, while HTTP sends it all as plain text
Web visitors are fully aware that sites expected to offer secure transfer of data should start with the https in the URL and feature the lock icon in the browser when making a transaction. If the expected secure site is not using HTTPS, potential customers of the ecommerce site will simply leave. Even with this fact available, many web site that collect money including credit card data use the plain HTTP connection. This is a serious problem.
The standard, simple HTTP protocol sends data over the Internet in plain text. In other words, if a page containing a form asking for a credit card number, that credit card number is easily available for interception to anyone with a packet sniffer – a relatively easy tool to possess, given the extensive number of free sniffer software tools. As owner of the site containing the form where the credit card information was entered, you are in fact broadcasting the information to the world. Customers will let you know of the problem when their credit card was maxed out, but the conversation will likely get ugly.
To host secure pages on a web site, you need only several of things:
- A Web server such as Apache with mod_ssl that supports SSL encryption
- A Unique IP address - this is what the certificate providers use to validate the secure certificate
- An SSL Certificate from an SSL certificate provider
By contacting your hosting provider, you will find out whether you can use HTTPS on your web site.
After getting your HTTPS CertificateThe hosting provider will have to set up the certificate in your web server so that each time a pages is accessed via the https:// protocol, it is redirected to the secure server. After this is accomplished, you can build your web pages requiring secure transfer.
Here are some tips for using HTTPS:
- Point to all Web forms on the https:// server -- when you link to web forms on your web site, link them with the full server URL including the https:// designation. This will insure that they always are secured.
- Use relative paths to images on secured pages -- if you use a full path (http://www...) for your images, and those images are not on the secure server, your customers will get error messages and will get discouraged to return to the site.
- Secure only the pages that request and collect data. -- it is possible to run your entire Web site on https://, but it slows down the connection and some SSL providers charge you on the bandwidth secured. You should only secure those pages that collect data.