What is HTTPS Everywhere?

HTTPS Everywhere is a best-practice security measure for websites that ensures the entire user experience is safe from online threats. The term simply refers to using HTTPS (the secure web protocol enabled by TLS/SSL) across your entire website instead of selectively. That means every page of your site is secured by TLS/SSL encryption and is not displayed as unsafe in web browsers.

HTTPS authenticates the website’s identity, protects the integrity of the connection and its data, and encrypts all information shared between the website and a user (including any cookies exchanged), protecting the data from unauthorized viewing, tampering, or misuse. Maintaining a secure connection across an entire browsing session is vital to ensuring users are safe from advanced spoofing, injection, and man-in-the-middle attacks.

Browsers and the Push for HTTPS

It’s no longer acceptable to secure only part of your users’ connections. When you use HTTPS intermittently on your website, only some pages are protected by the encryption and security of TLS/SSL, and the others remain vulnerable to data theft, content injection or modification, and the privacy invasion of internet surveillance. Intermittent deployment of TLS/SSL not only fails to meet users’ security expectations and rights, but also fails to meet the expectations of browsers and OS platforms.

As part of a multi-year effort to encourage the adoption of HTTPS Everywhere, major browser makers, including Google, Mozilla, and Apple, used negative warning labels on websites that use only HTTP, both to discourage its use and to positively reinforce secure HTTPS.

Why You Should Care About Securing Your Website With HTTPS Everywhere

Trust is the foundation of the internet economy. To earn that trust, you need end-to-end security to help protect every webpage your users visit, not just the log-in pages and shopping carts. New changes in internet standards and web browsers are also giving websites that use HTTPS a leg up and are actively punishing insecure sites that remain on HTTP. For example, Google has given a search results ranking boost to pages served over HTTPS since 2014. They also once displayed a “Secure” label in the address bar for HTTPS pages. And in July 2018, Google Chrome began serving up warning labels for any pages only using HTTP.

Chrome was the first major browser to warn users on all HTTP pages, and other browsers followed as the internet moved to a "secure by default" standard. Additionally, many new web technologies and browser features require HTTPS. This includes HTTP/2, a foundational improvement to the web communication protocol that can greatly improve website performance, as well as browser features including geolocation, notifications, Service Workers, Google’s AMP mobile standard, new compression methods, and more. Simply put, without HTTPS, your website will be effectively trapped in the past.

The Top 3 Tips for Moving to HTTPS Everywhere

1. Make sure any third-party services you rely on, such as advertising or analytics services running on your site, are available over HTTPS to avoid "mixed content" issues.

2. Purchase additional TLS/SSL certificates if different parts of your website run on different servers or domains.

3. Redirect all your web pages to their new HTTPS counterparts and update your Google Webmaster Tools. Switching to HTTPS Everywhere has SEO implications: Google and other search engines view it as a website move, similar to moving to a new domain name.
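
One way to audit a page for the "mixed content" issue from tip 1 before switching to HTTPS, as an added example that is not code from the original page. The tag lists, the `scan` helper and the `.example` hostnames are assumptions; the example goes slightly beyond the tip by separating active loads (scripts, stylesheets, frames) from passive ones (images, media) and by flagging forms that submit to HTTP.

```python
from html.parser import HTMLParser

# Added example: these tag/attribute choices are assumptions, not from the page.
# "active" loads can rewrite the page; "passive" ones only display or play.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every http:// subresource in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are checked; rel=canonical is not a load
        if tag == "form":
            kind, url = "form", attrs.get("action")  # data would leave in cleartext
        elif tag in ACTIVE:
            kind, url = "active", attrs.get(ACTIVE[tag])
        elif tag in PASSIVE:
            kind, url = "passive", attrs.get(PASSIVE[tag])
        else:
            return  # plain <a href> navigation is not mixed content
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """
<html><head>
<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
<script src="HTTP://ads.example/tag.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="//img.example/logo.png">
<a href="http://partner.example/">partner</a>
<form action="http://shop.example/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Protocol-relative URLs such as `//img.example/logo.png` are not reported because they inherit the page's scheme and load over HTTPS once the page does.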