Security has been a hot topic for many years and when talking with customers about a multi-layer security design we are often recommending TLS (Transport Layer Security) as one of the basic components. This is often followed by more detailed questions about the benefits, costs and implementation compared with other, more discussed components which are front of mind for CSOs/CTOs. Below are some of the most common reasons for and myths against deploying TLS for your environments.
Pro: Performance and SEO benefits
Google has long said that speed is a ranking factor, but did you know it now uses HTTPS as a ranking signal as well? As part of your Search Engine Optimisation strategy, HTTPS is an easy additional boost with a two-fold benefit: a ranking increase simply for using HTTPS, and a potentially significant performance gain, reducing the time needed to load your pages through the use of HTTP/2. You can compare this using various tools.
Pro: Encryption and Authentication of your site
HTTPS when used correctly allows all website content to be securely encrypted in transit, meaning any malicious network devices between the user and the secure hosting environment supporting the website or application cannot access your data “on the wire”, helping to keep information such as Usernames/Passwords/Emails secure and private. In addition it allows authentication of the website/application to the end user, allowing them to identify that the site they are visiting is not being spoofed or maliciously edited (such as by rogue Wi-Fi network hotspots inserting advertising or malicious redirection).
Pro: Increased perception of trust
The World Wide Web has for a long time been (and will probably remain for a long time) a “virtual” wild west, where distinguishing good from bad can be difficult for the average user. However, as more organisations publish contact details, create a professional design and produce thorough content, the average user is becoming more educated about the signs to look for when browsing sites. One recent and less widely adopted recommendation is to look for “encryption”. By enabling even a basic SSL certificate, your end customers may feel more trusting of and engaged with your site, improving your brand reputation and potentially allowing you to make more sales or expand your readership.
Pro: Compliance with industry frameworks
If you need to achieve any kind of compliance framework for your application environment, you will need HTTPS. Consumers may not know the framework, but the organisations assessing you will, and eventually consumers will start comparing you with your competitors on trust, as above.
Myth: Cost is prohibitive
HTTPS doesn’t have to cost you much, or indeed anything, depending on how it is implemented. With Content Distribution Networks (CDNs) providing free SSL certificate protection and initiatives such as Let’s Encrypt issuing over 1 million free certificates, budget should not now be a sticking point for using a trusted certificate.
Myth: Performance will be negatively impacted
In the past it was a commonly cited concern that implementing HTTPS placed an unnecessary burden on compute power and website performance. That is no longer the case. Performance overheads on compute are in the region of single-digit percentages (when implemented efficiently), and they are offset by the benefits of HTTP/2 (which the major browsers only support over HTTPS). Also, if you’re using a CDN (which almost everyone should be), the majority of the compute overhead will never be within your environment.
Myth: IP usage means it will be expensive and impossible to get from your host
With IP resources dwindling, efficient use of IP addresses is critical for all providers, and the technology world has addressed the most common reason for needing additional IPs: Server Name Indication (SNI) allows multiple certificates to reside on the same IP address. In the past, push-back was based on Windows XP with IE not supporting SNI; with that combination now unsupported and only a few other minor clients lacking SNI, it shouldn’t be a major impediment to maintaining security (either use SNI and exclude a very small percentage of users, or use a dedicated IP address and allow access to all).
Myth: Caching will affect performance and implementation
Caching with TLS is reduced at the network layer, but that doesn’t mean caching is removed entirely for the application. Client-side caching will still be used, and if you are using a CDN, the content can still be cached on the provider’s edge servers (dependent on your provider and usage).
Myth: Difficulty of implementing prevents usage
Far too frequently sites include non-HTTPS resources on their HTTPS pages or misconfigure their setup, giving ugly warnings to end users, but it doesn’t have to be that way. Automatic HTTPS deployment tools such as those from Let’s Encrypt or common CDN providers allow the infrastructure side of HTTPS to be completed easily. Ensuring that all site content is loaded over HTTPS can be slightly more difficult and time consuming, but thankfully the “upgrade-insecure-requests” Content Security Policy directive allows developers to ease the implementation pain.
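The mixed-content problem described above is easy to check for before it reaches users. The following Python script is an added example written for this article, not the author's or any vendor's code: it scans an HTML document for sub-resources referenced over plain http:// (which browsers block as "active" mixed content or flag as "passive" on an HTTPS page) and checks whether an enforced Content-Security-Policy response header carries the upgrade-insecure-requests directive that would rewrite them to https://. The sample page, headers and hostnames at the bottom are constructed for the demonstration.

```python
"""Mixed-content finder for HTTPS pages (added example, not the article's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute(s) that carry a sub-resource URL for each element we inspect.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
}

# Elements whose content can run code or change the page: browsers block
# these outright as "active" mixed content. The rest are "passive" and are
# shown with a degraded padlock (or blocked, depending on browser version).
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


def _urls_from_attr(name, value):
    """Yield the candidate URLs in one attribute (srcset holds several)."""
    if name != "srcset":
        yield value.strip()
        return
    for candidate in value.split(","):
        parts = candidate.split()
        if parts:
            yield parts[0]


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            for url in _urls_from_attr(name, value):
                # Only absolute http: URLs are mixed content. Relative and
                # protocol-relative ("//host/path") references inherit https.
                if urlsplit(url).scheme.lower() == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, url, kind))


def find_mixed_content(html):
    """Return [(tag, url, kind), ...] for every http:// sub-resource in html."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def csp_upgrades_insecure_requests(headers):
    """True if an enforced Content-Security-Policy header contains the
    upgrade-insecure-requests directive. Browsers ignore the directive in
    Content-Security-Policy-Report-Only, so that header is not considered."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        directives = {d.strip().split()[0].lower()
                      for d in value.split(";") if d.strip()}
        if "upgrade-insecure-requests" in directives:
            return True
    return False


# Constructed sample page and response headers (hostnames are placeholders).
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/analytics.js"></script>
</head><body>
<img src="http://images.example.test/hero.jpg">
<img src="/local/logo.png">
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>"""

SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "default-src 'self'; upgrade-insecure-requests"),
]

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
    print("upgrade-insecure-requests enforced:",
          csp_upgrades_insecure_requests(SAMPLE_HEADERS))
```

On the constructed sample the script reports the stylesheet and iframe as active mixed content and the image as passive, while the protocol-relative and same-origin references are correctly left alone. Running it against your own pages (feed it the served HTML and headers) shows whether the CSP directive is actually enforced or only present in a report-only header, which browsers ignore for upgrades.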
To conclude (and a final warning)
Overall, the security and technology landscape along with consumer/end user perceptions means having HTTPS sites is becoming as normal as having your own, short and accurate domain name. It can make your site more secure, faster and therefore better for your customer, all with potentially minimal cost and impact to you, so why not? (Yes, there are a few, niche reasons why not, but in general, the question should be “Why shouldn’t I use/provide HTTPS?” not the opposite approach.)
Although HTTPS improves the security of data in transit and provides authentication, it shouldn’t be your only way of securing an environment: it isn’t going to protect data at rest in your application, nor stop application-level attacks by malicious parties. Additionally, consumers should not assume an application is trustworthy simply because it has HTTPS, as the certificate issuance process does not necessarily examine the whole picture. Using HTTPS should be one part of your security strategy, but it is one of the easier, cheaper and more beneficial parts to complete right now, so go forth and HTTPS!
Article image credit Fabio Lanari