How to improve security and performance with HTTPS and HTTP/2
This is a Part 1 of a series of blog articles discussing new standards and technologies our company has been implementing.
Standard Beagle strives to keep on the forefront of technology on the web – it helps us consistently provide the best possible service to our clients. We wanted to explain some of the steps we have recently taken with our clients’ sites that will aid in providing that service.
Over a small series of posts, we will review what Standard Beagle has done to increase speed, enhance security, and improved stability of the servers and the sites we host on them. In this post, we will take a dive into the upgrade to HTTPS – the why, a little bit of the how, and the benefits that come doing so.
We’ll touch on two main points here that go hand-in-hand: the security gained from HTTPS, and the added benefit of speed increase we get from HTTP/2.
Security
Firstly, what is HTTPS? Before discussing HTTPS, let’s first briefly define plain ‘ol HTTP.
HTTP stands for Hypertext Transfer Protocol. It’s the foundation for communication on the web. Hypertext refers to the ability to use links (hyperlinks) between nodes of text. When you’re cruisin’ the web, that’s the road you’re cruisin’ on.
There are other protocols besides just HTTP. File Transfer Protocol (FTP) is used for — as you would guess — transferring files between a server and a client (between where the site is hosted and your computer, for instance).
There is also SSH File Transfer Protocol (SFTP), which is FTP with a secure connection. It uses SSH, which is beyond the scope of this article but is something we actually do use a lot to keep our connections with client servers secure when passing files back and forth. Because of SSH, SFTP works faster than FTP. SSH itself is worth taking a deeper look into.
Bringing up the difference between FTP and SFTP makes it easy to comprehend what the ‘s’ gives us in ‘HTTPS’. Wikipedia gives us a proper definition:
HTTPS … is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data. (https://en.wikipedia.org/wiki/HTTPS).
So just like SFTP gives FTP a secure channel to discuss for file transfers, HTTPS gives HTTP a secure channel for Hypertext to do its thing. Underneath the layer of SSL/TLS, the HTTP part is the same as HTTPS. It simply provides the connections a secure route through a “handshake” between the client and the server. You obtain the ability to complete this handshake with a certificate and key.
The certificate allows the connection, and the public/private key pair is what the server sees to confirm the encryption. Thawtte.com has a great real-world comparison: “When a web browser contacts your secured web site, the SSL certificate enables an encrypted connection. It’s kind of like sealing a letter in an envelope before sending it through the mail.”
The why of HTTPS
The first initial “Why” of HTTPS then becomes pretty clear: we have websites we build and/or host, and we want to keep these sites secure! One big way of doing this is to obtain those SSL certificates and then configure those sites to use HTTPS. But why is there so much being put into securing the web overall? Does every site need to be secured? YES. We can think of a few (out of many) scenarios that HTTPS helps us come to that conclusion:
Public WiFi
Say you are on your laptop (or even phone) at a coffee shop, using the public WiFi they let you use for free. Super convenient, right? It is pretty commonly known, however, that many hackers are able to tactics like content injection to insert malicious content, or even setting up a fake Wireless Access Points (WAP) and disguise it as a free wireless service near the local Airport. This can compromise who can see your information and data, and what they can do with it. Using something like HTTPS, along side other security best practices, could help make sure information you’re sending to websites gets there in a secure manner.
E-commerce site
Say you’re at home instead of a coffee shop, on your secure home wireless network (remembering to put an incredibly difficult password on it, of course). You shop on a site, give your credit card information and purchase an item. That credit card information is sent over to the site, connected to your username and password for that site.
Without HTTPS talking back and forth with your computer, someone could try to steal that information along the way through a multitude of methods. Securing that connection allows for your credit card info to only go to its intended destination.
Spoiling the bunch
Something that may not be as apparent is that securing your site can help secure other sites you don’t even know about. For instance, you have a username and password. You securely send that information upon registering to a site. Because that site was secured using HTTPS, no one else can get your login info (a lot of times, not even the site owners themselves). If the connection is not secured, your username and password could be compromised.
But it may not even stop there – maybe the hacker that obtained this info is able to find out other sites you have used the same login and password for. This allows them access to other sites, and from there they can obtain logins and passwords from other people you have no real connection to. This is one security benefit that takes a broader look at the process as a whole. The decision to secure your sites is essentially a decision to aid in securing other sites you connect with as well.
Speed
HTTPS is what allowed us to utilize the increase in page load speed by way of HTTP/2. It’s one of the biggest changes to come to the web in recent memory. HTTP/2 builds on the foundation provided by HTTP, and actually doesn’t change at all how HTTP works, but simply changes the way the information is submitted.
One key difference is that you could only send requests one at a time using HTTP, whereas HTTP/2 allows you to send multiple requests without having to wait for a response through mulitple streams but still only needing just the one open connection to the server. HTTP2 then benefits from the usage of HTTPS to secure that channel, and is a reason why a lot of providers will require HTTPS alongside the inclusion of HTTP/2.
Why is speed important? The answer you commonly hear – and is definitely one of the most important points – is that is provides a better user experience. A great user experience for a website is critical (we have even written about it fairly recent). Many different articles have been written about the drop-off from visitors a website can get if page load exceeds 2-3 seconds. Here is another that discusses both mobile and desktop load times. The fact that can be most jarring from that article is the fact that “40% of people abandon a website that takes more than 3 seconds to load”. For affiliate sites or e-commerce sites, that can have large repercussions to the bottom line.
Google’s recommendation
As far as SEO is concerned, Google has been giving a ranking boost to sites using HTTPS since 2014. On top of that, as recent as November 2015 they advised that GoogleBot will start supporting HTTP/2 by early 2016 at the latest. This actually makes a lot of sense. Google wants the top results for their searches to be pages that load quickly. Therefore, supporting and seeking out those sites using HTTP/2 is in their best interests – and those sites using HTTP/2 have the opportunity for higher SEO rankings.
We have recently upgraded our server to utilize HTTP2 when we transfer our clients to SSL. The results have been pretty remarkable – we are seeing seconds being chipped away at load times for a number of our sites. At the time of writing this post, standardbeagle.com itself is down to 1.90 seconds. Similar numbers are showing up on our client sites (some are even better).
Further research into other methods of optimization could get these sites closer to 1 second or lower. This puts companies like Standard Beagle in a great position to offer the quality websites we have been building already, but that are loading fast.
Wrap up
This is pretty exciting time to be in the web game. Talk of things, such as HTTP2 and the broader use of SSL through HTTPS, has seemed far off until recently. The Web is always pushing forward, and recently has shown evidence of doing so at a breakneck pace. Security and speed are top priorities to keep in mind when building great websites.
