How to use HTTPS to improve web security


HTTP over Transport Layer Security, also known as https, can go a long way toward improving the security and privacy of a website: it encrypts and authenticates the connection between your browser and the site. When you see https:// in a site's URL, it's a sign that the site's operator takes care with its security to protect user data and guard against break-ins.

Here are several approaches you can take to improve web security in the way you browse, share links, and configure your own sites, using https.

Install HTTPS Everywhere in Firefox and Chrome. HTTPS Everywhere from the Electronic Frontier Foundation (in conjunction with the Tor Project) automatically redirects from an insecure to a secure site wherever possible. The browser plug-in is available for Chrome, Firefox, and Opera, and Firefox for Android. Safari (and Internet Explorer) aren’t supported because of design choices in the extension architecture in those browsers.

Use https whenever you can. If you see a link that starts with http:// instead of https://, add the s. Most sites that are kept up to date fully support connections over https, even if they don't default to it or redirect you there. Some sites use a technique I'll describe below, which tells a browser, the first time you visit the secure version of a site, to use only the https version in the future, no matter what kind of link is clicked to reach the site.

Only pass along https links. You can help others by sharing secure links where they are available. Because of the mechanism described above, which many sites employ, sending someone an https link effectively immunizes their browser for that site: once it has visited the secure version, it will use only secure connections to that site in the future.

Complain to sites that lack https. Not every webmaster or small organization wants to hear about why they should use https, but when visitors and customers explain that they’re concerned about privacy overall, a site’s operator may realize they need to make the effort. (While the vast majority of small-business and individual sites are hosted by larger firms, there are still likely millions out there set up long ago by consultants or by someone using a set of instructions provided, and they may be unable to upgrade or don’t know how. Be nice to them—unless they’re jeopardizing the safety of your personal data, in which case maybe be not quite as nice.)

Upgrade your hosted sites. If you're using a service that lets you host a blog, a website, a store, or something else, and it's been more than a couple of years since you've jiggled around the configuration options, check and see whether the site has switched to https, added it as something you can click a box for, or requires that you perform a little internet magic to add. I have several sites hosted at Squarespace, and that service last November added comprehensive support for web certificates across all its subscribers' accounts. However, it might require some action on your part with domain settings or other under-the-hood wiggling to enable.

If employed, make sure your company's site is secured. Some firms may see it as a low priority, especially if they don't offer ecommerce. But https no longer carries the performance penalty it once did, and the basic TLS certificates used for https connections can be obtained at little or no cost. Upgrading security at your company protects the privacy of all its customers.

Tweak your site settings if you run your own server. Let me confess: I self-host a number of sites on a virtual private server (VPS). Despite knowing the importance of https, I only a few days ago went through the pain of revising fairly ancient configuration files and setups for https on the sites that didn't already have it. And I turned on that trick—called HTTP Strict Transport Authority (HSTS)—that, in all browser updates released in the last few years, automatically "locks" a user into the secure site after visiting it once.
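To make the "lock-in" behind this step and the two earlier ones concrete (why one visit to the https version changes how later http:// links are handled, and why passing along an https link helps the recipient), here is an added example that is not part of the article: a small Python model of how a browser stores and applies the Strict-Transport-Security header a server sends. The hostnames and header values are constructed, and the store is deliberately minimal (it ignores the `preload` directive and keeps everything in memory).

```python
"""Toy model of browser HSTS handling.

Once a site has been visited over https and has sent a valid
Strict-Transport-Security header, later http:// links to that host (and,
with includeSubDomains, to its subdomains) are rewritten to https://
before any plaintext request is made. All hosts and header values in
this file are constructed for illustration.
"""

import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is malformed (a missing or non-numeric max-age must be ignored).
    """
    max_age = None
    include_sub = False
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. preload) are ignored in this model
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Remembers which hosts have asked to be reached only over https."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock, handy for testing expiry
        self._policies = {}           # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Record a policy from a response. Returns True if a policy was applied.

        The header only counts when it arrived over https; on plain http it is
        ignored, since an on-path attacker could have injected it.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname            # urlsplit already lowercases it
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 tells the browser to forget
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host (or a parent domain with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:
                continue                 # expired policies no longer apply
            if i == 0 or include_sub:    # exact match, or parent with includeSubDomains
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when a policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):       # explicit default port would be wrong for https
            netloc = netloc[:-3]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # A plaintext link to a never-visited site stays plaintext.
    print(store.upgrade("http://example.com/login"))
    # First secure visit: the (constructed) response carries an HSTS header.
    store.observe("https://example.com/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    # From now on, http:// links to the site and its subdomains are upgraded.
    print(store.upgrade("http://example.com/login"))
    print(store.upgrade("http://shop.example.com:80/cart?id=1"))
```

Note the two checks that matter for the article's point: the header is honoured only when it was received over https, and a policy expires after `max-age` seconds, which is why a site that turns HSTS on should send it with a long lifetime and keep serving https without interruption.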

Part of the reason for the widespread adoption of https by small sites like mine is Let's Encrypt, a project started by the EFF and now run by the Internet Security Research Group with the help of a number of corporate and non-profit backers. Let's Encrypt makes web (and email and other) TLS certificates available at no cost and automates their renewal. Every few months, I receive an email ahead of the certificates' expiration and can enter a single Terminal command to update all my certificates. When I'm confident it works without error, I can even make that an automated operation.

A rockslide isn't all boulders; little pebbles add up. So, too, can we solve the "pollution" of insecure connections by making a slight effort on our part toward a fully secure web.

To comment on this article and other Macworld content, visit our Facebook page or our Twitter feed.