second fundamental https security

The Second Fundamental of a Great Google Ranking


Whilst having a website is good, having a secure, trustworthy website is now mandatory. You cannot just have a website in 2017 without thinking hard about the security of your users' data, whether that is simply a name and email address when they download something or their full credit card details.

Hackers build profiles over time: small snippets of data can be combined into a full customer profile, which is then used to clone identities and obtain goods and services from other merchants. If marketers are able to track people and see what they are getting up to, hackers are doing it too.

So this is part 2 of our five part series into the 5 Fundamentals.

The 5 Fundamentals are:

  1. Load Speed
  2. HTTPS Security
  3. Content Distribution Network
  4. Google User Rating
  5. Mobile Readiness

With these five items optimised, your website has a firm technical basis to support all your efforts online. Failing to pay attention to these elements could make everything else you do wasted effort, costing you more for PPC and SEO and lowering your return on investment.

We’ve discussed HTTPS security before and the implications for Chrome Browser users here.

What we will look at in this post is what actually happens when a browser connects over HTTPS, how that affects load speed and what you can do about it.

So what happens when you use HTTPS?
When your computer, laptop, phone or other device connects to a server, unless TLS/SSL is in use the data being transmitted is open to anyone who cares to look at it. So if you transmit bank details, personal details, passwords or other "sensitive" data (and sensitive can be a relative term) over an unencrypted connection, it is exposed. Without an encrypted connection you are relying on trust that no one other than your intended recipient is looking at the traffic.

Of course hackers and ne'er-do-wells are not likely to honour that trust and will be actively on the look-out for weak, unencrypted connections handing over useful bits of information. Remember, this is not someone staring at a computer screen; it is software that monitors vast numbers of connections around the planet. Not to make you paranoid, but the hackers of today are no longer lone guys in bedrooms; they include government agencies trying to destabilise each other's economies. Think I am making that up? Here is a map that shows live cyber attacks in operation, hosted at http://map.norsecorp.com.

Therefore it is more important than ever to protect not only your website but your visitors' connection to it; otherwise it is much easier for an attacker to monitor the connection, capture the logins and then effectively take over your website.

So, we have established that an HTTPS connection is now required in 2017 for your website. What is going on when a user connects to it?

The VERY Simplified Guide to HTTPS Connection.

Who is that? Browser says "Hello" – The handshake breaks the connection setup down into separate steps. First the browser sends a "ClientHello", offering the server a list of the cipher suites (encryption algorithms) it supports, along with the host name it wants to reach.

Who is it back-atcha? Server says "Hello" – The server replies with a "ServerHello" that picks one of the offered cipher suites, followed by its certificate so that the browser can verify the server is who it claims to be.

You for real? The browser checks out the TLS certificate – Your browser then has to decide whether it can trust this server. It checks that the certificate is well formed and within its validity period, that its public key is authorised for the key exchange being used, and then verifies the signatures on the certificate chain back to a certificate authority it already trusts, using some very complex but elegant maths. A final check is that the host name on the certificate matches the one the browser asked for; this is what prevents "man-in-the-middle" attacks.

Next you verify your sources – Having verified the server and agreed which encryption to use, the two sides set up the secure connection using a "pre-master secret". This is random secret material that a "man in the middle" cannot work out: with RSA key exchange the browser encrypts it with the server's public key, and with (EC)DHE key exchange each side contributes a share so that no private value ever crosses the wire. Your browser then transmits an unencrypted "Change Cipher Spec" record, its way of telling the server that everything it sends from here on will be encrypted with the agreed keys.

Has all been done right? – If so, both sides derive the same "master secret" from the pre-master secret and the random values exchanged in the hellos, and from that the "session keys" that actually encrypt the traffic. The final handshake message your browser sends is the "Finished" message: it contains a check value computed over every handshake message so far, which proves no one tampered with the handshake and proves the browser knows the secret.

Time to get secure – Now all that's left is to encrypt the traffic with the symmetric cipher the two sides agreed on in the hellos. That cipher used to be RC4, Ron Rivest's very simple stream cipher that generates a stream of pseudo-random bytes from a key of up to 256 bytes, but RC4's output has known statistical biases and it has been prohibited in TLS since RFC 7465 (2015); modern browsers refuse it. Today the cipher will normally be AES in GCM mode or ChaCha20-Poly1305, both of which also authenticate each record so that tampering is detected.

The server does the same – Something similar happens at the server end: it sends its own "Change Cipher Spec" and "Finished" message, and because the server's Finished is computed over the whole handshake including your browser's Finished, it proves the server decrypted and verified your message correctly.

The HTTPS handshake takes a couple of network round trips and sets up the "application layer", so you can then send normal HTTP traffic that will be encrypted by the TLS connection.

And finally – The connection stays open as your browser and the server communicate until either side sends a "close notify" alert and closes the connection. If the browser reconnects, it can resume the session quickly by re-using the negotiated keys, provided the server still has them cached, which avoids the expensive public-key operations; otherwise a completely new full handshake has to be started.

And all of that usually happens inside half a second, often much faster; the real cost is the extra network round trips, not the maths.
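The "hello" exchange described above, as an added example that is not part of the original post: a Python script that builds a TLS 1.2-style ClientHello record for a given host name and cipher-suite list, parses it back out, and flags any RC4, NULL or export-grade suites on offer. The byte layout follows RFC 5246 (record header, handshake header, ClientHello body) and RFC 6066 (the server_name extension that carries the host name the browser later checks against the certificate). The host name and suite list are made-up inputs, and the cipher-suite name table is a hand-picked subset of the IANA registry, not a complete one.

```python
import os
import struct

# Hand-picked subset of the IANA TLS cipher-suite registry (code point -> name).
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def build_client_hello(host, suites, client_random=None):
    """Return a TLS record containing a ClientHello for `host` offering `suites`."""
    client_random = client_random or os.urandom(32)
    # server_name extension (type 0): list length, then name_type=0 (host_name), name length, name
    name = host.encode("idna")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_list = struct.pack(">H", len(entry)) + entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + client_random                  # 32 random bytes, later mixed into the master secret
        + b"\x00"                        # empty session_id (no resumption attempted)
        + struct.pack(">H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                    # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # type 0x16 = handshake


def parse_client_hello(record):
    """Parse a ClientHello record; return version, offered suites and the SNI host name."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                          # skip version and client random
    pos += 1 + body[pos]                   # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                   # skip compression methods
    sni = None
    if pos < len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000:            # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack(">H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("idna")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def weak_suites(suites):
    """Names of offered suites a 2017-era server should refuse (RC4 is banned by RFC 7465)."""
    names = [CIPHER_SUITES.get(s, "unknown_%04x" % s) for s in suites]
    return [n for n in names if any(bad in n for bad in ("RC4", "NULL", "EXPORT"))]


if __name__ == "__main__":
    # Constructed sample: a browser reaching for a made-up host with one stale RC4 suite on offer.
    rec = build_client_hello("www.example.com", [0x1301, 0xC02F, 0x0005])
    info = parse_client_hello(rec)
    print("SNI:", info["sni"], "version: 0x%04x" % info["version"])
    for s in info["cipher_suites"]:
        print("  offered 0x%04x %s" % (s, CIPHER_SUITES.get(s, "?")))
    print("weak:", weak_suites(info["cipher_suites"]))
```

The server's job in the real handshake is the ServerHello step above: pick the first suite from this list that it also supports and refuse the weak ones outright. Running the script against a capture of your own site's ClientHello (for instance from a packet trace) shows exactly what your visitors' browsers are offering before any certificate is checked.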

Won't this slow down my site?
A little, and more so if your site is slow to begin with. The extra cost is mostly the handshake's additional network round trips on every new connection, not the encryption itself, which modern CPUs handle cheaply. A page that opens many separate connections for its scripts, images and fonts pays that handshake cost over and over, so a slow site will feel slower still. The fixes are the same ones that speed up any site: fewer connections, session resumption so that returning visitors skip the full handshake, and HTTP/2, which browsers only offer over HTTPS and which multiplexes everything over a single connection.

Whilst HTTPS on its own will not make your website itself secure (it protects the connection, not the software running on the server), it forms part of an overall approach that can greatly improve the robustness and security of your website, along with a server firewall, website security software and good management that keeps the site up to date. A decent commercial site now needs to be monitored and checked, kept secure and safe, and most small businesses are not fully equipped to deal with this, which is why Mister Metric exists to offer support where it is needed.

We hope this has underlined the importance of the second Fundamental and that you are now keen to ensure your website is using HTTPS. We offer a FREE testing service that allows you to test and track your results. Claim your FREE account on MisterMetric.com, monitor and track your load speed, and take this issue seriously to improve how effective your website is.

Claim Your Free MisterMetric.com Account Here


About Stuart Morrison

Stu Morrison's background in marketing, entertainment and web development has fused him into a guy thirsty for results in marketing. His regular talks on marketing and web conversion help others to gain more revenue from their websites. He also has a big moustache.