Hypertext Transfer Protocol (HTTP) is an application layer protocol web browsers and web services use to communicate and transmit information over the internet.
Hypertext Transfer Protocol Secure (HTTPS) is a secure communication method that encrypts data in transit between web servers and browsers. Obtaining a security certificate is the most common way to implement HTTPS.
Why do you care?
Despite being foundational to internet browsing, HTTP is unencrypted and attackers can exploit this to “listen in” to the flow of information being exchanged between your server and a web browser. HTTP has other negative business impacts:
- Websites using HTTP will display a red broken lock and a message that the site is insecure.
- HTTP may raise suspicion with customers that your website is insecure or potentially a fraudulent domain, a common phishing tactic.
- Usernames and passwords can be harvested due to the lack of encryption, potentially exposing personally identifiable information (PII) or personal health information (PHI) to attackers.
HTTPS is considered the standard for modern websites, and helps establish authority for your business's website.
How to solve the problem
Upgrade to HTTPS to create a more secure experience for your business. We recommend obtaining a security certificate from a commercial or free source.
We estimate that 94% of organizations scanned in the last year have at least one unencrypted service exposed to the internet. Prioritize upgrading Apache Server, IIS 10, and Nginx — these three web server technologies are most often identified as using HTTP in our scans.
Consult with the following resources for each web server.
1) Setting up TLS on Apache Server
- https://www.ssl.com/how-to/install-ssl-apache-mod-ssl/
- https://www.ssl.com/how-to/redirect-http-to-https-with-apache/
2) Setting up TLS on IIS 10
- https://www.ssl.com/how-to/install-an-ssl-tls-certificate-in-iis-10/
- https://www.ssl.com/how-to/redirect-http-to-https-with-windows-iis-10/
3) Setting up TLS on Nginx
- https://www.ssl.com/how-to/install-ssl-certificate-on-nginx/
- https://www.ssl.com/how-to/acme-ssl-tls-automation-with-apache-and-nginx/
SSL vs. TLS certificates
Some components still refer to Secure Socket Layers (SSL), rather than Transport Layer Security (TLS).
-
-
- This is a historical artifact of the evolution of SSL into TLS.
- The last version of SSL, 3.0, was deprecated in 2015.
- Additionally, TLS version 1.0 and 1.1 were both deprecated in 2021.
- When configuring TLS, enable only versions 1.2 and above unless there is a specific business reason to support deprecated protocols.
-