Blog post

Serve websites over HTTPS (always)

Created:  06 Jun 2018
Updated:  06 Jun 2018
Author:  Jamie H

Securing websites so that they keep user data private is an essential element of the modern web. There are many aspects to this, but two of the most important are ensuring that users reach the site they are expecting, and that their data is protected in transit when they send it to the site. Both of these are achieved using HTTPS.

HTTPS (HTTP carried over TLS, the Transport Layer Security protocol) protects website content while it is being delivered to the user. TLS authenticates the server, so the browser can check it is talking to the genuine site; encrypts the traffic, so that it cannot be read in transit; and protects its integrity, so that any modification in transit is detected and the connection fails rather than silently showing tampered content.

As we state in our HTTPS guidance, all websites should use HTTPS, even if they don't include private content, sign-in pages, or credit card details. And this approach is starting to be enforced by modern browsers - in July this year, Google Chrome will start to mark websites not using HTTPS as insecure.

We anticipate other browser vendors adopting a similar stance to Chrome's on sites not using HTTPS exclusively. There are signs that this is coming: Mozilla Firefox and Apple Safari already have similar warnings for sites which do not serve sign-in pages over HTTPS, and Firefox will also restrict its new features to sites which are using HTTPS.

If you are responsible for a website and you want to test whether it's being served over HTTPS, all you need to do is visit the site. If you see the padlock icon in the address bar with no errors or warnings, everything is as it should be. Ideally you should test this with all the browsers your visitors use, and on every hostname and entry page, not just the home page. If you're having problems, the NCSC has some useful reading on the use of TLS.
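As an added example that is not part of the original post, here is a Python script that turns the "visit the site and look for errors" check into something you can run against every entry point of a site. It audits three things a browser would otherwise flag: whether plain HTTP redirects permanently to https:// on the same host, whether the HTTPS response sets Strict-Transport-Security with a max-age of at least a year, and whether the page pulls scripts, styles, images or frames over http:// (mixed content). The host name www.example.gov.uk and the HTTP responses are constructed for the example; the one-year HSTS threshold is a common operational choice, not a figure from this post. The fetch_live helper uses ssl.create_default_context(), so a bad certificate chain or host-name mismatch raises an error instead of a padlock warning; it is only needed if you point the audit at a real site.

```python
"""Offline audit of an HTTPS deployment (example code, not NCSC tooling)."""
import re
import ssl
import http.client
from urllib.parse import urlsplit

# Hypothetical host name used only in the constructed samples below.
HOST = "www.example.gov.uk"

# One year in seconds: a common minimum HSTS max-age (assumption, not from the post).
MIN_HSTS_MAX_AGE = 31536000


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(http_raw: str, https_raw: str, host: str):
    """Return a list of findings for one host; an empty list means it passes."""
    findings = []

    # 1. Plain HTTP must permanently redirect to HTTPS on the same host,
    #    never serve content itself.
    status, headers, _ = parse_response(http_raw)
    location = headers.get("location", "")
    target = urlsplit(location)
    if status not in (301, 308):
        findings.append(f"HTTP returns {status}; expected a permanent redirect (301/308)")
    elif target.scheme != "https" or target.hostname != host:
        findings.append(f"HTTP redirects to {location!r}, not to https://{host}/")

    # 2. The HTTPS response must carry HSTS so later visits never start over HTTP.
    status, headers, body = parse_response(https_raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below one year")

    # 3. Mixed content: active or passive subresources fetched over http://
    #    make the browser downgrade or block the page even though the page is HTTPS.
    pattern = r"<(script|link|img|iframe)\b[^>]*?(?:src|href)=[\"'](http://[^\"']+)"
    for tag, url in re.findall(pattern, body, re.I):
        findings.append(f"mixed content: <{tag}> loads {url}")

    return findings


# Constructed sample responses (not captured from any real site).
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    f"Location: https://{HOST}/\r\n"
    "Content-Length: 0\r\n\r\n"
)
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><script src="https://cdn.example/app.js"></script></html>'
)
BAD_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html>served in the clear</html>"
)
BAD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><script src="http://cdn.example/app.js"></script>'
    '<img src="http://cdn.example/logo.png"></html>'
)


def fetch_live(host: str, https: bool) -> str:
    """Fetch '/' from a real host and return the raw response text for audit().
    The default SSL context verifies the chain and host name, so a certificate
    problem surfaces here as an exception. Redirects are deliberately not followed."""
    if https:
        conn = http.client.HTTPSConnection(host, 443, timeout=10,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    return head + "\r\n" + resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print("good:", audit(GOOD_HTTP, GOOD_HTTPS, HOST) or "no findings")
    print("bad: ", audit(BAD_HTTP, BAD_HTTPS, HOST))
```

To run it against a live site, replace the constructed samples with `fetch_live(host, False)` and `fetch_live(host, True)` for each hostname your site answers on; a site passes only when every hostname returns no findings.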

If you're in the UK public sector you can sign up to NCSC's Web Check service, which will now alert you if any of your sites are not using HTTPS. It will even tell you if your site looks misconfigured. You can then set about remedying the problem.

Jamie H
Senior Security Researcher

3 comments

Dave Aitken - 11 Jun 2018
Some of the advice is out-of-date:
"If you are responsible for a website, and you want to test whether it's being served over HTTPS, all you need to do is visit the site. If you see the padlock icon in the status bar with no errors, everything is as it should be. Ideally you should test this on all the browsers that visit your site."
At least one browser has or soon will discontinue presenting a padlock symbol, on the basis that it will present a (strident?) 'Not Secure!!' alarm to the user visiting non-HTTPS
URL: https://www.cnet.com/news/say-good-bye-to-that-green-secure-lock-on-google-chrome/
Jamie H - 12 Jun 2018
Dave,

Thanks for your comment.

The removal of the padlock icon and replacement with negative indicators like "NOT SECURE" will have a positive impact on the web. The "NOT SECURE" text is a good example of the sort of error we suggest people look for when checking their site, as we mentioned in the blog.
SN Prasadd Dodla - 11 Jun 2018
Best information
