WordPress Security

Why should I have https on my website?

In the last week, panic has spread a bit with the arrival of Google Chrome 68, the new version of the Google browser that marks as insecure all pages that do not have the https protocol implemented. But what exactly does it mean not to have https:// at the beginning of the URL of our website?

Technically speaking, it means that SSL/TLS encryption is not applied to the data that visitors to our website send through it.

Why should I have https on my website?

So that we all understand each other: what the https protocol does is that when a user sends data through a form, the data is encrypted in transit, which makes it unreadable to anyone intercepting it, and that is what keeps the data safe.

How can hackers read our data?

There are different techniques, but the simplest is sniffing: basically listening to network traffic with a program like Wireshark. With today's router security systems and protocols it is not as easy as it used to be, but there are still plenty of ways to get that data. For this reason it is important to have SSL/TLS encryption activated on our site. To be more illustrative, I have made some captures of the data that is sent between our website and the server when you access /wp-admin, both with and without https on your website.

What do you send when you have https

I have created a user called "TestUser" with the password "testpassword" in a test installation. In this first screenshot we see what the login details look like when we access our WordPress.

Screenshot where the data is shown when we log in to a WordPress with an active SSL certificate

As we see in the 5th column, the protocol is TLS; this record is the browser sending data to the server. If we inspect it from the inside, we can see that we can't understand anything, except for the occasional URL that I have hidden with a security filter, as shown in the following screenshot.

Specific data of the request for access to WordPress with https on our website

Within that unreadable data are the encrypted values: our username and password, or any other data that we pass through a form on our website.

What you send without having https

When our website does not have SSL/TLS implemented, every request that sends data to the server to perform an operation uses the traditional http protocol, and in this case what we find when we take a look at the data is something very different from the above.

Sample of the data of our users sent through POST without ssl activated on our website

In this screenshot we find quite interesting things: it tells us which file is being called with the POST method (wp-login.php, over HTTP/1.1), and we can also see that it later does a GET to the profile.php file inside wp-admin. None of this was shown so clearly before, but that's not all: if we click on the request marked in blue, we can clearly see the user data that we entered in our form, that is, the username and password.

User data where the username and password are clearly shown by the request

Here we clearly see log=testuser, which is our user, and pwd=password%C3%B1oftest, which if you look closely has some strange characters in it; but that is nothing more than an "ñ" in UTF-8, percent-encoded, and if you look it up on a page like UTF-8 encoding you can check exactly which character it is. So we would already have the username and password of the person who logged into your WordPress. It is not an example that commonly happens in real life, but it is quite illustrative of what having https activated on our website does.
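To make the contrast between the two captures concrete, here is an added example (not code from the original post) that takes one captured request as bytes and reports which login fields a passive observer on the network could read. The HTTP request and the TLS record are constructed samples modelled on the screenshots, and the field names `log` and `pwd` are WordPress's own login form fields; the `ñ` is recovered from `%C3%B1` exactly as described above.

```python
from urllib.parse import parse_qs

# Constructed samples modelled on the post's screenshots (not real captures).
# 1) The WordPress login form submitted over plain HTTP.
CLEARTEXT_LOGIN_REQUEST = (
    b"POST /wp-login.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"log=testuser&pwd=password%C3%B1oftest&wp-submit=Log+In"
)
# 2) The same submission on the wire under TLS: an application-data record
#    header (type 0x17, version 0x0303, length) followed by opaque ciphertext.
TLS_RECORD_SAMPLE = b"\x17\x03\x03\x00\x10" + bytes.fromhex("9f3c41d27ab0e5f8c1d64a0be39c7d52")

CREDENTIAL_FIELDS = ("log", "pwd")  # WordPress login form field names


def parse_http_request(raw: bytes):
    """Return (method, path, headers, body), or None if raw is not a plaintext HTTP/1.x request."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # ciphertext or other binary data: nothing an observer can read
    head, _, body = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def decode_form_body(body: str) -> dict:
    """Percent-decode a urlencoded form body; '%C3%B1' is the UTF-8 encoding of 'ñ'."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def exposed_credentials(captured: bytes) -> dict:
    """Credential fields a passive observer could read from one captured request."""
    parsed = parse_http_request(captured)
    if parsed is None:
        return {}  # TLS: only the record header is visible, the form is not
    method, _path, headers, body = parsed
    if method != "POST" or not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    fields = decode_form_body(body)
    return {name: fields[name] for name in CREDENTIAL_FIELDS if name in fields}
```

Running `exposed_credentials` on the HTTP sample returns the username and the decoded password, while the TLS sample returns an empty dict; the same logic can be pointed at your own site's traffic to confirm the login form is only ever submitted over https.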

Just imagine that this data were that of our bank card or something similar. For this reason, I always recommend being very careful on open public networks that look suspicious, since you never know who may be listening.

The importance of having https on our website

In conclusion, after what has been shown, I can only say that even if you don't care whether Google shows your website as insecure, at least implement https for the clients/users who browse your website and trust that everything is safe and that nothing will happen to their data.

If you don't know how to implement an SSL certificate on your website, you can ask us for a quote and we will install it on your WordPress without problems.

Until next week, greetings! 😀
