HTTP vs HTTPS: How to Secure Your Site With SSL

Viktoria K.

Copywriter

Dmytro H.

Backend Development Lead


Back in August of 2014, Google officially announced it would use HTTPS as a ranking signal due to security issues.

Google Requires SSL

Google’s move means that migrating your website from HTTP to HTTPS can give you a minor boost in search results. So the short answer to why your website should use HTTPS over HTTP is because Google favors it.

For most companies, Google’s recommending HTTPS is reason enough to make the switch, but all the same we believe that it’s important to know what both protocols mean, what the difference between HTTP and HTTPS is, and what the advantages and disadvantages are of each option. We’d like to begin with an overview of the HTTP protocol and then take a look at why Google wants websites to move away from it.

What is HTTP, how does it work, and why isn’t it secure?

HTTP, which stands for HyperText Transfer Protocol, is a 15-year-old method for transmitting information across the internet. HTTP is the protocol on which the world wide web was built. This protocol works according to a client–server model, as do many other internet protocols. A web browser initiating an HTTP request is called the client, and the web server that responds to that request is called the server.

Let’s say you’re sitting in a cafe and trying to log in to your lovely Facebook profile over the local network, e.g. the cafe’s Wi-Fi (for this example, we’ll assume that Facebook is still using HTTP). The cafe’s Wi-Fi network is public, and anyone who connects to it can access the data being transferred across it. Now let’s take a look at what’s happening with your data when a website is using HTTP. By data, we mean everything including your login and password for your Facebook account.

How HTTP works

To log in to a website (like Facebook), you need to enter your login credentials (generally your email or phone number and your password). As soon as you click the login button, your data is sent to the server. When the server receives your data, it validates it. If everything is correct, the server sends an HTTP status of “OK,” and you are logged in to your account. Easy breezy. Everything seems okay.

But here’s the problem – if your data was transferred over HTTP, then it was sent unencrypted via an insecure connection (HTTP doesn’t use encryption), and so any data transferred with the HTTP protocol is out in the open and can be intercepted or even manipulated by third parties. You’ve probably never heard about a network sniffing attack, but such kinds of traps do exist.

Sniffing attack

Sniffing is a type of attack that hackers use to capture your sensitive network information such as passwords, account information, credit card numbers, user IDs, etc. To accomplish this, hackers usually use a sniffer, an application that can capture network packets. Sniffers are also known as network protocol analyzers, but while network analyzers are essentially network troubleshooting tools, hackers can skillfully use them for nefarious purposes.

If network packets aren’t encrypted (in our example, a packet includes your login ID and password for your Facebook account), the data within this network packet can be read using a sniffer. Sniffing is about capturing network packets, and once a packet has been captured using a sniffer tool, the contents of the packet can be analyzed. In this way, hackers can steal your sensitive and private information.

As we can see, the HTTP protocol has one big weakness – the information transferred via HTTP between your device and a web server isn’t encrypted, and theoretically can be intercepted by a hacker at any time. This disadvantage of HTTP may not seem like a big deal for people visiting purely informational websites. But it creates obvious troubles when dealing with personal information used in online shopping and banking. The security concerns with HTTP, however, can be easily solved by using a secure communications channel known as HTTPS.

HTTPS can also protect you from such hacker attacks as man-in-the-middle attacks, DNS rebinding, and replay attacks – but so as not to confuse you, we’ll continue by describing how HTTPS works and how it can protect you from the sniffing attacks we described earlier.

What’s HTTPS and how can it secure your website?

HTTPS is an internet communication protocol that keeps any kind of data, including your passwords, text messages, and credit card details, safe while in transit between your computer and the server(s) you’re sending this data to. In short, HTTPS is just a secure version of HTTP: the “S” at the end literally stands for “Secure.” HTTPS keeps your data confidential by using the Transport Layer Security protocol (TLS), frequently referred to as SSL (Secure Sockets Layer). But what is an SSL certificate?

An SSL certificate offers three layers of protection: encryption, which means that all data sent between a browser (client) and a website (server) are encrypted so that even if data are stolen or intercepted a hacker won’t be able to decrypt them; data integrity, which guarantees that your data cannot be modified or corrupted during transfer without being detected; and authentication, which verifies whether you are actually communicating with the intended website. To make sure your communications are safe, you can look for a special green padlock in your browser’s URL bar that indicates whether or not a website is secure.

Secured with SSL

Let’s look now at how SSL encryption works and how it can protect your data from sniffers. We’ll continue with the same scenario as before, where you’re trying to log in to your Facebook account with your email and password. Remember that this time you’re logging in to Facebook over an HTTPS connection that is secured by an SSL certificate.

SSL certificates use what is known as asymmetric Public Key Cryptography, or a Public Key Infrastructure (PKI) system. A PKI system uses two different keys to encrypt communications: a public key and a private key. Anything that is encrypted with the public key can only be decrypted by the corresponding private key and vice-versa.

Note that the private key, as its name suggests, should be kept strictly protected and should only be accessible to the owner of the private key. With a website, the private key must be kept secure on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was initially encrypted with the private key. Now that we understand how public–private key pairs work, we can move on to describing how SSL certificates work. We’ll split this process up into several steps to make it easier to follow.

How does the SSL certificate work?

Step 1. Establish a secure communication between the server and the browser by means of a handshake. The handshake process starts when the browser makes a URL request (for instance, when you enter "https://www.facebook.com/" into your address bar). By sending this URL request, the client initiates a secure SSL connection between the client’s browser and the server, transmitting communication options such as version and type of encryption. The client’s request to initiate an SSL connection is called a client hello.

Step 2. The next step is called a server hello. Having received the client’s request, the server responds by sending a copy of its SSL certificate along with its public key, thus completing the client hello process.

Step 3. As soon as the client receives this data back from the server, the browser verifies whether it implicitly trusts the certificate or whether the certificate can be verified by one of several Certificate Authorities (CAs) that the browser does implicitly trust. This method works because each browser has a pre-installed list of trusted SSL certificates from Certificate Authorities (CAs) that you can view, add, and remove. These certificates are controlled by a centralized group of security organisations including Symantec, Comodo, and GoDaddy. If a server presents a certificate from the browser’s list, then it knows that the website can be trusted. While verifying an SSL certificate, the browser also creates a unique symmetric key using the public key sent by the server. At this point our data are finally encrypted.

Step 4. Then the server sends back a signed acknowledgement. Upon receiving this acknowledgement, the server and client initiate an SSL encrypted session. This is how SSL provides authentication.

Step 5. Now that an SSL session has been established, the client and the server can share previously encrypted data safely. The symmetric key that was created during this process is unique to the particular SSL session, and can be used to encrypt/decrypt data exchanged between the client and server during that session.
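The client hello from Step 1, as an added example that is not code from the original article: Python's standard `ssl` module builds the message in memory without opening a connection, and a small parser lists the options the client offers. The hostname `www.example.com` and both function names are assumptions of this example.

```python
import ssl
import struct


def capture_client_hello(hostname: str) -> bytes:
    """Return the raw client hello the local TLS stack would send (no network I/O)."""
    ctx = ssl.create_default_context()          # trusts the system CA list
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the server hello
    return outgoing.read()


def parse_client_hello(data: bytes) -> dict:
    """Decode the unencrypted fields of a TLS client hello record."""
    record_type, _record_version, record_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + record_len]
    if record_type != 22 or len(body) < 39 or body[0] != 1:
        raise ValueError("not a TLS client hello")
    pos = 4                                     # skip type (1) + length (3)
    legacy_version = (body[pos], body[pos + 1])
    pos += 2 + 32                               # version + client random
    pos += 1 + body[pos]                        # session id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                        # compression methods
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    extensions, end = {}, pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        extensions[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    server_name = None
    if 0 in extensions:                         # server_name (SNI)
        sni = extensions[0]                     # list len(2) type(1) name len(2) name
        (name_len,) = struct.unpack("!H", sni[3:5])
        server_name = sni[5:5 + name_len].decode("ascii")
    versions = []
    if 43 in extensions:                        # supported_versions
        sv = extensions[43]                     # list len(1), then 2-byte versions
        versions = [(sv[i], sv[i + 1]) for i in range(1, 1 + sv[0], 2)]
    return {
        "record_type": record_type,
        "handshake_type": body[0],
        "legacy_version": legacy_version,
        "offered_versions": versions,
        "cipher_suites": suites,
        "server_name": server_name,
    }


if __name__ == "__main__":
    hello = parse_client_hello(capture_client_hello("www.example.com"))
    for key, value in hello.items():
        print(f"{key}: {value}")
```

Every field printed here travels before encryption starts, so the requested hostname is visible to anyone on the same network even though the page content sent later is not.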

How HTTPS works

Using an HTTPS connection secured with an SSL certificate gives you all the protections we mentioned earlier. You get authentication, so you can know that you’re communicating safely with the intended server. You get data encryption, so that even if a sniffer intercepts and steals a network packet that includes the public key, they’ll never be able to decrypt it. And of course you get data integrity, so you can transfer your confidential data without worrying about their being corrupted or modified without your detecting it.

Does my website need an SSL certificate?

Before you make the decision whether to use HTTPS instead of HTTP, we’d like to sum up the major benefits for your website of HTTPS (along with SSL protocol) instead of HTTP:

  • Security. All the information that you and your customers transfer to and from your website is encrypted and verified (ensuring data integrity). This saves you from a number of potential hacking attacks such as sniffing, man-in-the-middle, etc. and provides your business with a baseline of security.
  • Trust. While more about physical factors, people feel better doing business with a website that cares about the security of their confidential information. HTTPS and SSL help websites to build trust in their business relationships.
  • SEO. Even a minor search engine ranking boost will help users find your website.

At RubyGarage, we recommend that all new websites use HTTPS. If your website is already built, you can migrate from HTTP to HTTPS, but you don’t necessarily have to right this moment. If you’re interested in getting a new or current website working with HTTPS, we can assist you with the whole process from buying a certificate to ensuring that incoming HTTP links continue working properly.
