HTTP vs HTTPS: Risks of not using an SSL certificate on your website

HTTP vs HTTPS and SSL certificates can be a confusing topic. You probably know that you need to use “https” because your web browser has marked your website as insecure. But why is it insecure, and what are the risks of not using an SSL certificate?

What is http vs https and SSL certificates?

SSL stands for “Secure Sockets Layer” and it is exactly that – an extra layer of security. It encrypts any data that is sent between your visitor’s web browser and the web hosting server. This means any information you submit (including payment details and passwords) will be encrypted during transit, and therefore cannot be read by anyone who intercepts it.

How can my data be intercepted?

Any information transmitted to and from the internet can be intercepted by other users on the same network. When you transmit data from your computer, it travels along a series of “hops” – these are servers and routers that sit between you and the final destination server. Your data could be intercepted at any point along this chain.

So how can an SSL certificate help?

When using “http” the data is not encrypted; it is sent in plain text. This means your login details, passwords, or even credit card information can be read by anyone who can access it. When you use “https” your data is encrypted, so while it can still be intercepted, it is scrambled and only decipherable by the web server at the destination.

The same applies to secure email settings. We recommend using the secure ports for email over the standard insecure ones. When you use 465 or 587 for your outgoing SMTP server the connection is fully encrypted, while mail sent over the default port 25 travels in plain text. The equivalent secure port for IMAP is 993, instead of the default 143. Using the insecure ports for your email means that your login details and your emails themselves are sent in plain text and can be intercepted and read. This is a common way for your email to get compromised – usually resulting in your account being hijacked to send spam.

Where am I vulnerable when using non-secure websites and email?

The biggest risk areas when using non-SSL websites and insecure email ports are when you use public WiFi at coffee shops, airports or hotels. Anyone on the same public WiFi network can potentially intercept data transmitted by other users.

Mobile connections are reportedly just as bad – because your data is literally transmitted through the air and vulnerable to being intercepted by a bad actor in the vicinity. If you’re on a wired network or private WiFi network at home then you’re at less risk, as there’s no one else connected to intercept the data locally. The data is still transferred over various other networks before it reaches the destination, but these aren’t generally publicly accessible. It’s still not advisable to ever use non-encrypted connections, but if you must then it’s safest to do so at home on your private connection.

A common example is a WordPress admin area. If your WordPress website isn’t using https and you log into your admin panel from a public WiFi then anyone that is looking can see that password and keep it for later use. This risk can be vastly reduced with the encryption offered by an SSL certificate.

How can I tell if a website is using http or https, and whether it is secure?

Any website that uses “http” in the address is not using an SSL certificate, and any that has “https” in the address is using an SSL certificate. These days the insecure “http” site will often be labelled insecure or have a grey appearance in the browser address bar, while a website using an SSL certificate will show a padlock icon, often in a reassuring green colour.

How can I check if my email settings are secure?

This depends on your email client, so it will be different if you use Outlook, Thunderbird, the Apple Mail app, or any other email software. The first place to check is your account settings: look for where the incoming (POP3 or IMAP) and outgoing (SMTP) servers are set, and find the options labelled “Security Type” and “Port”. The port should be one of the secure ones – 995 for POP, 993 for IMAP, 465 or 587 for SMTP – while “Security Type” should be set to an option like “SSL” or “SSL/TLS”, never “None”. Send a screenshot to our support team if you’re not sure.

You can check our recommended email settings on our knowledgebase article here, or look here for screenshots of the settings on iOS and Android mobile devices.

If you use our webmail service (at https://yourdomain.com:2096) then it will always be secure – we don’t allow insecure non-https logins to our cPanel and webmail services.
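A secure port number does not by itself prove that a login was encrypted: on port 587 the session starts in plain text and is upgraded with STARTTLS, so a client set to security type “None”, or one that carries on after the upgrade is refused, still sends its login in the clear. The Python example below is added here and is not from the original article; it checks a client-side SMTP session log for AUTH commands sent before encryption was in place. The log format, sample sessions and function name are constructed for illustration.

```python
# Constructed client-side SMTP session logs ("C:" client, "S:" server).
PLAIN_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN <base64 credentials>
S: 235 ok
"""
STARTTLS_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO laptop
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN <base64 credentials>
S: 235 ok
"""
# Same session, but the server refuses the upgrade and the client carries on.
REFUSED_SESSION = STARTTLS_SESSION.replace(
    "220 Ready to start TLS", "454 TLS not available")


def auth_before_tls(transcript, implicit_tls=False):
    """Return AUTH commands the client sent while the session was unencrypted.

    implicit_tls=True models port 465, where TLS is set up before any SMTP line.
    """
    encrypted = implicit_tls
    upgrade_pending = False
    exposed = []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                upgrade_pending = True
            elif verb == "AUTH" and not encrypted:
                exposed.append(text)
        elif side == "S" and upgrade_pending:
            # Only a 220 reply means the upgrade was accepted.
            encrypted = text.startswith("220")
            upgrade_pending = False
    return exposed


if __name__ == "__main__":
    for name in ("PLAIN_SESSION", "STARTTLS_SESSION", "REFUSED_SESSION"):
        print(name, auth_before_tls(globals()[name]))
```

Only the session where the server answered STARTTLS with 220 comes back clean, which is why the client's security type should require encryption rather than merely attempt it.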

SSL to improve SEO rankings

SEOs have discussed http vs https and the importance of SSL certificates since Google said in a 2014 blog post that SSL was a ranking factor. So another risk of not using an SSL certificate is that your website may not rank as well in Google search results. Your website may even be penalised if you have no SSL certificate, or a misconfigured one. This one is more a risk to your potential sales than your security.

We offer free automatic SSL certificates with all our cPanel web hosting accounts. If you have any questions about SSL certificates, or general website and email security then please don’t hesitate to contact us.

HostAsean Editor
