As you know, Chicory loves food bloggers. This means that a lot of our content here aims at helping food bloggers in any way that we can. When I think about how I can help food bloggers as an engineer, SEO looms large in my mind. You might have noticed we've already made a couple of posts on the topic this year.

One component of SEO we didn't mention is an emergent one: going HTTPS. Google has already indicated that it's using HTTPS as a ranking signal in its search algorithm. And while it's currently only a relatively minor signal in page ranking, Google has clearly implied that it would like to nudge the world in the direction of HTTPS everywhere, and my guess is that HTTPS is going to get more important before it gets less.

But if you're anything like me, there's nothing you hate more than being told what to do without being told why (which is probably why I always hated math in high school). Now I'm sure you've heard the buzzwords: HTTPS makes your website more secure; HTTPS encrypts your traffic. That sounds a little too abstract to be helpful for me, so we're going to explore what HTTPS really is, how it works, and why it's important.

The Man in the Middle

You've probably noticed the little green lock next to your web browser's address bar when you log into your bank account online or buy something on Etsy. That's there to let you know that you're up and running on HTTPS. Why does that little lock matter? In short, HTTPS protects you from a kind of online attack called a Man in the Middle Attack.

You might know that your web browser and a website's server speak to each other through a kind of structured conversation (or protocol) called Hypertext Transfer Protocol, or HTTP. HTTP is simply a series of messages between your browser and a server that go something like this:

YOUR BROWSER: Hey "amazon.com," get me the HTML for the page "/confirm-order/"
AMAZON SERVER: Sure, Browser. Go nuts. "<html>...</html>"

In this instance, Amazon's HTML might include a form where you have to enter your credit card information, name, etc. If you were to make a transaction like this in a coffee shop with a poorly-secured WiFi network, anyone there with some education in computer networking could look at everything your browser and Amazon's server say to each other, including your credit card number. They could even intercept the form you sent and change the delivery address to the middle of Siberia. Now you'll never get that sweet air pressure wine opener--you chilled the rosé for nothing! 

That hacker who grabbed your message to Amazon, inspected it, maybe changed it, and then ultimately forwarded it to Amazon? That was the "Man in the Middle." The amazing thing about the man in the middle is that he* might not have a computer science degree. He might not even be wearing a black hoodie and whispering into an earpiece, "I'm in." Pretty much anybody could pull this off; the hardest thing about executing this kind of attack is knowing what it's called, just so that you know what to Google! The top search result presents a pretty easy-to-follow how-to.

And this is exactly why Google wants to cut down on connections that are not secure. A conversation in HTTPS looks just like a conversation in HTTP, except that all the messages going back and forth are encrypted with a key that only you and Amazon know about. The Man in the Middle can sit and watch all your traffic go by, but it won't be very interesting for him--all he'll see is a stream of garbled text.

So, how does this pertain to a food blogger? You might not be taking people's credit card numbers (right now), but there are other risks. For example, a WiFi provider can actually act as a Man in the Middle and swap out the approved ads on your site with their own malicious ads. And if you start collecting sensitive data in the future (emails, passwords, etc.), you'll be glad you don't have to do the extra work of going HTTPS at the same time. Oh, and in the meantime, you can enjoy a little bump from Google. There are approximately one million guides to help you get started, so you can take your pick.
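To see what on your own pages is exposed this way, here is an added example (not part of the original post) that audits a page's HTML for forms that would send emails or passwords over plain HTTP and for scripts, iframes or images (ads included) fetched over plain HTTP. The class and function names, the list of sensitive input types and the sample page are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE_TYPES = {"password", "email", "tel"}   # data the post calls sensitive
EMBED_TAGS = {"script", "iframe", "img"}         # content (ads included) loaded via src

class CleartextAudit(HTMLParser):
    """Lists what on one page would cross the network unencrypted."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []        # (kind, absolute URL) tuples
        self._action = None       # resolved action URL of the open <form>
        self._sensitive = False   # open form contains a sensitive input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the page's own scheme.
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._sensitive = False
        elif tag == "input" and self._action is not None:
            if (a.get("type") or "text").lower() in SENSITIVE_TYPES:
                self._sensitive = True
        elif tag in EMBED_TAGS and a.get("src"):
            url = urljoin(self.page_url, a["src"])
            if urlparse(url).scheme == "http":
                self.findings.append(("cleartext-embed", url))

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._sensitive and urlparse(self._action).scheme == "http":
                self.findings.append(("cleartext-form", self._action))
            self._action = None

def audit(page_url, html):
    parser = CleartextAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; blog.example, ads.example and cdn.example are placeholders.
SAMPLE_PAGE = """
<form action="/subscribe"><input type="email" name="e"></form>
<script src="//ads.example/serve.js"></script>
<script src="https://cdn.example/app.js"></script>
"""
if __name__ == "__main__":
    print(audit("http://blog.example/recipes/", SAMPLE_PAGE))
```

Served from an `http://` address, the sample page yields two findings (the subscribe form and the ad script); the same HTML served from `https://` yields none, because relative and `//` URLs inherit the page's scheme.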

So how does key-based encryption work? How do you know you're really talking to Amazon (and not some Man in the Middle) at the time that you decide what decryption key to use? These topics are immensely interesting to me, but they might not be to everybody. At any rate, they warrant a post of their own. If there's any interest in another part in this series, I'll be happy to oblige; please let me know what you thought of this post in the comments. Until then, happy blogging!

*Please excuse my gendered pronoun. I didn't name the attack, but I thought it less confusing to be consistent.