One of my visitors, after reading my article on How to Convert Your Website from HTTP to HTTPS, wondered if it was possible to simply change all the URLs (ie, web addresses) on his website to HTTPS without actually obtaining an SSL certificate.
(For those not familiar with this topic at all, getting an SSL certificate is always the first thing you do when you convert a site to use HTTPS. See the aforementioned article for more information on what an SSL certificate means and does.)
No, you cannot. It won't work.
You can easily test this without editing your existing web pages. Just enter the domain name of your website into a browser's address bar, but instead of typing "http://", enter "https://". For example, if your site is normally accessed via "http://www.example.com/", type "https://www.example.com/" instead. If the site is not specifically set up to receive SSL connections, with an SSL certificate installed, the browser will appear to hang for a short time, since it's waiting for the web server to respond, and will eventually give up and issue an error message.
This section provides a slightly more detailed reason. If you are content with the practical answer given above, just skip it. It is meant for those who like to have a bit more explanation than a terse "it won't work".
Note that although this section provides more detail, it is not meant to be a technically-complete answer. It's intended for a webmaster (or webmaster-to-be) who just wants a simple explanation in plain English. If you are a programmer, and need an exhaustive answer written in precise technical language, look up a network programming reference.
When you ask the browser to connect to a website, it sends a packet of information to the web server (ie, computer) on which the site is located.
This packet contains, among other things, something known as a destination port number, to which the packet is meant to be delivered. The port number is just some number that has been agreed beforehand by all the software running on the internet so that different computers running different software can interact with each other. It's not a physical port like a shipping port on a country's coast or a port on a computer where you can plug cables in. It's more like a sorting number to simplify the task of matching software that need to communicate with each other (like a browser and a web server).
When you try to connect to an address starting with "http", the browser (by default) will insert "80" into the port number field, since that is the pre-agreed standard number for such things. The web server software will wait for and receive all packets of information that has this port number embedded in it. Once it obtains such a packet, it will respond appropriately, following a set procedure that has been programmed into all web servers and browsers. The procedure is fixed, so that even if you use a Mac or a Windows computer, you can still connect to a server running Linux (or something else). Since everything is standardized, any software can actually communicate with any web server regardless of brand, so long as everyone follows the same procedure. In computer lingo, these standardized procedures are called "protocols", just like the diplomatic protocols followed by, say, politicians from different countries when interacting with each other. For our example here, this sequence of events culminates in the web server sending the requested page to your browser.
However, if you ask the browser to connect to a site that has an address starting with "https", the browser (by default) will instead insert a port number of 443 (in contrast with the "80" used for HTTP) into the packet. A web server that has been configured for HTTPS will listen to port 443 (where "listen to port 443" means that it is set up to receive packets containing the port number 443), and respond using a different protocol, one suitable for HTTPS. This includes, among other things, negotiating which encryption algorithm to use with the browser. It needs to do this because it has to match the encryption it knows, with what the browser knows. It can't just willy-nilly encrypt using whatever system it wants, because the browser needs to know how to decrypt the page, to display it to the user.
Even from this brief description above (which barely scratches the surface), you can already see why simply changing your URLs from "http" to "https" isn't going to work. If your site is not set up for HTTPS, your web server will not even be listening to port 443 for requests.
In truth, even if it did listen to port 443 for your site, it still won't work, since your site needs an SSL certificate for HTTPS connections. The certificate contains something known as a "key" (which, loosely speaking, is like a password) that is needed to encrypt the connection.
If the reason you are hoping to avoid getting an SSL certificate is because you don't want to incur additional costs, the good news is that these days, many commercial web hosts provide them for free. As such, if you are worried about the cost, just use one of the web hosts that do this. If you are not sure which of them provide such services, see my list of web hosts, where I note such things in the description.
In addition, there are many websites around that provide free SSL certificates, not to mention that you can also generate one yourself, on your own computer. If you take this route, your web host must provide a way for you to install the certs.
For those who think that converting to HTTPS is an onerous task, one where you're not entirely sure what to do and are afraid you'll miss something, follow my article on How to Move Your Website to SSL/TLS. It includes a step-by-step guide for the things that need to be done. It's true that the task isn't entirely trivial, but with the help of a checklist, it's probably easier than you think.
If you are planning to create a new website, as opposed to already having one that you need to convert, I strongly recommend that you start with an HTTPS address from the very beginning. That way, you won't need to worry about all the things you need to do when you change your URL from HTTP to HTTPS since your site will be built from the ground up to use an HTTPS address.
If you don't, thinking that you don't need one now, you will probably end up converting to HTTPS later anyway, since it's what the entire Internet is moving towards.
Copyright © 2020-2023 Christopher Heng. All rights reserved.
Get more free tips and articles like this,
on web design, promotion, revenue and scripting, from https://www.thesitewizard.com/.
Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at https://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.
This article is copyrighted. Please do not reproduce or distribute this article in whole or part, in any form.
It will appear on your page as:
Can I Change My Website's Address to HTTPS Without Getting an SSL Certificate?
