HyperText Transfer Protocol (HTTP) is what the World Wide Web has been using for over 20 years to transfer the HTML (HyperText Markup Language) used to build web pages back and forth from the web browser on your computer to the server that hosts the web pages that you are viewing. More recently, in an attempt to make the Internet more secure, Google began penalizing sites that are not HTTPS and warning visitors that the site is "Not Secure".
HTTPS stands for HyperText Transfer Protocol Secure. HTTPS provides a layer of security on top of HTTP through a technology called SSL (Secure Sockets Layer) or TLS (Transport Layer Security). This security layer encrypts all of the data being transferred between the client’s browser and the server which safeguards it against potential threats, like hackers. If hackers can steal or copy the data being transferred, then they can gain access to a user’s personal information or financial data, potentially allowing them to steal the identity of the user.
You'll know the website you are on is secure if you see a green lock or the word, "Secure."
Now that we know what HTTPS security does, let’s talk about how you can use it on your website.
To make your site run with HTTPS, follow these basic steps.
- Buy an SSL certificate from one of many Internet vendors. Certificates can cost anywhere from $50 to $2,000 per year depending on the type of certificate you want to purchase and the length of time you want it to be valid for. However, if you are savvy enough, cPanel provides free Comodo certificates and LetsEncrypt also provides free certificates.
- When purchasing your certificate, you will have to answer some questions about your site and validate your domain. For example, you will have to declare if your site is a Single Domain site that only has one domain name, a Wildcard domain that could have subfolders in the same domain or a Multiple Domain site that could have more than one domain name associated with the certificate.
- You will also have to decide on your level of validation. An Extended Validation Certificate (EV) will require you to verify the identity of the organization that controls the domain with a valid Certificate Authority (CA) so that your users will know your organization is legitimate and can be trusted with their information.
- Install the SSL certificate for your site. After you answer all of the questions associated with your domain, you can download your certificate to the web server that will be hosting your site. You will need to change the names of some files and modify some configuration information for your site to let the server know that all traffic to and from your domain should be encrypted.
- Modify your site for https. If you have a sitemap for your website or use hard coded links for the internal navigation of your site, you will need to change their addresses to use https instead of regular http. You might also need to create 301 redirects and change any analytics code in your pages to work with https.
HTTPS Benefits
The biggest benefit to switching to HTTPS is the added security for your data. If your website has the slightest possibility of receiving sensitive security credentials or personal data of any kind, then you need to make sure that data transmission is encrypted.
Most Internet consumers are much savvier now than they were in the past. Before they enter any credit card or personal information, they look to make sure the site address has “https://: at the beginning. This increases trust when your customers see that your site is secured with HTTPS and lets them know that their data will be protected. Studies performed by GlobalSign have shown that 80% of customers are likely to abandon a purchase if they don’t see HTTPS is in use.
Securing your site with HTTPS will also add to your Search Engine Optimization strategy. Google actually considers HTTPS in their ranking factors and gives precedence in their search results to sites that incorporate security. This will help with lead generation since your site should appear higher than other competitor’s sites in most search results.
Most likely, future rules and regulations, like Google’s inclusion of security in their ranking factors, will force you to migrate to HTTPS. This is especially a concern for businesses who store customer data. If you go ahead and make the change now, then you can guard against future stipulations. Even if your site doesn’t directly request customer information directly, you can still benefit from using HTTPS on your website. By encrypting all communications between the browser and server, you ensure that your customers don’t inadvertently include personal information in communications like service requests and inquiries.
If you also intend for your web pages to be mobile friendly, then you definitely need to consider securing your site. AMP (Accelerated Mobile Pages) was invented by Google to increase the loading speed of web pages being viewed on mobile devices. Google also puts sites that are AMP compatible at the top of their search results for mobile users.
Are There any Disadvantages of Using HTTPS?
Probably the most obvious disadvantage is that pages will be slightly slower because there is an extra step involved in the communication to the server while the initial secure connection is established and data gets encrypted. However, this is not really noticeable to the naked eye. Most sites that you currently visit already use HTTPS, and most people can’t tell the difference. You can use things like OCSP stapling to help speed up the time it takes to establish a secure connection, but these performance tweaks are most likely way beyond what you'll need if you are just getting started with HTTPS.
It’s worth noting that some browsers might be slower than others because not all browsers employ the same algorithm to process HTTPS requests and responses. You should test all of the major browsers to make sure your site behaves the same across each of them. You may also want to go back and test older versions of browsers since some users are averse to upgrades and may still be using a browser that doesn’t handle HTTPS as well.
Earlier versions of SSL did not support virtual website hosting where multiple websites could be hosted from the same IP address. Make sure you keep your certificates up to date so that your site will work with the latest versions of all the major web browsers.
Performance
If you are worried about performance issues with using SSL, you can do a few things to mitigate that overhead.
- Move from HTTP to HTTP2
- Enable OCSP Stapling
- Enable AES as your preferred cipher
The speed at which the connection is negotiated and certificates validated will likely not be your issue. Most performance issues are caused by how the website was built.
So Now What?
There are advantages and disadvantages to every technology, but the advantages of using HTTPS far outweigh the disadvantages. The liability of leaking a customer’s private information to a malicious source can be dangerous. It not only opens your business up to potential lawsuits but it could result in substantial penalties especially if your industry has compliance requirements such as HIPAA.
Converting your website to HTTPS is fairly easy and inexpensive. You will just need to spend some time updating your website to work smoothly during the transition. In the long run, it is much better to be safe than sorry. A little bit of work and testing now could prevent much larger problems in the future.
If you have questions on how you can migrate your web pages to HTTPS, we are here to help. Contact us today to discover how we can guide you through the process.