What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is the secure protocol over which data is sent between the website you are on and your browser. In short, this means that the communication between the website and your browser is encrypted. This functionality is used to protect sensitive user information such as emails, phone numbers, and payment information.
HTTPS was created by Netscape Communications in 1994 for the Netscape Navigator web browser. Since then, HTTPS has evolved to become the standard for online security across the internet. With online shopping becoming more and more common in the past decade, the need for a secure connection has grown exponentially.
Why should you care?
When you connect to an HTTP (nonsecure) website, your browser looks up the IP address associated with the site, connects to that IP address, and assumes it’s connected to the proper web server in order to show you the page you requested.
All of the data from your session gets sent over the connection in clear text. This means that anyone, including hackers, government agencies, or eavesdroppers on a Wi-Fi network can see all the data that gets transferred back and forth.
If you were to fill out a contact form on an unsecured (HTTP) website, all of your contact information could get compromised. What’s worse is that if you were to make an online purchase on an unsecured web page, all of your credit card information could also be jeopardized.
As a consumer or a webmaster, you should care about having a secure connection. For consumers, the benefits are obvious. For the website owner, you want to make sure your potential clients feel safe visiting your site and transferring information. If they don’t, you stand to lose a good chunk of business.
What does HTTPS provide?
Until somewhat recently, only banks and online payment processors were using HTTPS. Now it is getting to be more common. HTTPS is much more secure than HTTP. When using HTTPS, your browser verifies that a legitimate certificate authority issued the website’s security certificate. This ensures that when you see https://www.website.com in your address bar, that is actually the website you’re on.
The entire web is slowly making the switch to HTTPS. In the US, internet service providers are allowed to spy on your browsing history and sell it to advertisers. If the web makes the switch to HTTPS entirely, your ISP won’t be able to see as much data.
When you are using an HTTPS connection, nobody can eavesdrop on your activity. HTTPS is what makes online shopping (hooray!) and online banking possible.
How browsers are encouraging websites to switch to HTTPS
Due to the desire to move the web to HTTPS, all the new standard tools for speeding up the web require HTTPS to function. HTTP/2 is a major new version of the HTTP protocol. HTTP/2 is not only secure but also adds compression and pipelining, among other features that are designed to speed up a web page. All websites that want to utilize the benefits of HTTP/2 must be HTTPS encrypted. This means that in theory, HTTPS should be faster than HTTP.
While browsers are pushing the benefits of HTTPS, they are also highlighting the drawbacks of HTTP. Google has announced that starting October 2017, their popular web browser, Google Chrome, will start flagging websites that are not secure.
The goal of this is not to harm sites that haven’t made the switch to HTTPS, but rather to help users identify a site that is not secure. According to Google’s Chris Palmer, “The goal of this proposal is to more clearly display to users that HTTP provides no data security.” So while this may hurt unsecured websites, Google is simply putting their best foot forward to call out unsecured websites for what they are.
Types of Certificates
There are three different types of SSL certificates you can get. It is important to know which one is the best for your situation.
- Domain Validation: This is the cheapest and most basic. Domain Validation covers encryption, but not authentication. This means that if your data is intercepted, it is useless to the attacker unless they have the key to decode the encrypted data.
- Organization Validation: This is the middle ground in price. It includes encryption and authentication. This type of certification prevents “man in the middle” attacks. This means that it is not possible for someone to trick your customers into thinking they are providing information to you, rather than to a scammer.
- Extended Validation: This is the top of the line certificate. It provides the best security possible with HTTPS. This is mainly for large e-commerce sites that collect a significant amount of private information.
Making the switch to HTTPS
Despite the obvious benefits that switching to HTTPS provides, some website owners are still hesitant to make the switch for a variety of reasons. First off, there is a lot that can go wrong! Especially if you are running an SEO campaign, switching to HTTPS can be scary.
Common problems after HTTPS implementation:
- Preventing Google from crawling the HTTPS version of a site. After you make the switch, you still have to tell Google to start crawling the new version of your website. Switching to HTTPS is seen similarly to changing domain names. Redirects have to be put in place, and you have to make sure the “new” site indexes correctly.
- Content duplication. This happens when you enable the HTTPS version of your site, but don’t disable the HTTP version. This causes two instances of your website to be indexed at the same time.
- Different site versions. This occurs when redirects are not implemented properly. This leads to two versions of your site that may show different information.
Steps to a proper HTTPS switch
If your hosting provider does not provide SSL/HTTPS implementation for you, you could be on your own. Most reputable hosting companies will charge a fee to implement your HTTPS. However, if you find yourself in a situation where you don’t have that option, here are the steps needed to implement your own HTTPS successfully.
- Crawl the current site: This is so that you know the current state of your website. Make notes of any specific items you know will have to be changed later.
- Read up on how your particular server handles HTTPS switches: Even if you are with a hosting provider who will not help you with HTTPS integration, hopefully, you can still talk to them regarding their server setup. Often they will have server-specific articles for you to follow to implement the certificate yourself.
- Install your security certificate: This process varies depending on your server. However, as mentioned previously, most hosting companies will have documentation regarding how to go about doing this.
- Update links in your content: You can either do this manually by going through each page and updating links to point to the HTTPS, or by doing a search and replace on the database. If you are not comfortable with technical website edits, the more time-consuming page by page approach may be best.
- Update plugins: If your website uses plugins, make sure to update them after the switch has been made. This will ensure nothing is misconfigured, and if it is, you can fix it.
- Update canonical tags: Most website platforms take care of this during the upgrade, but double check just to be sure.
- Check CMS specific settings: For the most common CMS platforms, this process is well documented.
- Set up redirects: This is the most important, and often overlooked part of the migration.
- Update existing redirects: All of your current redirects will still be pointing to the HTTP version of your site. Make sure all of your current redirects are pointing to the HTTPS version.
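The redirect and link steps above can be checked from crawl data after the switch. The following is an added example, not part of the original article: it classifies each HTTP URL as correctly redirected, still served over HTTP (content duplication), or routed through an old redirect that still targets HTTP, and it lists links and canonical tags that still point at the HTTP site. The host example.test, the crawl results, and the page body are constructed sample data, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed crawl results: URL -> (status code, Location header).
RESPONSES = {
    "http://example.test/": (301, "https://example.test/"),
    "http://example.test/about": (200, None),  # HTTP copy still served
    "http://example.test/old-shop": (301, "http://example.test/shop"),  # old redirect
    "http://example.test/shop": (301, "https://example.test/shop"),
    "https://example.test/": (200, None),
    "https://example.test/shop": (200, None),
}
# Constructed page body with links left over from before the switch.
SAMPLE_PAGE = """<a href="http://example.test/shop">Shop</a>
<img src="https://example.test/logo.png">
<link rel="canonical" href="http://example.test/">"""

def audit_redirect(url, responses, max_hops=5):
    """Follow recorded redirects from an http:// URL and classify the outcome."""
    hops = [url]
    while len(hops) <= max_hops:
        status, location = responses.get(hops[-1], (None, None))
        if status not in (301, 302, 307, 308) or not location:
            break
        hops.append(urljoin(hops[-1], location))
    final_scheme = urlsplit(hops[-1]).scheme
    if status == 200 and final_scheme == "http":
        return "duplicate-content", hops  # HTTP version was never disabled
    if status != 200 or final_scheme != "https":
        return "broken", hops  # loop, dead end, or too many hops
    if any(urlsplit(h).scheme == "http" for h in hops[1:]):
        return "stale-redirect", hops  # an existing redirect still targets HTTP
    return "ok", hops

class InsecureLinkFinder(HTMLParser):
    """Collect href/src values that still point at the http:// site."""
    def __init__(self, host):
        super().__init__()
        self.host, self.found = host, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            parts = urlsplit(value or "")
            if name in ("href", "src") and parts.scheme == "http" and parts.hostname == self.host:
                self.found.append((tag, value))

def find_http_links(html, host):
    finder = InsecureLinkFinder(host)
    finder.feed(html)
    return finder.found
```

Any result other than "ok" from audit_redirect, or any entry returned by find_http_links, marks a page to fix before treating the migration as finished.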
HTTPS and secure web browsing are not going away anytime soon. In fact, Google may continue to put more and more emphasis on secure browsing as global internet usage continues to grow. It’s better to jump on the bandwagon and make the switch before you’re left behind. Technical changes may not be your favorite part of owning a website, but they are essential to staying competitive online.