Two questions I see a lot are “Is it worth using HTTPS on my website?” and “I already have HTTPS on my login pages, do I need it everywhere else?”. The short answer to both of these is yes. You might think you don’t need to use HTTPS if your website is just a small business site or a single landing page and never asks for any sensitive information, but you could be putting both your site and your users at risk by not doing so.
What is HTTPS?
HTTPS is the acronym for Hypertext Transfer Protocol Secure. It is a protocol used for secure communications over networks, like the internet. Data sent over an HTTPS connection is encrypted between the client and the server, so bad people and bots can’t tamper with, read or steal the data.
What about TLS and SSL?
TLS is the acronym for Transport Layer Security and SSL for Secure Socket Layer. SSL is the predecessor to TLS and shouldn’t be used anymore. The last version of the SSL protocol, version 3.0, has been considered insecure for a few years now because of its vulnerability to man-in-the-middle attacks such as POODLE (Padding Oracle On Downgraded Legacy Encryption).
The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL). Both are cryptographic protocols that help encrypt communications over a network, but with the vulnerabilities present in the SSL protocol, it should no longer be accepted by your server or network as a valid protocol. Even if everything on your website is sent over HTTPS, if your web server is not configured correctly and still accepts SSLv3 as a valid protocol, then you, your business and your users are at risk, and most of the benefits of having HTTPS in place are negated.
What are the pros to using HTTPS Everywhere?
When it comes to the pros of HTTPS there are many reasons you should be using it. Here are some of the main reasons you should be, especially if you’re a business.
- Security. The main reason, and hopefully the most obvious by now, is security, not just for the users of your website but also for you and your business. HTTPS helps the servers involved in any data transfer prove they are who they say they are, so it’s a good defence against man-in-the-middle attacks, ad injection malware and even traffic diversion code, as well as a bunch of other nasties. According to a survey from GlobalSign, 77% of European website visitors are concerned about their data being intercepted or misused online.
- Privacy. Did you know that pretty much every activity you do online is recorded? That might not seem like too much of a problem to you if all you do is visit YouTube to see the latest cute cat videos. But even just that data can be valuable to bad people; for example, they could use that information to target you with a cat video that contains embedded malware, which could install all kinds of nasties on your computer or mobile and could, in turn, spread to any device using your internet connection. Okay, maybe the chances of that actually happening are slim, but it is easily doable.
- Not only do you have malicious people snooping on your data, but you also have government agencies and even your ISP (Internet Service Provider), both of which are happy enough to sell your browsing data. HTTPS helps make this much harder: when you connect to a website that’s using HTTPS, all your ISP will know is that you’ve gone to that web address; they won’t know what you’ve done while you’ve been on there.
- Privacy is a basic human right and in a digital age, it’s in short supply. It’s like having someone standing outside your living room window recording everything you’re doing; it’s a breach of your privacy and, surprisingly, there are people who would buy that data of you sitting in your food-stained PJs while you eat your dinner and watch Game of Thrones, like a shadier version of Channel 4’s Gogglebox.
- Better Referral Data. HTTPS to HTTP referral data is blocked in Google Analytics, so as more of the web moves over to HTTPS by default, any visits referred from those HTTPS sites will no longer show as referrals and will be recorded as direct traffic. So for those of you running any sort of marketing campaigns, this should be an important one for you.
- Brand Trust and Credibility. Customers won’t buy from you if they don’t trust you, it’s as simple as that. Building brand trust is an important part of running a business, especially for any new businesses just starting out. Having the little green secure notice and padlock in the browser bar when they visit your site works wonders for brand trust. According to the same survey linked above by GlobalSign, 28.9% of users look for the green address bar and a huge 84% would abandon a purchase if data was sent over an unsecured connection.
- Then you also have newer versions of browsers like Google Chrome that will soon show “Not secure” in the address bar for sites not running over HTTPS, in the place where the green padlock and “Secure” notice usually show. There is also talk of Google making it more obvious in search results which sites are secure and which are not; this is something that a lot of security software suites already add into the search results.
- Site Performance. It’s funny: one of the main arguments against using HTTPS on a website, especially everywhere, used to be its impact on site performance. Now, however, this is no longer a valid argument (and hasn’t been for quite some time). Running HTTPS everywhere will in most cases (unless you’re on extremely outdated hardware/software) have so little overhead that it would be crazy not to use it just to save a small amount of additional CPU power.
- Another important reason here is HTTP/2. Websites that are delivered over HTTP/2 perform on average between 50-70% better than sites sent over the older protocol version HTTP/1.1. You won’t be able to take advantage of the HTTP/2 performance benefits though unless you are running your site over HTTPS.
- You’re Making The Web a Safer Place. By making your own website more secure and removing it as an easy target for would-be hackers, you make malicious activities less lucrative. This, in turn, makes the web a much safer place for your business and users alike.
- Leading by Example. With over 500 new websites being created every minute, and most looking at similar sites for inspiration, it’s important that they see that the security of users is something that you’ve taken seriously. Hopefully, this will lead them to do the same.
- Easier To Configure. For new websites, it’s much easier to set up HTTPS everywhere rather than just on the pages that you’d traditionally expect to be over HTTPS (i.e. login, basket, checkout, payment pages etc.).
- Reduces The Chance of Running Into Issues. By utilising HTTPS everywhere on your website, there is less chance you’ll run into common issues with internal links between HTTP and HTTPS pages, session crossover issues and mixed content issues.
- It Doesn’t Have To Cost The World. With plenty of reputable places now offering SSL certificates as cheap as a new PC/console game or a couple of trips to the cinema, and even places like Let’s Encrypt that offer you shorter-term certificates for free, the price should not be an excuse.
- Ranking Boost. Back in 2014, Matt Cutts announced that HTTPS is now a lightweight ranking signal and that over time Google may strengthen this signal. While the effects on your SERPs may only be small to begin with, it’s still something that helps, and I’m sure as Google continues to push for a more secure web this will be something that has a greater impact in the future. There are also a bunch of examples online that show switching to HTTPS has helped some sites rank much better than before they migrated over to HTTPS.
- Data Protection Regulations. Using HTTPS everywhere on your website will ensure you meet existing data protection regulations and new ones like the European & UK General Data Protection Regulation (GDPR) which come into effect early 2018 and which I’ll cover in a separate post.
Are there any cons to using HTTPS Everywhere?
As with most things in life, there is usually going to be at least one potential con. Here are the main ones for using HTTPS everywhere.
- Potential SEO Nightmare. For existing websites looking at moving to HTTPS everywhere, there is a risk that if the migration is not done correctly, with the correct redirects in place, you could negatively affect your SEO efforts. You could end up with duplicate content issues if the website is accessible over both HTTP and HTTPS. HTTP and HTTPS are treated as different URLs, so if you forget to implement the correct 301 redirects you could also see your SERPs take a hit.
- If you do already have an existing website you’re looking at migrating over to HTTPS, I’d always recommend doing it in stages, with at least two-week gaps in between each stage, especially if you’re running an e-commerce website or any other site that contains a lot of pages. This will help combat any potential negative SEO impact.
- Harder To Configure. If you have an existing site with a lot of pages you’ll want to do the HTTP to HTTPS migration in stages, and this can sometimes make it harder to get set up and running, depending on what platform your website is built on; but trust me when I say it’s worth the effort, and as long as you know what you’re doing it shouldn’t be too much hassle to get in place.
- It Can Cost The World. There are many types of SSL certificates that you can get cheap enough; however, there are still a select few that cost a good deal more, these primarily being “Extended Validation” certificates. EV certificates are essentially the top of the line option in terms of certificates; they are mainly meant for very large e-commerce sites, government sites, banks, social media giants and any site that collects really important private information.
- In most cases, e-commerce sites can opt for the cheaper option of “Organisation Validation” certificates. OV certificates still go through a business verification process, as EV certificates do, but are slightly easier to get and require much less paperwork; they don’t, however, show the full green bar that EV certificates do in some browsers.
Secure further with HSTS
Once you have completed migrating your website over to HTTPS and are 100% sure that nothing is still loading over HTTP, you should make use of the HSTS (HTTP Strict Transport Security) header in your website’s responses.
This tells browsers and bots (like Google’s) to only load pages on your website over HTTPS and to refuse anything not sent over HTTPS, further securing the data sent between your website and its users.
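To check the two migration steps above (the 301 redirect from each HTTP URL to its HTTPS twin, and an HSTS header with a long enough max-age on the HTTPS response) without touching a live site, here is an added example, not code from the original post, that runs the checks over constructed sample responses for a hypothetical example.com; the one-year minimum max-age is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_response(raw: str):
    """Split a raw HTTP response head (constructed sample) into (status, {header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(http_url: str, status: int, headers: dict) -> list:
    """Problems with the HTTP response: it should 301 to the same path and query on HTTPS."""
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    parts = urlsplit(http_url)
    expected = urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
    location = headers.get("location", "")
    if location != expected:
        problems.append(f"Location {location!r} != {expected!r}")
    return problems

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value; valueless directives map to True."""
    directives = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives

def check_hsts(headers: dict, min_age: int = 31536000) -> list:
    """Problems with the HTTPS response's HSTS header: missing, or max-age under one year (assumed minimum)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(value)
    if "max-age" not in d or not str(d["max-age"]).isdigit():
        return ["max-age missing or not a number"]
    if int(d["max-age"]) < min_age:
        return [f"max-age {d['max-age']} below {min_age}"]
    return []

# Constructed sample responses for a hypothetical site; not captured from a real server.
HTTP_RESPONSE = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/shop?page=2\r\n"
HTTPS_RESPONSE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
```

Run the HTTP check against every URL in your sitemap, not just the homepage, because a single page left reachable over plain HTTP is exactly the duplicate content and mixed content case the post warns about.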
What do I do now?
As you can see, the pros far outweigh the cons. Moving your whole website over to HTTPS is definitely something that, if it isn’t on your business plan already, should be added and looked into sooner rather than later. Once you’ve completed the migration you should also look at enabling HSTS for your server.
What can Eira Studios do to help?
Every new website project I take on will include HTTPS and SSL in the contract. I strongly believe that we should do everything we can to make the web a safer place and prevent many of the recent malicious cyber attacks from becoming the norm in the future. The creator of the WordPress project shares the same principles and is heavily advocating that all WordPress websites be hosted on HTTPS, as more and more features in WordPress will require it.
Not sure you can migrate to HTTPS yourself, or need some guidance? Get in touch: with years of experience in migrating sites of all sizes, including large e-commerce and business websites, over to HTTPS, you’re in safe hands.