
HTTP VS HTTPS: Important Changes & SEO Benefits


Is your website secured by HTTPS with SSL/TLS and certificates yet?

Yes: Well done, good on you! Feel free to be smug, while the rest play catch up.

No: Tut, tut. No cookies for you then! Read on to learn why you need HTTPS.

Your website needs HTTPS

Web giants like Google are encouraging the web to become more secure because quite frankly, there is a real need for better online security. A secure website is no longer just for sites (eCommerce stores as an example) that handle sensitive information. Your website should now be secure by default.

Serving your website over an insecure HTTP connection means you’re potentially missing out on better search engine ranking opportunities. It also means that your website will soon appear rather suspicious once the upcoming browser changes take effect.

It is because of this security change that 2017 is being touted as the year of HTTPS.

More on that in a moment…

Let us first explain the basics of what HTTPS is and how it works.

HTTP VS HTTPS: The difference and why you should care

HTTP: HyperText Transfer Protocol

HTTP is the ‘old default’ insecure way to serve your website to your users.

The HTTP/1.1 protocol is over 15 years old now and its successor is ready to take to the floor. Welcome HTTP/2, the upgrade with web performance as its key goal from the off.

HTTP/2 requires a secure connection. With optimisation, HTTP/2 is significantly faster than HTTP/1.1, which is another hidden benefit of serving your website over TLS.

HTTPS: Secure HyperText Transfer Protocol

HTTPS is a secure way to serve your website. HTTPS is essentially HTTP, only the data transfer is encrypted.

Note the ‘S’, this stands for ‘Secure’.

HTTPS is essentially a secure tunnel to transfer encrypted data from the server to the client/user's machine, making it safe from MitM (Man-in-the-Middle) attacks.

A 'man in the middle' attack is a technique used by hackers to get between you and the data you are looking at and then use that connection to monitor/control what you are doing and seeing.

HTTPS requires adding an SSL 2048-bit key certificate on your site to secure it via TLS.

SSL: Secure Sockets Layer

SSL is the encryption that makes HTTPS secure and over the years SSL has evolved into TLS.

TLS: Transport Layer Security

When acquiring an SSL certificate, you are in fact getting a TLS certificate because TLS is simply an evolution of SSL.

TLS incorporates three key layers of security:

  • Encryption – Encrypting the exchanged data to keep it secure
  • Data Integrity – Data cannot be modified or corrupted during transfer without being detected
  • Authentication – Ensuring site users are communicating with the correct server/website.

HTTP/2

HTTP/2 is the new and improved protocol, with the aim to make the web safer and faster. SPDY is the basis of HTTP/2.

Why is HTTP/2 good?

The HTTP/2 protocol has many benefits. Its main advantages are that it is faster and reduces server load, because it requires only a single connection per origin, which means fewer sockets, memory buffers, TLS handshakes, and so on.

SPDY vs HTTP/2: What’s the difference?

HTTP/2 uses SPDY as its base to improve speed of the web.

Essentially SPDY was developed by Google, which is where most of the performance improvements were made in upgrading the HTTP network protocol. HTTP/2 uses these upgrades along with community feedback to further evolve.

How Chrome is changing to highlight unsecure websites

In the not so distant future, Google Chrome will begin shaming websites that aren’t secure by default. Yes, you heard it right, you'll be shamed if your website is not secure! This clear and obvious show of distrust can have a huge and detrimental effect on not only your users, but your search engine rankings as a whole.

Let’s look at how Google intend on rolling these changes out…

Currently Google Chrome’s address bar looks like this:

From January 2017 when Google release Chrome 56 it will look like this:

In the near future, as Google continues to roll this out, it will end up looking like this:

So, with this red triangle icon, it’s safe to say that websites still using HTTP after the change will look unsafe to customers. Trust is an important aspect of running a business online, especially when handling any personal & financial data, as e-commerce stores do.

No more red purses.

The Google Chrome security team, headed up by Parisa Tabriz, ran some research and discovered that Chrome’s security symbology was failing to inform users when a website isn’t secure.

During these user feedback sessions, Google tested their green padlock icon to represent a secure connection and a red padlock for standard non-secure HTTP.

Previous attempts struggled to get the message across: only 20% of users ‘got’ that the connection wasn’t safe.

In fact, many users didn’t know what the ‘padlock’ symbol represented, some even thought it was a purse. Surprisingly the colour being red or green made no difference.

When users were shown a black circle with an exclamation mark in it, along with “HTTP”, 38% regarded the site to be unsafe and would leave immediately. Change the icon to a red triangle with the exclamation mark and “HTTP” to “not safe”, then 66% of users will leave.

SEO Benefits of HTTPS

In this section, we will look at the many SEO benefits of HTTPS:

  • Ranking boost
  • Trust increase (Can improve conversions and in turn sales)
  • Preserves & improves business reputation
  • Faster user experience (Websites served by HTTPS are faster to load)
  • Opens the door for HTTP/2
  • Better security for your business - Less chance of you or your users being hacked
  • Greater referrer data (improves data insights)

Can HTTPS increase your website’s ranking?

Yes, for sure, HTTPS can improve your website’s search engine ranking.

Google confirmed HTTPS as a ranking signal back in August 2014.

At the time of writing it is clear that only a very small boost will be achieved, however, think long term. In the future it will certainly be dialed up as Google increase the pressure on website owners to make the switch.

Why is Google doing this?

Google initially only recommended migrating to HTTPS whenever a website was handling sensitive information, especially personal & financial data.

Now the consensus is that all data online is potentially harmful in the wrong hands. So, in today's world, there is no such thing as insensitive data, which is why HTTPS everywhere by default is today's best advice.

Improving security increases trust

Trust is a big thing with customers and your online presence. Without trust you will find it very hard to persuade customers to engage with or buy from you.

As the general public become more aware of the importance of securing the web, you will struggle in obtaining and retaining visitors on your website, even with only an informative page that has no sensitive data.

HTTPS also helps you maintain your business's hard-earned reputation in your customers' eyes, whereas HTTP has the adverse effect.

Increasing trust can improve conversions, which is great news for your business’s bottom line.

Performance enhancement

With optimisation, HTTPS is faster than HTTP, so your users will thank you for adopting HTTPS.

Why is HTTPS faster than HTTP?

Once you have HTTPS installed correctly, it enables you to make use of SPDY/HTTP2, which is around 70% faster than HTTP.

You can test the performance difference between HTTP/2 over TLS and HTTP here.

Remember: Pagespeed (how quickly your page loads) is also a ranking factor. So the faster your website, the better chance you’ll have of ranking above your competitors with slower loading web pages.

Not to mention the correlation between pagespeed and conversions. In other words, the better your user experience is, the more chance you have of making money online.

*1 Second delay in pagespeed = 7% drop in conversions

Protect your revenue

When a user visits your website on a public WiFi signal, there is no way of guaranteeing that your website is all they will see, without a secure connection.

Criminals are not the only ones looking to make money off your site; Internet and WiFi providers have joined in too, injecting scripts to alter the content of your website and adding their own adverts without you ever knowing.

Next time you connect to an open connection, an airport WiFi for example, you may notice more/different adverts on sites you know. This is because the service provider injects their own advertising, sometimes in place of your own ads.

5and3 doesn’t use ads because it’s not how we make money and it cheapens our website. Yet if you view our website on an open proxy, there’s a high chance you will see adverts on our precious website. This is very annoying for us, because we take a lot of pride in how we make websites and anyone can come along and graffiti it just as a potential future client could be about to discover us.

Oh no, I rely on income from my website, what can I do?

HTTPS to the rescue. When serving your website with HTTPS most of these ‘attacks’ will be eliminated.

Why Adopt HTTPS now?

Some folk in the SEO community are already touting “2017 as the year of HTTPS”.

HTTPS adoption has more than doubled in 2016.

In 2016, more businesses migrated to HTTPS than in the last 20 years. Next year this is expected to grow even more.

Back in 2014, only 1.9% of the top 1 million websites served via HTTPS, whereas today, around 10% serve their websites securely.

HTTPS site adoption rate has grown from 16,056 in 2014 to 96,413 in 2016. That’s 6 times more than two years ago.

With Google behind the movement, pressure will build to upgrade your method of serving your website. The previously mentioned changes to Google Chrome will also aid in the “education” of the general public about the importance of security online.

Why isn’t 5and3.co.uk HTTPS enabled yet?

Update: HTTPS is now fully installed on 5and3 as promised. 

Good question!

Because we were monitoring the situation. We wanted to make an informed decision, and there were many variables to consider.

Now that most of these hurdles have been removed or reduced, we are happy to recommend HTTPS to our clients and all other sites. It is categorically where the web is heading and will become more important as general awareness improves, forcing more businesses to adopt HTTPS.

As we, at 5and3, are now actively recommending HTTPS, we need to practice what we preach, so we have plans to implement TLS to 5and3 early in 2017.

Once we have a small break from client work, we will start migrating 5and3.co.uk to https://5and3.co.uk.

We are currently in a similar boat to Google, recommending something that we aren’t implementing ourselves yet, but the plans are there.

Google are a bit ahead of us, in that some of their sites do already support https, yet because they are enormous, I think we will have our website secured before Google does.

Reasons not to adopt HTTPS yet - What are the cons?

Over the years there have been many reasons why businesses have put off adopting HTTPS.

A lot of these hurdles have been lowered or removed altogether. For example:

Costs: Thanks to Let’s Encrypt and its partners, the costs of certificates have dramatically come down. Also, thanks to the work from Google in developing SPDY, the burden on server resources has been greatly lifted. This means up-front costs are now minimal and ongoing costs, like hosting, are now more in line with HTTP/1.1; some websites may even benefit.

Understanding: It takes time to educate everyone. The general public will become more aware of the importance of security online and once they do, businesses will have to adapt or fall behind competitors that do react now.

Some of these hurdles still remain:

Technically challenging: All website migrations can be technically challenging, but HTTPS makes them way more complicated, making it easier to break things that already work well. That said, quite a bit of work is being done behind the scenes to make it easier.

3rd party software: Some 3rd party software might not work yet with HTTPS. This may be a deal breaker for some businesses. Either waiting for support from 3rd party software or finding alternatives can be time consuming and costly.

Anti-patterns: Certain best practices with HTTP/1.1 can become anti-patterns with HTTPS. This is because HTTPS opens a connection which is the heavy processing part for HTTPS but all subsequent requests after are faster than HTTP/1.1. This essentially means, you optimise an HTTPS site slightly differently compared to good old HTTP/1.1.

Caching: Getting caching to work well with HTTPS can be tricky. Most of the supposed issues with caching are a myth, but there is a slight caveat. Firefox will only cache HTTPS resources in memory by default. If you want persistent caching to disk, you’ll need to add the Cache-Control: Public response header.
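Two checks a site owner can run for the “Technically challenging” hurdle and the script injection described under “Protect your revenue”, added here as an example and not taken from the original article: mixed_content lists subresources a page would still request over http:// after moving to HTTPS (browsers block the active ones, a common way migrations break), and injected_hosts compares the origin's HTML with the copy received over an untrusted network. The function names, host names and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make a browser fetch a subresource. "Active"
# types can run code or restyle the page; "passive" ones are images and media.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class ResourceCollector(HTMLParser):
    """Collect (kind, absolute_url) for each subresource a page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel=canonical is a plain link, not a fetch
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in pairs:
                if tag == t and attrs.get(attr):
                    url = urljoin(self.page_url, attrs[attr])
                    self.resources.append((kind, url))

def collect(html, page_url):
    parser = ResourceCollector(page_url)
    parser.feed(html)
    return parser.resources

def mixed_content(html, page_url):
    """Subresources still requested over http:// once the page is on https://."""
    return [(k, u) for k, u in collect(html, page_url) if urlsplit(u).scheme == "http"]

def injected_hosts(origin_html, received_html, page_url):
    """Hosts referenced by the copy a client received but not by the origin's copy."""
    def hosts(html):
        return {urlsplit(u).hostname for _, u in collect(html, page_url)}
    return hosts(received_html) - hosts(origin_html)

# Constructed sample pages (not taken from any real site).
ORIGIN_HTML = ('<link rel="stylesheet" href="/css/site.css">'
               '<script src="http://cdn.example.net/lib.js"></script>'
               '<img src="http://www.example.com/img/logo.png">'
               '<script src="//widgets.example.org/chat.js"></script>')
RECEIVED_HTML = ORIGIN_HTML + '<script src="http://ads.example.invalid/a.js"></script>'
```

Comparing hosts only surfaces injected external resources; inline script added to the page body needs a content hash comparison instead.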

WHAT ABOUT INSTALLING HTTPS?

Implementing HTTPS has its complications. It’s not something you’ll want to tackle yourself, unless of course you are technically minded.

If you are interested in implementing HTTPS by yourself, there are many guides online, but this guide from Chris Palmer (Chrome security team) is a good place to start.

Not technically minded? Excellent, we can handle your site migration for you.

Either give us a call on 01342 837821 or start your migration project with us today

Conclusion

Google has been behind this drive to making the web safer for some time now. They are learning how best to educate web users about the importance of security.

January 2017 is their next step in this education. At some point in the future, consumers are going to wise up, and when they do, anyone still serving their site via HTTP/1.1 will have a nasty shock when they suddenly lose customers.

There will be a tipping point where all other brands will feel pressured into it because they won’t be able to compete. The question is, do you want to be an early adopter and reap the benefits now, or play catch up when the carrots are less ripe or, worse, gone altogether?

Act now when there are benefits, or wait until it becomes minimum requirement, losing many sales in the process?

Only you can decide... but you can't say we didn't warn you.

Further reading?

External resources

Why HTTPS?

TLS Certificates

HTTPS Guide

