Google wants HTTPS everywhere and has decided that website owners who make the change and encrypt communications to all pages – regardless of whether or not their site collects sensitive information from its visitors – will be favoured in the Google search index over those sites that continue to serve their pages over non-encrypted connections (HTTP).
Security & privacy issues always in the news
Online security and privacy issues appear with alarming regularity in today’s top news stories. Little wonder then that such concerns are having an ever greater impact on our behaviour as consumers of technology.
Increasingly, the choices we make – the websites we visit, the information we are comfortable in providing and the products we buy – are now, more than ever before, influenced by an awareness of security and privacy.
In this article, I want to look at the concept of ‘HTTPS everywhere’, what it means for the business website owner, and the reasons for adopting it even if the website does not necessarily need to conduct secure exchanges of information with its users.
But first a short primer on some of the frequently used terminology.
HTTP vs HTTPS – what’s the difference?
Hypertext Transfer Protocol (HTTP) is the means by which web-based content is delivered across the Internet to a user’s browser software. It’s been with us since the very early days and consequently has no built-in security.
Secure Sockets Layer (SSL) is a technology that uses encryption to protect information ‘in transit’ across the Internet, effectively meaning that anyone who intercepts it cannot read it.
HTTP + SSL = HTTPS
The combination of HTTP and SSL protocols produces ‘Hypertext Transfer Protocol Secure’ or HTTPS for short. This protocol effectively encrypts information sent between the web server and the user’s browser and is used extensively (but not exclusively) in online banking, eCommerce and whenever exchanges of sensitive information need to take place securely over the public Internet.
SSL Labs is a web-based tool that assesses and reports on the implementation of HTTPS/SSL on any given website. You can view the report for pcaWeb.io here (it gets an ‘A’ rating!) or why not run it on your favourite banking website just for fun 🙂
How to know if a website uses HTTPS
There are two visible signs that HTTPS is present on a website:
- a URL in the browser’s address bar that begins with https://
- a green ‘lock’ icon in the browser’s address bar
We all use HTTPS every day when we browse common websites like Facebook, YouTube, Twitter and online stores. These major brands all recognise the importance of making their users feel safe and secure, and of showing that their privacy is important.
Not only does HTTPS prevent those with malicious intent from intercepting transactions as innocent as search engine queries or as important as credit card information, but the all-important ‘green padlock’ is fast becoming the trust icon desired by website owners regardless of whether the site actually requires it.
Why should you switch your site to HTTPS?
Here are the 3 compelling reasons for switching to HTTPS everywhere on your website and staying one step ahead of the competition.
1. Because Google Says So
The drive for encouraging website owners to adopt the ‘green padlock’ (HTTPS) on all their website pages, whether or not they deal with sensitive data, is being spearheaded by Google.
Put simply, Google wants ‘HTTPS everywhere’:
“we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web”
(Source: HTTPS as a ranking signal – Google Webmaster Central Blog 6/8/14)
The drive towards secure online communication
In a previous article which discussed the role of Google in the drive towards a mobile-friendly Web, I wrote:
“when Google speaks, we’d all better listen”
Well now they’re at it again, this time placing themselves at the forefront of the drive towards secure online communication. Anyone who uses Google products such as Search, Gmail and Google Drive already benefits from secured access to those applications.
In addition, Facebook and Twitter have also changed their apps to offer the same secure experience to their users and everyone else is set to follow suit.
2. Your website visitors will expect secure communications
Google wants secure communications on the Web to become the norm. So much so that visitors to any website (not just an eCommerce site) will come to expect a secure connection to the entire website (i.e. all pages).
In short, website visitors will expect to see the ‘green padlock’ and HTTPS in the browser address bar instead of just plain old HTTP.
It’s all about trust
There’s an old adage which says that for successful online interaction (i.e. via a website) the visitor should come to know, like and trust you. Everything that appears on the website from the design, the menu to the content should be contributing positively to one or all of those factors.
People do not necessarily understand the underlying technologies associated with encryption and SSL. They just look for the green padlock. It’s a powerful trust signal. If it’s there, they feel safer and, crucially, they conclude that the website owner actually cares about their privacy and security. If it’s there on every page the feeling of trust is strengthened even further.
The web is often an impersonal place. Savvy website owners recognise the importance of building trust with their visitors as one of the cornerstones of running a successful website, regardless of whether or not the site offers products or services.
Displaying the green padlock is a trust signal which demonstrates to the visitor that you are aware of issues surrounding secure communications and care about their privacy.
3. HTTPS boosts your website’s performance in search results
Google is already incentivising the take-up of HTTPS by rewarding website owners who adopt it, with a more favourable search ranking compared to those who do not.
So, the presence of HTTPS is now a ‘ranking signal’ which could boost performance in search relative to your competitors.
In future updates to its algorithm, Google expects the influence of that signal to grow even stronger.
How to get the green padlock (HTTPS)
Traditionally, implementing HTTPS on an entire website has been a somewhat costly and complex undertaking.
Purchasing an ‘SSL Certificate’ from a Certification Authority requires an initial fee followed by annual renewals thereafter and a paper trail of ID submissions and documentary proofs.
Then, having purchased the certificate, it has to be installed on the website hosting server and the various pages secured. This is seldom a straightforward process as all websites are structured in different ways and contain different content.
So, the take-up of HTTPS among non-eCommerce website owners has been low, principally because it’s just not worth the effort.
That is, until now…
Making HTTPS implementation easier – the ‘Let’s Encrypt’ project
The Let’s Encrypt project is relatively new. Its stated aim is to “make encrypted connections to World Wide Web servers ubiquitous” by significantly lowering the complexity associated with implementing HTTPS.
It allows the website administrator to obtain a free website ‘certificate’ which validates the website’s domain name without the associated proof of ID paper trail which is normally required.
There are no forms to fill in, no validation emails to deal with and no paid annual renewals. The certificate and renewals are issued automatically and are trusted by all major web browsing software.
Once installed on the web server, the certificate allows the website administrator to install HTTPS, display the all-important green padlock in the browser address bar and thus provide website users with a secure, encrypted connection to all pages on the site.
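Securing ‘the various pages’ once the certificate is installed largely comes down to finding pages that still load resources over plain http://, because browsers block such resources or stop showing the page as fully secure. The Python scanner below is an added example, not part of the original article; the tag list, function names and sample page are assumptions constructed for illustration.

```python
# Added example (not from the article): list plain-http references in a page.
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch a subresource (<a href> does not).
FETCHING = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
}
# <link> fetches only for some rel values; rel="canonical" and similar do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

class InsecureReferenceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            url = a.get("href", "") if rels & FETCHING_LINK_RELS else ""
        elif tag == "form":
            url = a.get("action", "")  # form data would be sent unencrypted
        else:
            url = a.get(FETCHING.get(tag, ""), "")
        if url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url.strip()))

def find_insecure_references(html):
    finder = InsecureReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, as it might look right after a switch to HTTPS.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/about">
<link rel="stylesheet" href="http://example.com/site.css">
<script src="https://example.com/app.js"></script>
</head><body>
<a href="http://example.org/">a plain link</a>
<img src="HTTP://example.com/logo.png">
<img src="//cdn.example.com/banner.png">
<form action="http://example.com/subscribe"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_references(SAMPLE):
        print(f"line {line}: <{tag}> references {url}")
```

The ordinary link, the canonical link and the protocol-relative `//cdn.example.com` image are not reported, since none of them causes an unencrypted fetch from an HTTPS page.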
Will you make the switch to HTTPS?
I’d love to know what you think about moving to HTTPS. Perhaps you’ve already made the switch or are thinking about taking action?
If you have any questions drop me a line, I’ll be happy to answer them.
pcaWeb is offering current clients the opportunity to install HTTPS for a one-time fee. Please contact me for more details.