Let’s talk about HTTPS encryption

The trend is clear: HTTPS encryption is a baseline requirement for all websites, not just those handling sensitive data.

WHAT IS HTTPS?

HTTPS is the standard web communication protocol, HTTP, carried over an encrypted channel: Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).

It both authenticates a website and encrypts all the communication back and forth, to protect against tampering, forging, or eavesdropping. The process of authentication and encryption uses digital certificates, issued by a trusted Certificate Authority, or CA.

All websites, even uncomplicated marketing and communication websites, should use HTTPS encryption. In the next few years, browsers will increasingly penalize unencrypted sites with warnings and messages to users; it’s also the right thing to do for customers who may be in public spaces, like cafes or places with open Wi-Fi connections.

HTTPS protects the integrity of your website
HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.

Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.

Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML … they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.

WHY HAVEN’T WE BEEN USING HTTPS ALL ALONG?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.

Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.

The Hypertext Transfer Protocol (HTTP) lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.

Sites need to look secure.
If you want your visitors to know their data is safe, you’ve got to look secure. The “s” in https and the green lock in the browser address bar are two indicators that a website is protected by a trusted SSL certificate.

WHAT IS AN SSL CERTIFICATE?

SSL stands for Secure Sockets Layer. It might sound complex, but it’s really not. SSL Certificates validate your website’s identity, and encrypt the information visitors send to, or receive from, your site. This keeps thieves from spying on any exchange between you and your shoppers.

When you have an SSL Certificate protecting your website, your customers can rest assured that the information they enter on any secured page is private and can’t be viewed by cyber crooks. Most hosting providers make it easy to install your certificate and secure your server.

SSL Certificates inspire trust and show visitors that you value their privacy. An SSL Cert protects your customers’ sensitive information such as their name, address, password, or credit card number by encrypting the data during transmission from their computer to your web server. SSL is the standard for web security, and a Server Certificate is required by most merchant account services – you’ll need one if you plan to accept credit cards on your website.  And now you need one if you want browsers to signal your site as secure with the green lock icon even if you aren’t a shopping site.

WHAT TYPE OF SSL DO I NEED?

There are three primary types of certificates:

  1. Domain Validation: Single domain or subdomain, no paperwork (just email validation), cheap, issued within minutes.
  2. Business/Organization Validation: Single domain or subdomain, requires business verification which provides a higher level of security/trust, issued within 1-3 days.
  3. Extended Validation: Single domain or subdomain, requires business verification which provides a higher level of security/trust, issued within 2-7 days. Green address bar.

Answer these questions to help find the SSL you need:

  1. Where are you located?
    Most certificates are issued worldwide with a few exceptions.
  2. Do you have a business or personal website?
    Unless you sell things on your personal website, a Standard SSL (DV) is fine. This is also true for informational business sites. eCommerce websites should use a business single-domain Standard SSL (DV) or Premium SSL (EV).
  3. Which type of web hosting server do you use?
    SSL certificates work on most hosting and server configurations. (To protect multiple domains on Microsoft’s Exchange Server 2007, Exchange Server 2010 or Live® Communications Server, use a Multiple Domain UCC SSL.)
  4. How many different domains do you need to protect?
    Wildcard SSLs cover multiple subdomains. For example, use a Wildcard to protect *.coolexample.com, which would cover shop.coolexample.com, www.coolexample.com and any other subdomains.
    UCC SSLs will cover multiple domains, subdomains and websites. For example, you can secure www.coolexample.com, mail.coolexample.com, and www.awesomeexample.com.
  5. Do you need an SSL certificate that supports Intel vPro technology for remote PC management?
    You’ll need the Deluxe Certificate (OV).
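For the question about how many domains you need to protect, a quick way to see which hostnames a certificate's names actually cover (an added example, not part of the original article). It assumes the usual browser matching rule, where `*` stands for exactly one left-most label; the function names and the extra hostnames are constructed for illustration.

```python
def name_matches(cert_name, hostname):
    """True if one certificate name (exact or '*.' wildcard) covers hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False  # '*' stands for exactly one label, never zero or two
    if pattern[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(pattern) > 2 and pattern[1:] == host[1:]
    return pattern == host


def uncovered(cert_names, hostnames):
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory of hostnames a site owner wants to serve over HTTPS.
HOSTS = [
    "shop.coolexample.com",
    "www.coolexample.com",
    "coolexample.com",          # bare domain, no subdomain label
    "mail.eu.coolexample.com",  # two levels below the domain
    "www.awesomeexample.com",   # a different domain
]
WILDCARD = ["*.coolexample.com"]
UCC = ["www.coolexample.com", "mail.coolexample.com", "www.awesomeexample.com"]

if __name__ == "__main__":
    print("wildcard leaves uncovered:", uncovered(WILDCARD, HOSTS))
    print("UCC leaves uncovered:", uncovered(UCC, HOSTS))
```

The wildcard name on its own does not cover the bare domain or names more than one level deep, so list every hostname you serve before choosing between a Wildcard and a UCC certificate.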

REASONS NOT TO MOVE TO HTTPS:
There aren’t many reasons not to move to HTTPS, but time, budget and search rankings should be considered.
The important thing to remember is to treat the migration from HTTP to HTTPS as being as important as a URL or domain migration: if done wrong, it can have a detrimental effect on your organic visibility within Google.

  • Time the change correctly – choose a quiet period (not when announcing a major event for example)
  • Expect some ranking issues during the changeover
  • You will be changing every link connected to your website (both in the site and to the site)
  • Potential reduction in AdSense revenue
  • Potential loss in social shares

NEXT STEPS:

  1. Coordinate with your hosting provider to purchase and set up your SSL Certificate
  2. Coordinate with your team – Be sure to inform everyone involved in the switch that the website will be under maintenance—this includes sales teams, developers working on the site that you may need help from or will be working with, and visitors. Communication goes a long way!
  3. Your web developer will need to make adjustments to the site templates, custom scripts, admin and CSS
  4. Your web developer will need to re-index your website so Google (and other search engines) show the new link as a search result
  5. Test your SSL certificate to see that it is working properly: head over to SSL Labs to view your score.
  6. Perform a link check throughout the site to make sure links work with the new https option (especially if you haven’t been using relative links in your content). This may also include any images, videos, etc. embedded into the main content.
  7. Set up 301 redirects from HTTP to HTTPS so that search engines are notified that your site’s addresses have changed and so that anyone who has bookmarked a page on your site is automatically redirected to the https address after you flip the switch.
  8. Update social media to link back to the new URL with the https in it
  9. Monitor links in all outbound communication to include the new HTTPS version of the site
  10. Monitor your Google Analytics for any issues (remember to Update Your Google Analytics Profile URL)
  11. Don’t let your certificate expire!
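The link check in step 6 can be automated. The sketch below is an added example, not part of the original article: it scans a page's HTML for hard-coded `http://` references and sorts them into active mixed content (scripts, frames, stylesheets), passive mixed content (images and media), and internal links that will only work through the 301 redirect from step 7. The sample page, the third-party hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE_TAGS = {"script", "iframe"}                  # run code or embed documents
PASSIVE_TAGS = {"img", "video", "audio", "source"}  # display-only media


class HttpReferenceScanner(HTMLParser):
    """Collect (kind, tag, url) for each http:// reference that needs fixing."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in ("src", "href"):
            url = (attrs.get(attr) or "").strip()
            # Relative and protocol-relative (//host/path) URLs inherit the
            # page's scheme; only an explicit http:// scheme is a problem.
            if urlsplit(url).scheme != "http":
                continue
            rel = (attrs.get("rel") or "").lower().split()
            if tag in ACTIVE_TAGS or (tag == "link" and "stylesheet" in rel):
                kind = "active"
            elif tag in PASSIVE_TAGS:
                kind = "passive"
            elif tag == "a" and urlsplit(url).hostname == self.site_host:
                kind = "internal-link"  # reachable only via the 301 redirect
            else:
                continue                # e.g. ordinary links to other sites
            self.findings.append((kind, tag, url))


def scan(html, site_host):
    scanner = HttpReferenceScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for the article's example host.
SAMPLE = """<link rel="stylesheet" href="http://www.coolexample.com/site.css">
<script src="https://www.coolexample.com/app.js"></script>
<script src="http://cdn.example.net/widget.js"></script>
<img src="http://www.coolexample.com/logo.png">
<img src="//www.coolexample.com/banner.png">
<a href="http://www.coolexample.com/contact">Contact</a>
<a href="http://partner.example.org/">Partner</a>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "www.coolexample.com"):
        print(*finding)
```

Fix the active findings first: a script or stylesheet fetched over plain HTTP can be modified in transit even when the page itself is served over HTTPS.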