This article was originally published on Nick Janetakis.
If you have a website, or you’re thinking about deploying your site soon, you need to consider making it work with HTTPS.
Now, before we go over the issues of not having a secure site (spoiler alert: it’s a big deal even if you ignore the security concerns), let’s go over how many sites are using HTTPS as of mid-2017.
According to Firefox’s telemetry data, ~60% of page views are being loaded over HTTPS:
That shows about a +20% adoption rate in 18 months, which is very impressive considering that accounts for all page views on the internet, not just page views on top sites.
Chrome’s telemetry data is in the same ballpark as Firefox:
Why Is Everyone Scrambling to Secure Their Site?
The reality is, hosting an insecure site just isn’t good enough…
- Google ranks insecure pages (HTTP) worse than secure pages (HTTPS)
- Your visitor’s browsing activity and data isn’t encrypted or protected
- Chrome and Firefox are adding scary visual cues to punish insecure sites. That means, even non-technical folk are now receiving in your face warnings that your site is dangerous to view…
It started with the secure lock icon, but that’s old news. Browser vendors have been doing that for years.
Recently, they have been rolling out more aggressive cues, and it’s going to continue to get worse and worse for insecure sites as time goes on.
A few current and upcoming visual cues in Chrome and Firefox:
Firefox is already showing the visual cues on the right, and Chrome is about to transition to using a non-red “Not secure” label in October 2017, with the red version coming eventually.
These are in your face warnings that your site is not secure. I don’t know about you, but there’s no way in heck that I would consider putting sensitive information into an insecure form.
Insecure Sites Let Anyone Who Is Watching View Your Browsing Habits
I don’t even like browsing anonymously on insecure sites because that means all of your browsing habits can be spied on by your ISP (Internet Service Provider) or anyone watching. With net neutrality constantly being attacked, this is a big deal and ultimately affects everyone in the world.
As website owners, we can do our best to secure the web one site at a time by simply securing our sites over HTTPS. It’s not a war that we can’t win either. We are winning (world wide HTTPS coverage is over 50%).
Insecure Sites Rank Worse in Google Search Results
Learn PHP for free!
Make the leap into server-side programming with a comprehensive cover of PHP & MySQL.
RRP $11.95 Yours absolutely free
In the middle of 2014, Google openly admitted that HTTPS is a page ranking signal.
Now, I’m not going to pretend I know the inner works of its ranking algorithms (because no one outside their search team knows this info), but facts are facts. An insecure page served over HTTP has less page rank value than an equivalent secure site served over HTTPS and the above article states that the strength of HTTPS vs HTTP may go up in the future.
It’s mid-2017 now and that article was written in 2014, so “today” is the future. There hasn’t been an update to that article as far as I know, but all I know is, I wouldn’t want to give my competitors an SEO advantage because I didn’t secure my site.
All that is to say, we’re on a rapid march towards a “secure by default” web when it comes to protecting traffic.
And if you’re serving anything over an insecure connection, you need to plan how you’re going to go HTTPS now.
Let’s Secure Your Site With HTTPS Together
There are a number of options for securing your site with HTTPS, and they all involve obtaining SSL certificates and then configuring your web server to use those certificates.
My favorite way of doing this is with a service called Let’s Encrypt.
Why Let’s Encrypt?
Simply put: They are a free, automated and open certificate authority.
- SSL certificates can be issued for free via Let’s Encrypt. Compare that to $10/year per certificate from other providers — don’t get ripped off!
- It’s open source, transparent and has a huge community
- 100% hands-free SSL certificate automation once you set it up. Other providers require you to manually renew certs yearly or your site stops working
- Over 40 million+ certs issued and growing at remarkable speeds
If you want to learn how to secure any website or web application with Let’s Encrypt then check out the HTTPS with Let’s Encrypt course I recently released.
From insecure to an A+ rated secure site in 3 hours
- Crash Course on SSL Certificates
- Create a server on DigitalOcean
- Securely host a website with nginx and Apache
- Hook up a custom domain name to your server
- Integrate and automate Let’s Encrypt for A+ rated SSL certificates
3 hours is all you need to understand the ‘how’ and then actually secure your own site or web app with HTTPS using Let’s Encrypt.
The course covers everything you need to know about using HTTPS and even goes as far as how to set up a web server and hook up a custom domain name. It also contains ready-to-use scripts and configs that I’ve been tweaking and using in production for years. You’ll get an A+ SSL rating.
Don’t keep doing SSL the old way. It’s time-consuming and costly.
Grab the course now and learn Let’s Encrypt quickly without digging too deeply into its documentation and without having to learn it through trial and error.
Complete with a 100% risk free, 365 day money back guarantee.
Plus SitePoint fans get the course for 40% off for the next 24 hours!
Nick Janetakis is a self-taught full stack developer who concentrates more on the DevOps side of things. Nick is the author of Dive Into Docker. and HTTPS with Let's Encrypt which are premium video training courses aimed at web developers. Over 20,000 people have taken at least one of Nick's courses.
Jump Start Git, 2nd Edition
Visual Studio Code: End-to-End Editing and Debugging Tools for Web Developers