Why Every Website Needs HTTPS
By Jeff Smith
This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
First and foremost, what does it mean for a website to use HTTPS rather than just plain old HTTP? It means that the site is secured with SSL (Secure Sockets Layer) or the more recent TLS (Transport Layer Security). If you’re not knowledgeable about the subject, this statement may mean exactly nothing to you, so let’s break it down.
When you visit a site, and you use the https version of the URL, you are asking for the secured version of the site. In a nutshell, this means that your browser will be hoping to see an SSL/TLS certificate on the website’s server. That certificate should be granted by a verifiable Certificate Authority (CA) and basically allows your browser to interact with it via an encrypted connection. Depending on the certificate, it may also say “Look, this site is who it says it is, that’s been verified”. Once that certificate is found, a secure encrypted connection can be established between your browser and the website. Now, if anyone attempts to step in and intercept your communication, the data will be encrypted. Your ISP might be able to determine what website you went to, or how much data is transmitted back and forth, but there won’t be any further snooping happening.
If the website’s server is accepting HTTPS requests, but there is no valid certificate for that website, or the site’s certificate is expired, has an invalid CA, or any other issue, your browser will notify you, and attempt to prevent you from continuing. This is due to the fact that the website is saying that there is a secured connection available, but not providing one, so the browser is trying to make you aware of that.
Many web servers either have a certificate, and route all incoming traffic to HTTPS, forcing you to use the secure version, or, if they have no certificate, route all traffic to HTTP, thus preventing users from trying to access a secure connection that doesn’t exist.
So, now that we have a rough idea of what constitutes an encrypted connection to a website, let’s take a look at the positive impacts of obtaining a security certificate for your site.
In 2014, Google made HTTPS a factor in search results. Their goal seemed to be to force a change, to pressure website administrators to offer proper security for their visitors. At the time, this was a big deal, and it seems to have worked. This period was the start of an upward trend in the percentage of websites that introduced SSL/TLS for part of their traffic. In fact, the number of sites that were entirely HTTPS also began to rise.
Of course, Google doesn’t publish all of the changes to the algorithms, but we know that HTTPS is an indicator, and it stands to reason that as more and more sites go HTTPS, the penalty for not doing so may also be increasing. For your site, or that of your client, isn’t a little bit of extra work well worth it to ensure that your site isn’t overlooked in favor of HTTPS-enabled competitors?
Make Your Visitors Feel Secure
This next reason also falls into Google’s wheelhouse, a bit, but concerning a different product: Chrome. According to a blog post about HTTPS sites, starting in 2017 with Chrome version 56, any pages that used forms to collect sensitive information (such as credit cards, login credentials, etc.) would now be marked as “Insecure” in the address bar, with the neutral gray icon and text.
So, if your site collects private user information, Chrome may already be marking it as “insecure” to your users. What will that do for your user confidence? And in future releases, Chrome will be marking all HTTP sites as “not secure” with red warnings in the bar – a clear sign to your users that they shouldn’t trust you! And Firefox does much the same thing, flagging form fields in non-HTTPS sites that may have you insecurely inputting sensitive information, and instructing users that the site is insecure in the address bar.
So, what is your users’ faith in your website worth? Even if you aren’t collecting sensitive information on your site, a visitor’s ability to browse with confidence may make all of the difference.
Actually Make Your Visitors Secure
Here we come to what should be the main benefit of using HTTPS for your website – making your visitors and their interactions with your website actually secure. So, what do you actually need HTTPS for, and how will it help secure your visitors?
As stated at the beginning of this article, the key is encrypted web traffic. When using regular HTTP, your Internet traffic – the forms you fill out on the sites you go to, the information you exchange with them – can all be intercepted. With HTTPS securely in place, your submitted usernames, passwords, credit card and other financial information are all encrypted. It is well worth the effort to set up HTTPS for your website, when the return is a security boost for everyone who uses your website!
Granted, some sites don’t deal in these kinds of transactions, so this reason, the most compelling for some, may be the least compelling for others.
Your Website Needs HTTPS
Regardless of which specific reason speaks to you most, the fact is that your website needs HTTPS! For small sites this can be a simple and free process, using things like Let’s Encrypt. For more complex ones, you may determine that an immediate switch to HTTPS is logistically challenging. The fact remains that it’s a better solution in the end, though, so you’ll want to make a plan and enact it as soon as you can!
Final Steps: How to Get HTTPS
So, if you’ve decided to get a certificate for your site and go the HTTPS route, the next question is how you would like to proceed. You have a few choices:
- Check out Let’s Encrypt. Let’s Encrypt is a free service, where you use their command line tools to create and set up your own certificates on your VPS or server. The certificates are free, but have to be renewed every 90 days. However, this process can be automated, so it’s not as bad as it might seem.
- Look for a hosting provider that includes an SSL certificate in their hosting plan, like our partner, SiteGround. SiteGround offers free Let’s Encrypt certificates with each of its hosting plans by default, so you won’t need to make any complex configurations. The certificate will be renewed automatically with your SiteGround hosting account and is supported by all of the most popular browsers.
- Purchase an SSL certificate yourself from a certificate authority such as Verisign, Digicert, or Comodo. Note that in this case you’ll have to pay for the certificate, upload it to your hosting provider (or set it up yourself, if using your own server or VPS), and also take care of its renewal afterwards.
Regardless of which you choose – pick a method, and get your website running with HTTPS today!
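Whichever route you take, the certificate has to stay valid, or visitors get the browser warning described earlier. The following is an added example, not code from the original article or from Let’s Encrypt: it performs the same checks a browser does (trusted CA, matching hostname, valid dates) and flags a certificate that is close to expiry. The 30-day renewal window, the function names and the example.test sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed renewal window, not a figure from the article

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns:
# a 90-day certificate for the placeholder name example.test.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}


def _parse(cert_time):
    """Convert a certificate timestamp string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def renewal_status(cert, now, renew_before_days=RENEW_BEFORE_DAYS):
    """Return (status, days_left) for a getpeercert()-style dict at time `now`."""
    days_left = (_parse(cert["notAfter"]) - now).days
    if now < _parse(cert["notBefore"]):
        return "not-yet-valid", days_left
    if now >= _parse(cert["notAfter"]):
        return "expired", days_left
    if days_left < renew_before_days:
        return "renew-now", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=5.0):
    """Handshake like a browser: verify the CA chain and hostname, then check dates."""
    context = ssl.create_default_context()  # system trust store, hostname checks on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired, unknown CA, or wrong hostname: what triggers the browser warning.
        return "untrusted", exc.verify_message
    return renewal_status(cert, datetime.now(timezone.utc))


if __name__ == "__main__":
    for day in (datetime(2024, 2, 1, tzinfo=timezone.utc),
                datetime(2024, 3, 11, tzinfo=timezone.utc),
                datetime(2024, 4, 2, tzinfo=timezone.utc)):
        print(day.date(), renewal_status(SAMPLE_CERT, day))
```

Run `check_host` against your own domain from a scheduled job to catch a failed automatic renewal before your visitors do.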