If you know about HTTPS but aren’t yet convinced it’s worthwhile, or perhaps you are wondering if you should care enough to bother reading the rest of this post, then maybe a picture will persuade you. How would you feel if visitors arrived at your site to find this warning next to your domain name URL?
I’m pretty sure you’d rather it looked like the following, right?
When you type your domain name into a browser, if your website appears with “https://” at the start of the name (note the “s”!!), then you are already using encryption to securely communicate with your visitors. Well done. 🙂
If your website appears with “http://” (without the “s”), then maybe you should consider changing this; but… why?? The simple answer is that it’s better for your customers and better for you. Since 2014, rather than just have websites labelled as “Secure” if they use solid encryption (via HTTPS), Google has been campaigning to mark non-secure sites (“http://” at the start) as exactly that: “Not Secure”. As of the time of writing, this is an option in Google Chrome, and it looks like the first picture above, but it is not yet the default. The current default is an “i” icon which when clicked gives the non-secure message, like this:
However, it’s only a matter of time before Google changes the default to specifically saying “Not Secure”, and Chrome outstrips usage of other browsers by a huge margin. The other browsers will no doubt follow suit. So if you haven’t switched yet, you might want to put an action plan in place now, rather than wait for the inevitable.
You aren’t alone though. As of the start of 2017, many HUGE websites, including eBay, do not use HTTPS, so if they don’t, what’s the fuss about? For many of them, there are technical reasons that they are working to overcome and will no doubt be scrambling to make the change soon.
Apart from the obvious fluffy/professional feeling the “Secure” padlock symbol gives to your visitors, there are other direct benefits to you. Google has stated that they are giving a weighting to secure sites in their search rankings. So if your site has the padlock, but your competitors do not, yours will be given a nudge upwards on search results. Every little counts!
You are probably wondering why Google wants everyone to use HTTPS. That would make for a blog post on its own, but very briefly, it means that the data passing between the site and the user is encrypted, so anyone “listening” on the same network cannot easily intercept it. This matters anywhere that has a user input area (think login passwords, credit card details, even a newsletter subscription (email) sign-up that you’ve promised to keep safe). “User” in this case includes you if there is a login area to your own backend website admin panel! At this point, I’m hoping you are thinking twice about ever logging into sites on that (non-secure) list above whilst using a public wifi network (that might have other people on it you don’t know and trust).
However, note that all the padlock is doing is ensuring that the connection between the user and the site is as expected – so the site is verified to be who it says it is and there is nothing in the middle hijacking the connection. This means that as a web user, even if you see a padlock on someone else’s site, you should still be confident it is a reputable site before entering any private information.
The good news is that it is often straightforward to make the switch. Firstly, you need an SSL security certificate; some web-hosts provide an entry level certificate for free with the hosting and others charge a small annual fee. Then you need to get your site to divert all HTTP to HTTPS. How to do this varies according to platform, so ask your web developer what your options are, or if you don’t know who to ask, go ahead and get in touch with me.
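Once the redirect is in place, it is worth checking that it behaves as intended. The script below is an added example, not part of the original post: it records each hop starting from an `http://` address and flags a missing redirect, a temporary redirect, or a hop that stays on plain HTTP. The function names, the `example.com` sample chains and the rule that the first redirect should be permanent (301 or 308) are assumptions of this example.

```python
import http.client
from urllib.parse import urlsplit, urljoin

PERMANENT = {301, 308}
REDIRECTS = PERMANENT | {302, 303, 307}

def fetch_chain(url, max_hops=5):
    """Follow redirects by hand, recording (url, status, Location) per hop."""
    hops = []
    for _ in range(max_hops):
        p = urlsplit(url)
        cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
        conn = cls(p.netloc, timeout=10)
        conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        hops.append((url, resp.status, location))
        if resp.status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)
    return hops

def audit_chain(hops):
    """Return a list of problems; an empty list means HTTP is diverted to HTTPS cleanly."""
    if not hops or urlsplit(hops[0][0]).scheme != "http":
        return ["chain must start at an http:// URL"]
    problems = []
    first_url, first_status, _ = hops[0]
    if first_status not in REDIRECTS:
        problems.append(f"{first_url} answers {first_status} over plain HTTP, no redirect")
    elif first_status not in PERMANENT:
        problems.append(f"first redirect is temporary ({first_status}); use 301 or 308")
    for url, _, _ in hops[1:]:
        if urlsplit(url).scheme != "https":
            problems.append(f"plaintext hop after the first request: {url}")
    last_url, last_status, _ = hops[-1]
    if len(hops) > 1 and urlsplit(last_url).scheme == "https" and last_status != 200:
        problems.append(f"HTTPS page answers {last_status}, expected 200")
    return problems

if __name__ == "__main__":
    # Constructed sample chains (example.com is a placeholder), so this runs offline.
    good = [("http://example.com/", 301, "https://example.com/"),
            ("https://example.com/", 200, None)]
    bad = [("http://example.com/", 302, "http://www.example.com/"),
           ("http://www.example.com/", 301, "https://www.example.com/"),
           ("https://www.example.com/", 200, None)]
    for name, chain in (("good", good), ("bad", bad)):
        print(name, audit_chain(chain) or "OK")
    # Live check of your own site: audit_chain(fetch_chain("http://your-domain.example/"))
```

The second sample chain shows why the intermediate hop matters: a visitor's first two requests travel unencrypted before HTTPS ever starts.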