Yes: Well done, good on you! Feel free to be smug, while the rest play catch up.
No: Tut, tut. No cookies for you then! Read on to learn why you need HTTPS.
Your website needs HTTPS
Web giants like Google are encouraging the web to become more secure because, quite frankly, there is a real need for
better online security. A secure website is no longer just for sites (eCommerce stores, for example) that handle sensitive information.
Your website should now be secure by default.
Serving your website over an insecure HTTP connection means you’re
potentially missing out on better search engine ranking opportunities. It also means that your website
will soon look rather suspicious once the upcoming browser changes arrive.
It is because of this security change that 2017 is being touted as the year of HTTPS.
More on that in a moment…
Let us first explain the basics of what HTTPS is and how it works.
HTTP Vs HTTPS: The difference and why you should care
HTTP: HyperText Transfer Protocol
HTTP is the ‘old default’ insecure way to serve your website to your users.
The HTTP/1.1 protocol is over 15 years old now and its successor is ready
to take to the floor. Welcome HTTP/2, the upgrade with web performance as its
key goal from the off.
HTTP/2 requires a secure connection. With optimisation, HTTP/2 is significantly
faster than HTTP/1.1, which is another hidden benefit of serving your website over
TLS.
HTTPS: Secure HyperText Transfer Protocol
HTTPS is a secure way to serve your website. HTTPS is essentially HTTP, only
the data transfer is encrypted.
Note the ‘S’, this stands for ‘Secure’.
HTTPS is essentially a secure tunnel to transfer encrypted data from the
server to the client/user's machine, making it safe from MitM (Man-in-the-Middle)
attacks.
A man-in-the-middle attack is a technique used by hackers to get between you
and the data you are looking at, and then use that position to monitor/control
what you are doing and seeing.
HTTPS requires adding an SSL certificate with a 2048-bit key to your site to secure it via TLS.
SSL: Secure Sockets Layer
SSL is the encryption that makes HTTPS secure and over the years SSL has evolved into TLS.
TLS: Transport Layer Security
When acquiring an SSL certificate, you are in fact getting a TLS certificate
because TLS is simply an evolution of SSL.
TLS incorporates three key layers of security:
- Encryption – Encrypting the exchanged data to keep it secure
- Data Integrity – Data cannot be modified or corrupted during transfer without being detected
- Authentication – Ensuring site users are communicating with the correct server/website.
HTTP/2
HTTP/2 is the new and improved protocol, with the aim to make the web safer and
faster. SPDY is the basis of HTTP/2.
Why is HTTP/2 good?
The HTTP/2 protocol has many benefits; its main advantages, though, are that it is
faster and reduces server load because it requires only a single connection per origin,
which means fewer sockets, memory buffers, TLS handshakes, and so on.
SPDY vs HTTP/2: What’s the difference?
HTTP/2 uses SPDY as its base to improve the speed of the web.
SPDY was developed by Google, and it is where most of the performance
improvements to the HTTP network protocol were made. HTTP/2 uses these
upgrades along with community feedback to further evolve.
How Chrome is changing to highlight unsecure websites
In the not so distant future, Google Chrome will begin shaming websites that
aren’t secure by default. Yes, you heard it right, you'll be shamed if your website is not secure!
This clear and obvious show of distrust can have a huge and detrimental effect on not only your users, but your search engine rankings as a whole.
Let’s look at how Google intend to roll these changes out…
Currently Google Chrome’s address bar looks like this:
From January 2017 when Google release Chrome 56 it will look like this:
In the near future, as Google continues to roll this out, it will end up looking like this:
So, with this red triangle icon, it’s safe to say websites still using HTTP after the change will look unsafe to customers.
Trust is an important aspect of running a business online, especially when handling any personal & financial data, as e-commerce stores do.
No more red purses
The Google Chrome security team, headed up by Parisa Tabriz, ran some research
and discovered that Chrome’s security symbology was failing to inform users
when a website isn’t secure.
During these user feedback sessions, Google tested their green padlock icon
to represent a secure connection and red padlock for standard non-secure HTTP.
Previous attempts struggled to get the message across: only 20% of users ‘got’
that the connection wasn’t safe.
In fact, many users didn’t know what the ‘padlock’ symbol represented; some
even thought it was a purse. Surprisingly, the colour being red or green made
no difference.
When users were shown a black circle with an exclamation mark in it, along
with “HTTP”, 38% regarded the site to be unsafe and would leave immediately.
Change the icon to a red triangle with the exclamation mark and “HTTP” to
“not safe”, then 66% of users will leave.
SEO Benefits of HTTPS
In this section, we will look at the many SEO benefits of HTTPS:
- Ranking boost
- Trust increase (Can improve conversions and in turn sales)
- Preserves & improves business reputation
- Faster user experience (Websites served by HTTPS are faster to load)
- Opens the door for HTTP/2
- Better security for your business - Less chance of you or your users being hacked
- Greater referrer data (improves data insights)
Can HTTPS increase your website’s ranking?
Yes, for sure, HTTPS can improve your website’s search engine ranking.
Google confirmed HTTPS as a ranking signal back in August 2014.
At the time of writing it is clear that only a very small boost will be achieved; however, think long term.
In the future it will certainly be dialed up as Google increase the pressure on website owners to make the switch.
Why is Google doing this?
Google initially only recommended migrating to HTTPS whenever a website was
handling sensitive information, especially personal & financial data.
Now the consensus is that all data online is potentially harmful in the wrong
hands. So, in today's world, there is no such thing as insensitive data,
which is why HTTPS everywhere by default is today's best advice.
Improving security increases trust
Trust is a big thing with customers and your online presence. Without trust you will find it very hard
to persuade customers to engage with or buy from you.
As the general public become more aware of the importance of securing the
web, you will struggle to obtain and retain visitors on your website, even with only an informative
page that has no sensitive data.
HTTPS also helps you maintain your business's hard-earned reputation in your
customers' eyes, whereas HTTP has the opposite effect.
Increasing trust can improve conversions, which is great news for your
business’s bottom line.
Performance enhancement
With optimisation, HTTPS is faster than HTTP, so your users will thank you
for adopting HTTPS.
Why is HTTPS faster than HTTP?
Once you have HTTPS installed correctly, it enables you to make use of
SPDY/HTTP/2, which is around 70% faster than HTTP.
You can test the performance difference between HTTP/2 over TLS and HTTP here.
Remember: Pagespeed (how quickly your page loads) is also a ranking factor.
So the faster your website, the better chance you’ll have of ranking above
your competitors with slower loading web pages.
Not to mention the correlation between pagespeed and conversions. In other
words, the better your user experience is, the more chance you have of making
money online.
1 Second delay in pagespeed = 7% drop in conversions
Protect your revenue
Without a secure connection, there is no way of guaranteeing that your
website is all a user will see when they visit it over public WiFi.
Criminals are not the only ones looking to make money off your site;
Internet and WiFi providers have joined in too, injecting scripts to
alter the content of your website and adding their own adverts without you ever
knowing.
Next time you connect to an open connection, an airport WiFi for example,
you may notice more/different adverts on sites you know. This is because
the service provider injects their own advertising,
sometimes in place of your own ads.
5and3 doesn’t use ads because it’s not how we make money and it cheapens
our website. Yet if you view our website on an open proxy, there’s a
high chance you will see adverts
on our precious website. This is very annoying
for us, because we take a lot of pride in how we make websites and anyone
can come along and graffiti it just as a potential future client could be
about to discover us.
Oh no, I rely on income from my website, what can I do?
HTTPS to the rescue. When serving your website with HTTPS most of these
‘attacks’ will be eliminated.
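
The injection described in this section can be spotted by comparing the page as published with the page as received over an untrusted network. The following is an added example, not part of the original article or 5and3's own code; the function names, sample HTML and hostnames are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags (and their URL attribute) that can pull third-party content into a page.
WATCHED = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects external resource hosts and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            host = urlparse(url).hostname  # None for same-site relative URLs
            if host:
                self.hosts.add(host)
        elif tag == "script":
            self.inline_scripts += 1


def profile(html):
    collector = ResourceCollector()
    collector.feed(html)
    return collector.hosts, collector.inline_scripts


def injected_content(origin_html, received_html):
    """Report hosts and inline scripts that appear only in the received copy."""
    origin_hosts, origin_inline = profile(origin_html)
    seen_hosts, seen_inline = profile(received_html)
    return {"new_hosts": sorted(seen_hosts - origin_hosts),
            "extra_inline_scripts": max(0, seen_inline - origin_inline)}


# Constructed sample: the page as published by the site owner.
ORIGIN = ('<html><head><link rel="stylesheet" href="/css/site.css">'
          '<script src="/js/app.js"></script></head><body>'
          '<img src="https://cdn.example.com/logo.png"><p>Hi</p></body></html>')

# Constructed sample: the same page after a hotspot proxy on plain HTTP added
# an inline script and an advert frame (the hostname is made up).
RECEIVED = ORIGIN.replace("</body>", '<script>var slot = "banner";</script>'
                          '<iframe src="http://ads.hotspot.example/b"></iframe></body>')

print(injected_content(ORIGIN, RECEIVED))
```

To use it on a real site, pass a copy taken from the origin server and a copy fetched over HTTP on the network in question; served over HTTPS, the received copy should not pick up extra hosts or scripts in transit.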
Why Adopt HTTPS now?
Some folk in the SEO community are already touting “2017 as the year of HTTPS”.
HTTPS adoption has more than doubled in 2016.
In 2016, more businesses migrated to HTTPS than in the last 20 years.
Next year this is expected to grow even more.
Back in 2014, only 1.9% of the top 1 million websites were served via HTTPS,
whereas today, around 10% serve their websites securely.
HTTPS site adoption rate has grown from 16,056 in 2014 to 96,413 in 2016.
That’s 6 times more than two years ago.
With Google behind the movement, pressure will build to upgrade your method
of serving your website. The previously mentioned changes to Google Chrome,
will also aid in the “education” of the general public to the importance of
security online.
Why isn’t 5and3.co.uk HTTPS enabled yet?
Update: HTTPS is now fully installed on 5and3 as promised.
Good question!
Because we were monitoring the situation. We wanted to make an informed decision,
and there were many variables to consider.
Now that most of these hurdles have been removed/reduced, we are happy to recommend
HTTPS to our clients and all other sites. It is categorically where the web
is heading and will become more important as general awareness improves,
forcing more businesses to adopt HTTPS.
As we, at 5and3, are now actively recommending HTTPS, we need to practice
what we preach, so we have plans to implement TLS to 5and3 early in 2017.
Once we have a small break from client work, we will start migrating 5and3.co.uk
to https://5and3.co.uk.
We are currently in a similar boat to Google, recommending something
that we aren’t implementing ourselves yet, but the plans are there.
Google are a bit ahead of us, in that some of their sites do already support
https, yet because they are enormous, I think we will have our website
secured before Google does.
Reasons not to adopt HTTPS yet - What are the cons?
Over the years there have been many reasons why businesses have put off
adopting HTTPS.
A lot of these hurdles have been lowered or removed altogether. For example:
Costs: Thanks to Let’s Encrypt and its
partners, the costs of certificates have dramatically come down.
Also, thanks to the work from Google in developing SPDY, the
burden on server resources has been greatly lifted.
This means up-front costs are now minimal and ongoing costs, like hosting, are
now more in line with HTTP/1.1; some websites may even benefit.
Understanding: It takes time to educate everyone. The general public will
become more aware of the importance of security online and once they do,
businesses will have to adapt or fall behind competitors that do react now.
Some of these hurdles still remain:
Technically challenging: All website migrations can be technically
challenging, but HTTPS makes it way more complicated, making it easier to
break things that already work well. That said, quite a bit of work is
being done behind the scenes to make it easier.
3rd party software: Some 3rd party software might not work yet with HTTPS.
This may be a deal breaker for some businesses. Either waiting for support
from 3rd party software or finding alternatives can be time consuming and
costly.
Anti-patterns: Certain best practices with HTTP/1.1 can become anti-patterns
with HTTPS. This is because opening the connection is the processing-heavy
part of HTTPS, but all subsequent requests are faster than with
HTTP/1.1. This essentially means you optimise an HTTPS site slightly
differently compared to good old HTTP/1.1.
Caching: Getting caching to work well with HTTPS can be tricky.
Most of the supposed issue with caching is a myth, but there is a slight
caveat. Firefox will only cache HTTPS resources in memory by default. If
you want persistent caching to disk you’ll need to add the
Cache-Control: Public response header.
What about installing HTTPS?
Implementing HTTPS has its complications. It’s not something you’ll want
to tackle yourself, unless of course you are technically minded.
If you are interested in implementing HTTPS by yourself,
there are many guides online, but this guide from Chris Palmer (Chrome security team)
is a good place to start.
Not technically minded? Excellent, we can handle your site migration for you.
Either give us a call on 01342 837821 or start your
migration project with us today
Conclusion
Google has been behind this drive to make the web safer for some time now.
They are learning how best to educate web users about the importance of security.
January 2017 is their next step in this education. At some point in the
future, consumers are going to wise up and when they do, anyone still
serving their site via HTTP/1.1 will have a nasty shock when they suddenly
lose customers.
There will be a tipping point where all other brands will feel pressured
into it because they won’t be able to compete. The question is, do you want
to be an early adopter and reap the benefits now, or play catch-up
when the carrots are less ripe or, worse, gone altogether?
Act now when there are benefits, or wait until it becomes a minimum requirement,
losing many sales in the process?
Only you can decide... but you can't say we didn't warn you.