HTTPS: What It Does, Why You Need It and How to Get It

HTTP has been around since the very beginning of the internet in the late 1980s. You see it at the beginning of every website URL in your web browser’s address bar, but what exactly is it?

HTTP, which is short for HyperText Transfer Protocol, is a set of rules for transferring a web page between a web server and your browser. When you browse to a specific URL in your browser, it starts a conversation with the website’s server to download everything it needs to render that web page.

What if your browser needs to send or receive information that is private? The conversation that takes place with HTTP happens in “plain text” which means a third-party can listen in on your browser’s conversation and see everything that is being said. This is a great way to steal personal information like your credit card number or other sensitive stuff. To discourage this, we need to use HTTPS.

HTTPS is the exact same conversation your browser and the web server were having before, but now all of that information is encrypted. Only your browser and the web server possess the key to decrypt it. This prevents any eavesdroppers from understanding what is being said.

How does it work?

The encryption that happens when you’re using HTTPS is done using a special “SSL/TLS certificate” from the website’s server as well as a unique encryption key from your browser. Both the certificate and your key are used throughout your conversation to prove to the other party that they are who they say they are. Without these, a third-party could intercept your conversation and pretend to be either the server or your browser.

Before the conversation begins, your browser and the server say hello and agree on two things: the type of encryption they are going to use and the encryption keys that are going to be used to perform the encryption. Once this initial handshake is complete, both your browser and the server can speak the same encrypted language and can have a private conversation that is very hard to eavesdrop on.

How do you know it’s working?

Despite all of this complicated technology happening behind the scenes, your browser makes it very easy to make sure HTTPS is on and working properly. In addition to having “https://” in the URL bar on your browser, you will also see a padlock icon somewhere nearby indicating that your connection to the website is secure.

If you don’t see that confirmation in your browser, then HTTPS is not active and nothing your browser sends or receives is encrypted. This is actually OK if you’re just browsing a website without entering any personal information. However, you should always make sure HTTPS is active whenever you are performing activities such as logging into a website, filling out a form, or checking out on an ecommerce site.

How does it benefit your site?

  • Security & Privacy
    The most important benefit for you, your site, and your site’s users is of course the security that HTTPS gives. If your site is running HTTPS, everything your browser sends to and receives from the web server is strongly encrypted, so third parties can’t easily eavesdrop on you and/or perform malicious activities. This is absolutely essential if your website is ecommerce, has a log-in system, or any other kind of interface that lets users send and receive sensitive information. You’re not only protecting them, but you are also insulating yourself from any penalties or lawsuits that could potentially arise if a user’s security is breached and exploited.
  • Perceived Security
    Today, the general public is becoming more and more concerned about their privacy. Who can blame them in an age where viruses, malware, phishing, and other naughty behavior are more common than ever before? You also read news stories about companies having major security breaches almost every week. As a result, major internet technology companies like Google are taking a stand and treating HTTPS as a “must have”. For example, Google Chrome will now show a warning that a site is “not secure” if it’s not running HTTPS.

This doesn’t actually mean there is a problem with the site, but Google is now taking the responsibility of warning Chrome users not to enter sensitive information on this site. If your users are concerned about their privacy, seeing the words “this site is not secure” does not instill confidence in your website. More and more people are looking for that little padlock icon to give them peace of mind about their privacy and security. If they have that, they will trust your website more, and in turn will be more likely to return.

  • SEO Boost
    Back in 2014, Google shook things up by including HTTPS as a ranking signal for their search engine. It’s by no means a large factor in your rankings, but it is a small one. It can come in handy if your site ties with a competitor on every other ranking signal, because if you have HTTPS you will rank higher. If you’re competing for some major search keywords, it’s almost irresponsible not to have HTTPS.
  • Website Performance
    A great side-effect of using HTTPS, if you are on the right web host, is that your website will get a nice performance boost. There is a new technology on the web called HTTP/2. Without going into a lot of detail, this technology is the new protocol your web browser can use to connect to web servers. The current HTTP protocol (HTTP 1.1) was created over 15 years ago. Since then, websites have become dramatically more complex. Instead of a single HTML document and a few images, your average web page will have dozens of images, several stylesheets and JavaScript files, and will load a few external APIs like Facebook, a live chat, etc. HTTP/2 was built with the modern web in mind and dramatically speeds up the connections between your browser and the web server, resulting in a much faster page load time. Check out this fun demonstration of HTTP vs. HTTP/2 and see for yourself!

So where can you get HTTP/2? The good news is that all modern web browsers support it, but they also require that the website is using HTTPS in order for it to work. The bad news is that you need to have a web host that supports HTTP/2.

WP Engine is an ideal host because they support HTTP/2 and it requires almost no effort to set up. By simply installing an SSL certificate, HTTP/2 immediately turns on and you’re ready to go. There are other hosts out there that support it, and they can be found by a simple search for “http/2 web hosts.” If you are stuck on a web host that doesn’t support it, you can use a third-party service like CloudFlare. Their service will handle serving up your website’s content via HTTP/2, but your web host still hosts and runs the site itself.

What are the risks?

Despite all of the awesome that HTTPS gives you, there can be some risks to making the switch if you’re not prepared.

  • Temporary Drop in Traffic
    If you have an existing site using HTTP and you switch to HTTPS, Google counts this as a site move, with the usual SEO penalties that come with one. However, you can mitigate the effect by adding your HTTPS site to Google Search Console and Bing Webmaster Tools. After making the switch, Google estimates SEO recovery time at a few weeks (likely) to 2–3 months (less likely).
  • Duplicate Content and Link Dilution
    Because switching from HTTP to HTTPS counts as a site move, you will need to make sure only one version of your site (the HTTPS version) is active. This can be done by taking the following steps:

Use 301 redirects — Anytime you permanently move content, you need to set up a 301 redirect for search engines. For the HTTP to HTTPS switch, just one rule in your .htaccess file should take care of it.

<IfModule mod_rewrite.c>
    # Turn the rewrite engine on; without this line the rules below are ignored
    RewriteEngine On
    # Send any request that did not arrive over HTTPS (port 443) to the same
    # host and path on https://, as a permanent (301) redirect
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

If editing your website’s files isn’t something you’re comfortable with, there are plugins for all the major CMSs that will do this for you.

Update your sitemap — Make sure your XML sitemap is only using HTTPS URLs. If your site uses a CMS and has an SEO plugin installed, it should take care of this for you if your CMS is configured with an HTTPS URL.

Ensure all internal links point to your HTTPS URL — Any internal links on your website will need to be using the HTTPS version. If your site uses a CMS like Drupal, it uses relative URLs in its content and will automatically update. If you’re using WordPress, which uses absolute URLs in its content, you’ll need to do a search and replace of your database to change all HTTP URLs to HTTPS.

Ensure canonical tags point to your HTTPS URL — The rel=canonical tag on all of your site’s pages must point to the HTTPS versions. A CMS website with an SEO plugin should take care of this automatically.

Ensure external links to your site point to your HTTPS URL — This one is trickier since you obviously won’t have the ability to change all the external links to your website. However, you should change the ones that you do have access to, such as within social profiles. It’s not worth the effort to pester other website owners to update their links to your site. After all, that’s what the 301 redirect is for.

Beware of Mixed Content

It’s very satisfying to see that nice green padlock icon in your browser when HTTPS is up and running on your site. However, it only takes one single piece of your site that is not loading via HTTPS to change that.

For example, if your site is set up 100% correctly for HTTPS and you decide to embed a YouTube video in a blog post, you must make sure you use YouTube’s HTTPS URL for the video. Otherwise, the video loads over HTTP and the browser will see this, triggering a “mixed content error.” Chrome shows this by switching from the padlock icon to an information icon and saying your site “is not fully secure.”

If you find it frustrating to constantly make sure you’re using HTTPS URLs in your website’s content, there are plugins available for the major CMSs that will “force” all URLs to be HTTPS. That means if an HTTPS version of the URL exists, it will switch to it. However, you should still be vigilant in case you embed content from a provider that doesn’t have an HTTPS version.
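The migration checklist and the mixed-content caveat above can both be checked mechanically. The following Python script is an added example, not the post’s own code: it scans one page’s HTML and reports a canonical tag still on HTTP, internal links still on HTTP, and any http:// resources that would trigger the browser’s mixed-content warning. The sample HTML and the site host www.example.com are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example for this article, not the original post's code. Tags whose
# http:// sources browsers block outright (active mixed content) versus those
# they only warn about (passive), following the W3C Mixed Content spec.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source"}

class HttpsAudit(HTMLParser):
    # Collects (kind, tag, url) findings for one page of a migrated site.
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "canonical":
            if urlsplit(a.get("href", "")).scheme != "https":
                self.findings.append(("canonical-not-https", tag, a.get("href", "")))
            return
        url = a.get("src") or a.get("href") or ""
        parts = urlsplit(url)
        if parts.scheme != "http":  # https, relative and data: URLs are fine
            return
        if tag == "a":  # only internal links are ours to fix; 301s cover the rest
            if (parts.hostname or "").lower() == self.site_host:
                self.findings.append(("internal-link-http", tag, url))
        elif tag in ACTIVE:
            self.findings.append(("mixed-content-active", tag, url))
        elif tag in PASSIVE:
            self.findings.append(("mixed-content-passive", tag, url))

def audit_html(html, site_host):
    parser = HttpsAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page; www.example.com stands in for the migrated site.
SAMPLE = """<html><head><link rel="canonical" href="http://www.example.com/post/">
<link rel="stylesheet" href="https://www.example.com/style.css">
<script src="http://cdn.example.net/widget.js"></script></head><body>
<a href="http://www.example.com/about/">About</a> <a href="http://partner.example.org/">Partner</a>
<img src="http://www.example.com/logo.png"> <img src="/relative.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit_html(SAMPLE, "www.example.com"):
        print(f"{kind:22} <{tag}> {url}")
```

Run it against a page you have saved locally to get a fix list before flipping the 301 redirect on; the external partner link and the relative image are deliberately left unreported.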

Is Your SSL Certificate Valid and Active?

HTTPS only works if your SSL certificate is valid and active, so you must keep track of the expiration date on your certificate. If you let it expire, HTTPS will break and the browser will display a big scary warning to everyone visiting your site.

This won’t do any good in terms of establishing trust between you and your users. You must always make sure your certificate is renewed annually.

You can set up auto-renewals with your certificate issuer, but you (or your developer) are still required to install the renewed certificate on your server. If you can’t do this, then try to pick a web host that auto-renews and auto-installs certificates for you. That way you will always be sure your certificate is OK.
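To see for yourself what the handshake described earlier actually negotiated, and to keep an eye on the expiration date discussed in this section, here is a small Python script added for this article (not code from the original post). It completes a real TLS connection, reports the agreed protocol version and cipher suite, and flags a certificate that is expired or inside a renewal window. The function names and the 30-day window are assumptions; the date arithmetic is kept in a separate helper so it can be checked without a network.

```python
import socket
import ssl
import time

# Added example for this article, not the original post's code. Function
# names and the 30-day warning window are assumptions for illustration.
WARN_DAYS = 30

def days_until_expiry(cert, now_ts=None):
    """Days left on a certificate, given the dict that ssl's getpeercert() returns.
    now_ts is seconds since the epoch (UTC); it defaults to the current time."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # e.g. "Jan 10 00:00:00 2027 GMT"
    now_ts = time.time() if now_ts is None else now_ts
    return int((not_after - now_ts) // 86400)

def classify(cert, now_ts=None, warn_days=WARN_DAYS):
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        return "expired"
    return "expiring" if days <= warn_days else "ok"

def inspect_host(hostname, port=443, timeout=5.0):
    """Complete a real TLS handshake and report what the two sides agreed on.
    Needs network access. The default context verifies the chain and the
    hostname, so an expired or mismatched certificate raises
    ssl.SSLCertVerificationError, the same failure a browser turns into its warning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),      # e.g. "TLSv1.3": the agreed protocol
                "cipher": tls.cipher()[0],      # the agreed cipher suite
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "days_left": days_until_expiry(cert),
                "status": classify(cert),
            }

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for key, value in inspect_host(host).items():
        print(f"{key}: {value}")
```

Scheduling this against your own hostname and alerting on anything other than "ok" catches a missed renewal weeks before visitors see the browser warning.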

How to Get HTTPS

Now that you’re an expert on what HTTPS is, how it works, and the pros and cons, how do you actually get started with using it?

Purchase a Certificate
The first step is to purchase the SSL certificate for your site. Often, your web host will be the easiest place to get a certificate from. If they don’t offer their own SSL, some reputable certificate issuers include DigiCert, VeriSign, and GeoTrust. For the budget conscious, GoDaddy and Namecheap have the most affordable options.

Always make sure you are buying a certificate that is “SHA-2”, also referred to as “2,048 bit”. This represents the strength of the encryption and is currently the industry standard.

Next, you will be faced with a menu of certificate options. Depending on the certificate issuer, you could be faced with two or three certificate options or sometimes a dozen. So which option is the one you need? All of them can be broken down into just a few certificate types:

  • Domain Validation
    This is the most common type of certificate. It validates that you have the right to use your domain name. This is probably the one you’ll want.
  • Organization Validation
    In addition to validating your domain name, this type of certificate will also validate the existence of your company or organization. Some company details will also be displayed in your public certificate information to pass along that trust to the website user.
  • Extended Organization Validation
    This type will go even further with the process of validating your company or organization. This will involve actual paperwork and processing. They will verify the legal, physical, and operational existence of the company, among other things. You will also get extra-special treatment by people’s web browsers, displaying your company’s name in a lovely shade of green next to the secure padlock icon.
  • Wildcard
    If you have multiple subdomains that you use for different websites, products, etc. then a wildcard certificate may be best. Instead of buying a certificate for every single subdomain, a single wildcard certificate will take care of the job. This will save a lot of money.
  • Multi-Domain
    These are also known as “Subject Alternative Name” (SAN) certificates or a “Unified Communication Certificate” (UCC). This is an option from some issuers that lets you use one certificate on multiple domain names. This is different from a wildcard, which only works on one domain name and is designed for subdomains.
  • Free SSL Certificates
    Yes, this is really a thing! Created by organizations that believe in “HTTPS everywhere”, there are a few issuers that will give you a domain validated certificate for free. Let’s Encrypt is a great example. The only problem is that if you’re not a developer, these can sometimes be difficult to set up. However, there are web hosts out there that have included a free SSL option in their plans. WP Engine, A2 Hosting, and Dreamhost are examples. Just do a search for “free ssl web hosting”. Free certificates are a major leap forward toward the goal of making the web a more secure place.

No matter what level of validation or type of certificate you choose, always remember that there is absolutely no difference in the level of security or encryption. You can use a free certificate or pay hundreds of dollars and your users’ data will be just as secure as long as they are using SHA-2 encryption. By paying extra for more validations, you’re getting a more trustworthy stamp of approval on your certificate due to how heavily your website and company have been vetted.

Contact us to learn more about HTTPS, in addition to other website security tips and recommendations.
