You may have heard or read about the latest announcement from Google regarding an HTTPS update. Last month Google stated that “[in] October 2017, Chrome will show the ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”
In practice, this is how it will work:
Examples of entering data could include signing up to a mailing list with an email address, or as Google demonstrate in the GIF below, entering search terms into a search bar on a website:
Google Chrome already displays a “Not secure” warning on pages where customers enter their card details or login details, if the site does not have HTTPS.
But this HTTPS update means that further sites will be affected if they collect any data at all about their customers via text input fields – such as a contact form.
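To find which of your own pages fall under the warnings described above, you can scan their HTML for fields a visitor types into. The following is an added example, not code from Google or from this post; the field classification is an audit heuristic (an assumption, not Chrome's detection logic) and the sample pages and `example.test` URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: an audit heuristic for your own pages, not Chrome's detection logic.
TEXT_TYPES = {"text", "email", "search", "tel", "url", "number"}


class FieldCollector(HTMLParser):
    """Collects (kind, name) for every field a visitor can type data into."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id") or "(unnamed)"
        if tag == "textarea":
            self.fields.append(("text", name))
        elif tag == "input":
            itype = a.get("type", "").lower() or "text"  # missing type means text
            if itype == "password":
                self.fields.append(("password", name))
            elif a.get("autocomplete", "").lower().startswith("cc-"):
                self.fields.append(("card", name))
            elif itype in TEXT_TYPES:
                self.fields.append(("text", name))
            # hidden, submit, checkbox etc. are skipped: nothing is typed there


def audit_page(url, html):
    """Report which of the warnings described in the post apply to one page."""
    collector = FieldCollector()
    collector.feed(html)
    insecure = urlsplit(url).scheme.lower() == "http"
    kinds = {kind for kind, _ in collector.fields}
    return {
        "fields": collector.fields,
        "warned_already": insecure and bool(kinds & {"password", "card"}),
        "warned_on_data_entry": insecure and bool(kinds),
        "warned_in_incognito": insecure,
    }


# Constructed sample pages (not taken from any real site).
CONTACT_PAGE = ('<form><input name="name"><input type="email" name="email">'
                '<textarea name="message"></textarea>'
                '<input type="hidden" name="token"><input type="submit"></form>')
LOGIN_PAGE = '<form><input name="user"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(audit_page("http://example.test/contact", CONTACT_PAGE))
```

A plain contact form served over HTTP is reported under `warned_on_data_entry` but not `warned_already`, which is exactly the group of sites newly affected by the update.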
We are strongly urging all our clients to update their sites to HTTPS as soon as possible – it is an essential element of web security and is relevant for all sites.
In this post, I’ll cover (in hopefully simple terms!) what HTTPS actually is, why it’s required, the benefits of SSL certification and the steps you need to take to ensure your site is secure.
What Is HTTPS?
HTTPS is short for “Hypertext Transfer Protocol Secure”. It essentially means that the communication between a visitor’s browser and the website is secure. Every website is either HTTP or HTTPS. For example, the Hallam website uses the HTTPS protocol, and you can see this displayed in green in the address bar.
HTTPS, the secure version of HTTP, offers better protection against someone on the same network viewing or modifying traffic, in what is known as a “man-in-the-middle” attack. It ensures that exchanged data is encrypted to uphold data integrity and to prevent information from being stolen.
How to Make Your Site HTTPS Compliant
First of all, you’re going to need an SSL certificate. These are required in order to make your site secure.
SSL certificates “are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser” – GlobalSign
You will need one certificate per live domain. For example, if you use a single domain (domain.co.uk) then you will need to purchase one certificate. If you use two domains (domain.co.uk AND domain.com) and you have a website on each domain you will need a certificate for each. If you have additional domains which redirect to your primary domain (if you own domain.com which simply redirects traffic to domain.co.uk) then you will only need one certificate.
There are a few different types of SSL certificate, and which one you opt for depends on your company and website requirements. These are:
- Domain Validation (DV)
- Organization Validation (OV)
  - The company is displayed within the certificate
  - These are paid for
  - Can take anything from minutes to several days to issue
- Extended Validation (EV)
  - Is a more expensive option
  - Can take up to a week to issue
  - Shows organisation in URL bar as well as within the certificate, see below:
- Wildcard Certification
  - Wildcard certificates are used for sites which have multiple subdomains and need a certificate across all of them.
  - For example, if you have www.domain.com and blog.domain.com, you can create a wildcard certificate which covers both of these domains, rather than managing a separate certificate for each. This cuts down on administration and renewals.
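Before buying, it is worth checking which of your live hostnames a given certificate would actually cover. A wildcard name stands for exactly one subdomain label, so `*.domain.com` covers www.domain.com and blog.domain.com but not the bare domain.com or a deeper name. The following is an added example, not code from this post; the function names are hypothetical, the hostnames are the post's placeholders, and public-suffix checks are not implemented.

```python
def name_matches(cert_name, hostname):
    """True if one DNS name from a certificate covers the given hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False  # a wildcard never spans more (or fewer) labels
    if pattern[0] == "*":
        # "*" replaces exactly one non-empty left-most label; require at
        # least two labels after it so names like "*.com" never match.
        return len(pattern) >= 3 and host[0] != "" and pattern[1:] == host[1:]
    return pattern == host


def coverage(cert_names, hostnames):
    """Map each hostname to the certificate name covering it, or None."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None)
            for h in hostnames}


def uncovered(cert_names, hostnames):
    """Hostnames that would fail certificate validation with this certificate."""
    return [h for h, n in coverage(cert_names, hostnames).items() if n is None]


# Constructed inputs using the post's placeholder domains.
SITE_HOSTS = ["domain.com", "www.domain.com", "blog.domain.com",
              "shop.blog.domain.com", "www.domain.co.uk"]
WILDCARD_ONLY = ["*.domain.com"]
WILDCARD_PLUS_APEX = ["domain.com", "*.domain.com"]

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_ONLY),
                         ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(label, "->", uncovered(names, SITE_HOSTS))
```

Run it with the names listed on a certificate quote and your real hostnames: anything returned by `uncovered` needs its own certificate or an extra name on this one, as with the second domain (domain.co.uk) in the earlier example.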
Choosing Between a Free or Paid For SSL Certificate
Both paid and free SSLs are used to secure your site and protect your visitors – and to that end, they are exactly the same.
However, as a rule of thumb, if you purchase an SSL certificate, you’ll have better liability protection than you would if you were to use a free SSL. If this is important to your business you may want to investigate further and compare paid versions with free ones.
If you have a straightforward brochure website and don’t collect more information than names and email addresses, the free option should suffice, as it’s secure and convenient. The main free provider is called Let’s Encrypt (WordPress recommends them). Other providers have picked up on SSL too, and the certificates can generally be installed on any server.
For more sensitive websites, such as a lawyer’s site or an e-commerce site, it’s better to go for a paid SSL certificate such as RapidSSL.
We strongly recommend securing your website for three years, the longest available validity period for the certificate, as this is the most cost-effective option.
You also need to factor in any potential costs of implementing the HTTP to HTTPS migration. Avoid paying extortionate development costs for something that should be relatively simple to implement, especially if you are using a CMS like WordPress. Migrations for a custom built CMS may be more time-consuming and therefore more expensive.
Why Is It Important to Migrate My Site to HTTPS?
Essentially, if you don’t have the certificate, a notification saying “not secure” will appear in the top left of the browser bar whenever a user is on a page that contains a form. As you can imagine, this could have a detrimental effect on your conversion rate, as people won’t see your site as trustworthy.
From a user’s point of view, an HTTPS update is important as it provides security and privacy when they are interacting with your website.
For website owners, HTTPS has a few advantages:
- Security, which allows you to process sensitive information such as payments
- Could contribute to improved rankings in Google results pages
- Adding greater credibility to your website, increasing visitor trust, which could have a positive impact on conversion rates
At this point, if your site is not HTTPS, you’re going to want to get it sorted ASAP. Get in touch with your developer and discuss the options with them. You may also want to familiarise yourself with the HTTP to HTTPS website migration process.
Still unsure on what SSL certificate you need, or the process of migrating your site from HTTP to HTTPS? Get in touch with us and our in-house web development experts can help.