In October 2017 (Chrome 62), Google Chrome started labelling HTTP pages “Not secure” in the address bar whenever the user types into a form field, and on every HTTP page in Incognito mode. Conversely, if the website you are visiting uses HTTPS with a valid certificate, a green locked padlock is shown to your visitors. This is drawing more and more attention to the websites that do not use HTTPS and are potentially insecure, and it makes Google's vision of the future of the Internet clear: it should be secure, with all sites served over HTTPS.
But what is the reason for this change?
The rationale is simple. For websites served over HTTP, all the data exchanged between the server and the user travels in the clear. Anyone able to snoop on the traffic (on the same Wi-Fi network, at the ISP, or anywhere along the path) can read passwords or other sensitive information.
HTTPS, or HTTP with an “S” appended for Secure, is HTTP carried over TLS (Transport Layer Security), which protects your data every time you browse the Internet. When you visit an HTTPS website, the browser and the web server first run a cryptographic key exchange (in modern TLS an ephemeral Diffie-Hellman exchange) and derive session keys known only to the two of them; everything sent afterwards is encrypted under those keys. An eavesdropper who records the traffic sees only ciphertext and cannot recover the information.
However, HTTPS does a lot more than encryption. It also enables websites to prove their identity. To achieve this, they rely on a trusted third party, a certificate authority (CA), that vouches for them by issuing a “certificate”. A certificate is not a key itself: it binds the site's public key to its domain name and carries the CA's digital signature over that binding, which, at least in theory, cannot be forged without the CA's private signing key. Your browser ships with the list of CAs it trusts and checks the signature and the name on every connection. Thus, when your browser says you are visiting https://www.google.com, it means the server proved possession of the key named in a certificate issued for that domain, so you are truly on Google's site and not on an impostor's.
Even more, HTTPS prevents anyone in the middle from tampering with the traffic: any modification is detected and the connection fails rather than delivering altered data. (It cannot stop a network from blocking the connection outright; it only guarantees that whatever gets through is what the server sent.) A common example of tampering is ISPs injecting ads into the pages they relay. With HTTPS, this is no longer possible.
As mentioned above, HTTPS means better overall security. It is not only about encryption: it also allows websites to prove their identity and prevents third parties from tampering with the traffic. It is designed to offer confidentiality, integrity, and identity (authentication of the server).
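As an added example (not code from the original article), here is a toy, standard-library Python model of the three guarantees just described. It assumes a small Diffie-Hellman group (modulus 2**127 - 1, chosen so the numbers stay readable), a Schnorr-style signature standing in for the RSA or ECDSA signatures found in real certificates, a MAC-only record layer, and a constructed hostname example.test; none of this is TLS and none of it should be reused in production. It shows an honest handshake in which both sides derive the same key, a man-in-the-middle who swaps in his own key-exchange value and succeeds when the client merely encrypts, the same attack rejected once the client checks the certificate and the signed handshake, and a record whose tampering is detected.

```python
# Added example (not the article's code): a toy model of the three guarantees
# described above and of why encryption without authentication is not enough.
# Standard library only. The group, signature scheme and record format are
# simplified stand-ins chosen for readability, not TLS; never use in production.
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy Diffie-Hellman modulus (a Mersenne prime); TLS uses X25519 etc.
G = 5
Q = P - 1       # exponents are reduced modulo P-1 (Fermat's little theorem)

def rand_exp() -> int:
    return secrets.randbelow(Q - 2) + 2

def b16(n: int) -> bytes:
    return n.to_bytes(16, "big")  # every group element here is below 2**127

def h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def keygen():
    """Identity key pair: private exponent x, public value G**x mod P."""
    x = rand_exp()
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    """Schnorr-style signature: only the holder of x can produce a valid (e, s)."""
    k = rand_exp()
    e = h(b16(pow(G, k, P)), msg)
    return e, (k - x * e) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P  # equals G**k iff the signature is genuine
    return h(b16(r), msg) == e

def issue_cert(ca_priv: int, domain: bytes, site_pub: int) -> dict:
    """The CA vouches that this public key belongs to this domain name."""
    return {"domain": domain, "pub": site_pub,
            "sig": sign(ca_priv, domain + b"\0" + b16(site_pub))}

def cert_ok(ca_pub: int, cert: dict, hostname: bytes) -> bool:
    """Browser side: the name matches and a CA the browser trusts signed it."""
    body = cert["domain"] + b"\0" + b16(cert["pub"])
    return cert["domain"] == hostname and verify(ca_pub, body, cert["sig"])

def session_key(shared: int) -> bytes:
    return hashlib.sha256(b16(shared)).digest()

def client_finish(hello: dict, a: int, ca_pub=None, hostname=None):
    """Derive the session key; if ca_pub is given, authenticate the server
    first and return None when the certificate or handshake signature is bad."""
    if ca_pub is not None:
        if not cert_ok(ca_pub, hello["cert"], hostname):
            return None
        if not verify(hello["cert"]["pub"], b16(hello["dh"]), hello["sig"]):
            return None
    return session_key(pow(hello["dh"], a, P))

def connect(authenticate: bool, mitm: bool):
    """Simulate one visit to example.test (a constructed hostname). Returns
    (client_key, server_key, attacker_key); client_key is None if rejected."""
    host = b"example.test"
    ca_priv, ca_pub = keygen()        # ca_pub is what ships inside the browser
    site_priv, site_pub = keygen()
    cert = issue_cert(ca_priv, host, site_pub)
    a, b = rand_exp(), rand_exp()     # ephemeral DH exponents, client and server
    hello = {"cert": cert, "dh": pow(G, b, P), "sig": sign(site_priv, b16(pow(G, b, P)))}
    attacker_key = None
    if mitm:                          # attacker swaps in its own DH value; it cannot
        m = rand_exp()                # re-sign it without site_priv
        hello = dict(hello, dh=pow(G, m, P))
        attacker_key = session_key(pow(pow(G, a, P), m, P))
    client_key = client_finish(hello, a, ca_pub if authenticate else None, host)
    server_key = session_key(pow(pow(G, a, P), b, P))
    return client_key, server_key, attacker_key

def protect(key: bytes, data: bytes) -> bytes:
    """Integrity for application data: HMAC tag || data. Encryption is left
    out to keep this short; real TLS uses an AEAD cipher that does both."""
    return hmac.new(key, data, hashlib.sha256).digest() + data

def unprotect(key: bytes, record: bytes):
    """Return the data, or None if any byte of the record was altered."""
    tag, data = record[:32], record[32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    c, s, _ = connect(authenticate=True, mitm=False)
    print("honest handshake, both sides hold the same key:", c == s)
    c, _, atk = connect(authenticate=False, mitm=True)
    print("encryption only, attacker holds the client's key:", c == atk)
    c, _, _ = connect(authenticate=True, mitm=True)
    print("with certificate check, the tampered handshake is rejected:", c is None)
```

Run it directly to see the three handshake outcomes. The point of the second run is the one the text makes: a key exchange alone gives you a key shared with whoever answered, and only the certificate check (a trusted CA's signature over the domain and key, plus the server's signature over its handshake value) tells the browser that the answer came from the real site. `protect` and `unprotect` model the last guarantee: flipping any byte of a record makes `unprotect` return None instead of altered data.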
Another, less obvious aspect is that HTTPS is a ranking signal in Google’s search algorithm:
“We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging.
For these reasons, over the past few months, we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now, it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
This was back in 2014. Since then, several studies have found that Google has indeed moved along this path and that HTTPS correlates with higher rankings:
Unfortunately, there are several challenges when implementing HTTPS:
Let’s see how you can protect your website using HTTPS.
There are three main methods to get your website protected with HTTPS:
The first is the traditional route: you purchase an SSL/TLS certificate from a certificate authority (CA). On your server you generate a private key and a certificate signing request (CSR) containing your domain name and public key, submit the CSR to the CA, complete its validation (at minimum proving that you control the domain), and then install the issued certificate, together with the CA's intermediate chain, on your web server and redirect HTTP traffic to HTTPS. We strongly advise you to back up your content and configuration before making any changes.
A purchased certificate gives you the most options: organization or extended validation, wildcard certificates that cover all your subdomains, validity periods longer than Let's Encrypt's 90 days, and vendor support; cryptographically, though, it is no stronger than a free one. The downsides are the cost of the certificate and of the developers who will modify the website, and the implementation time, which can be quite long.
The second is Let’s Encrypt, a free, automated certificate authority created to promote encryption across the web. Let’s Encrypt certificates share most of the characteristics of the traditional ones, with a few differences:
The third is to put your website behind Cloudflare. It is an interesting and easy to use alternative that removes the difficulty of installing a certificate on your own server: Cloudflare serves a cached copy of your website from its edge servers and terminates the HTTPS connection with its own certificates. To make it work, you point your DNS records at Cloudflare's IP addresses. One caveat to be aware of: in Cloudflare's “Flexible” SSL mode the connection between Cloudflare and your origin server stays plain HTTP, so visitors see a padlock while the second leg is unencrypted; choose “Full (strict)” and install a certificate on the origin as well. Cloudflare offers several pricing plans, and the level of security and support you get depends on how much you pay. For basic personal pages you can use the free version, but for anything else we advise you to go with one of the paid plans. We should also note that in February 2017 a memory-leak bug in Cloudflare's edge servers (“Cloudbleed”) exposed fragments of other customers' traffic, including personal information. The issue was fixed and additional security measures were taken, but we think you should be aware of it.
When it comes to the question of whether you should use HTTPS for your website, the answer is simple: YES. As we have seen, it improves your website’s overall security and even your SEO ranking. If we go further and ask which service is best, the answer is not so simple; it really depends on the website. For a very simple website you can choose Cloudflare, but if you run an e-commerce website, for example, we strongly advise using Let’s Encrypt or, even better, a dedicated certificate from a commercial CA.
We would like to hear back from you! If you have already protected your website with HTTPS, we will be happy to hear how it works for you. If you plan to implement it in the future, we would also love to hear which method you will choose.