Should I secure my website with HTTPS?


In this article we will look at what HTTPS means and why your website should be secured using the protocol.

What is HTTPS?

HTTPS stands for ‘HyperText Transfer Protocol Secure’. You may have noticed that when navigating websites you will see this protocol (https) and its non-secure variant (http) at the beginning of the website address bar in your browser window. The HTTPS version is identified (in most browsers) by a green padlock.

HTTPS

HTTP

When a website is served over HTTPS then it provides a two way encrypted connection between the website being displayed on your computer and the server that the website is being hosted upon. Once your browser has connected to the server then a communication between the browser and the server takes place. If this is authenticated then the data passed between your browser and the server will be encrypted with your browser decrypting the data. With the secure connection established, this now guards against any interception of this website-server communication for dishonourable intentions, such as tampering of submitted data or mimicking the website to hijack the data that has just been passed.

A simple example of this communication would be an online form that is filled in on a website. Once this form has been submitted, the data sent to and from the server is encrypted and cannot be intercepted.

Should my website be HTTPS?

Up until recent years the main utilisation of HTTPS was securing ecommerce websites where payment checkouts are used and user data is collected. There is now a movement by companies such as Google and Mozilla to enforce HTTPS across the web, meaning that all websites, no matter their purpose, should be fully encrypted.

If your website is not HTTPS and the nature of the site is a simple brochure website, then don’t panic! As long as users of your website are not logging in to a restricted area or purchasing products through the website then there is no immediate urgency to make sure the website is on HTTPS, although the switch should be a consideration sooner rather than later. If the website does have a restricted account area and/or you do take payments through the website then as soon as possible you should consider the switch to HTTPS.

Reasons for HTTPS switch

Protection of user data

An obvious reason for making sure your website is HTTPS is the protection of the data of users that interact with your website. When online forms such as register, login and contact forms are submitted you are ensuring the data sent to and the data received back from the web server is encrypted and cannot be compromised.

User Trust

A user seeing that your website has the green HTTPS identifier will far more likely trust using the website and all it’s features than one that isn’t HTTPS.

Even for simple information-based websites it shows the user that you care about the integrity of the data being served on the website. The reinforcement you are projecting to the user is that the online arm of your business is trustworthy and authentic.

For ecommerce or websites that store user data and take payments, the need for user trust and protection of data is obvious and essential. From a business point of view the likelihood is that as an ecommerce website owner you will be missing out on sales and sign ups from users who are deterred from entering sensitive information on a website that is not secure.

Browser warnings

As of January this year both Google Chrome and Mozilla Firefox have rolled out updates that begin to highlight if a website is not HTTPS. Firefox (as of version 52) highlight pages that contain potential vulnerable forms such as login forms.

Image from https://blog.mozilla.org/blog/2017/01/24/gets-better-video-gaming-non-secure-web-warning/

Google Chrome (as of version 56) also marks pages that collect certain types of sensitive data such as passwords and payment information, with a clear indication that these pages are not secure.

Image from https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Not only this but Google plan to go one step further with Chrome in a future release and mark any pages that are HTTP with the following indicator.

Image from https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

As Chrome and Firefox currently have around 70% of the browser market share then these indicators will be seen by many.

Google ranking indicators

Reinforcing Google’s vision of a secure web, since 2014 they have indicated that a website that has adopted HTTPS will benefit from a positive ranking signal over those that don’t. Which means that your secure website will potentially take precedence over a non-secure website in the natural ranking positions.

Additionally, the search results for a website that is HTTPS will have the URL displayed with the https:// prefixed at the front of the URL (see example below).

A ‘security aware’ user will be more inclined to interact with a website that is secured this way than those that are not.

It is important to note that although Google use HTTPS as a ranking indicator, this is only one ranking signal out of hundreds that make up Google’s search algorithm. So a website being HTTPS won’t determine whether you appear on page 1 or page 10 of the search results (there will be other factors). But it will help and it does show that the biggest player is taking the HTTPS issue seriously with the ranking indicators and the recent update to Chrome.

If you want to discuss moving your website to HTTPS then get in contact with us using our contact page or call us on 01785 250222.