What is https
and why do we need it?
For years HTTPS has been a must-have for e-commerce and data-sensitive websites, while other sites have mostly been able to get by without the need for increased security. That’s all about to change, however: starting in October 2017, Google will show non HTTPS sites as non-secure. The Chrome browser will also start showing warnings for HTTP sites. While switching over to HTTPS won’t be required, not making the switch could mean significantly less viewer traffic, a decline in reputation and a negative impact on a site’s SEO.
Step Back – What is HTTPS?
HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Protocol Secure) are both languages for exchanging information between web servers and clients or users. HTTPS is a secure data connection, while HTTP data is transferred unencrypted, making it more susceptible to interception. With HTTP, unauthorized parties can observe and collect data between your device and the sites you are visiting. This isn’t great for users who expect a secure and private online experience when using a website. It’s good news that Google is taking the steps to ensure user privacy, and penalizing the sites using HTTP connections.
In fact, there have been rules put in place to enforce privacy standards called the PCI compliance laws. The Payment Card Industry Security Standards Council (PCI SSC) is a council dedicated to creating a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. PCI Compliance Laws prohibit any website from accepting sensitive data to process online orders without HTTPS in place. You could say that Google is just extending the rules of the PCI to all sites, whether they handle sensitive information or not.
Importance of Protection
Even if your site doesn’t handle sensitive communications, you should still protect all of your site with HTTPS. HTTPS helps prevent intruders, including malevolent attackers and intrusive companies, from tampering with the activity between websites and the users’ browsers. Even website hosts themselves can take user information from HTTP sites to to inject ads into pages. For example, say you’re browsing for shoes on a department store site. That department store can take your confidential private session data in the form of cookies and give it to other sites, who then create ads of those same shoes you were looking at on all other sites you visit on the web. Using HTTPS ensures users a safe web experience and can help businesses gain the trust of their users.
The first step towards HTTPS, is to obtain a SSL certificate. SSL stands for Secure Socket Layer which establishes an encrypted link between a web server and a browser. This ensures all the data between web servers and browsers remains private. The certificate is like an ID card for your site, and uses a password to prove that your website is in fact your website. When users visit your site, that certificate is checked by the browser to make sure it is valid. Once verified, the SSL certificate protects everything flowing in and out of your site.
Once you have purchased an SSL, a Certificate Signing Request (CSR) needs to be generated to activate the certificate and prepare it for installation on your server. Following the certificate activation, the SSL will need to be installed on the server. Depending on your host, all of this can be done in a fairly automated fashion or a developer will need to handle these steps for you. Once the certificate is installed, your website needs to be configured to direct all requests over HTTPS instead of HTTP.
Google’s decision to flag HTTP sites as insecure is a positive step forward in a changing world of web security and the protection of private information. Web developers who are hesitant to make the change to HTTPS are endangering their users along with the reputation of their website. Now that Google has started to flag insecure sites, it’s time to future proof your business and make the switch to HTTPS. Your users and your business will thank you.
Also published on Medium.