We have recently started to encourage many of our website design clients to utilise an HTTPS connection on their new website projects. You’re probably somewhat familiar with secure certificates and HTTPS and might be wondering if your website needs a secure certificate.
Maybe you have a simple information website and think that a secure certificate is overkill for your website. Fair enough – for many years there was no reason to have a secure certificate on a website that did not send or receive financial or personal information. This blog post will help you understand why we are now recommending that all clients – regardless of the type of business they’re in – get secure certificates for their website.
An overview of HTTPS and secure certificates
HTTPS stands for Hypertext Transfer Protocol Secure and, as the name implies, refers to a connection that offers an added layer of security. An HTTPS connection is formed by layering the Hypertext Transfer Protocol on top of the SSL/TLS protocol, thereby enhancing the security abilities of the communications sent out by the website.
It’s important to encrypt private user information because it typically hops through dozens of servers and networks before reaching its final destination. At any point, your customers’ information could be intercepted and used maliciously. Secure connections protect against this by encrypting data before it leaves your website and decrypting it when it arrives at its destination.
Historically, HTTPS connections were associated with eCommerce websites, email platforms and websites that conducted sensitive transactions. In the last several years, however, the use of HTTPS has become prevalent across a wide variety of websites to protect page authenticity, secure accounts and keep user information private.
A secure connection is created through the use of a third party Secure Sockets Layer (SSL) Certificate. The certificate provides an independent verification that you are who you say you are and, at a very basic level, says that the site can be trusted. If you would like to learn more about the complexities of how an SSL Connection is established, refer to this blog: http://robertheaton.com/2014/03/27/how-does-https-actually-work/
How to tell if a website is using a secure certificate
You can quickly determine if a website is using a secure connection by looking for the following indicators:
- The presence of https before the URL (rather than simply http)
- The presence of a closed lock icon in the URL bar
You can see both of these on our website, which uses HTTPs (shown in IE):
What sites need secure certificates?
Until recently, this was a very straightforward question to answer. There are certain types of websites that need to use HTTPS to ensure that their customers’ data remains protected. A website needs an SSL certificate if it:
- Processes financial information, including any type of online store
- Accepts any type of payment (credit card, PayPal, etc.)
- Has any type of account login (username and password) that allows access to restricted information
- Transfers or stores any type of sensitive data (identification numbers, birth dates, addresses, license numbers, etc.)
- Works with any type of medical information
- Is transmitting any other type of private data (legal, confidential, proprietary, etc.)
While this list would cover a large number of websites out there today, there are also many websites that don’t do any of these things. Think of a website that simply promotes a company’s services, for example a website for a restaurant that contains beautiful photos of food, current menus and contact details. Traditionally, we would not have recommended that this type of website obtain an SSL certificate. But due to recent changes in how search engines are viewing HTTPS websites, we are changing our stance.
Secure certificates and web rankings
You might be wondering now what secure certificates have to do with web rankings. To understand this, you must first understand that Google is very focused on improving the safety, quality and usability of the internet as a whole. To do this, they choose to reward certain actions and behaviours via elevated web rankings. For example, websites with spammy or duplicate content are demoted in search results, while websites with unique, relevant content are rewarded with elevated search rankings.
Similarly, Google have decided that websites with HTTPS connections are safer and more secure than those without and that these sites will be given a slight preference in search results. Google have emphasised that, at this point, HTTPS is a weak signal and not nearly as important as having good content and user flows; however, we’re in the early days and there is no way of telling how important this could become in the future.
We also believe that a safer, more secure internet is better for everyone. We pride ourselves on staying informed about the latest trends in both web rankings and internet security. With this in mind, we feel it’s important to advise our clients to consider using a secure connection on their website.
How and when to get a secure certificate for your website
When to make the move to HTTPS
If you’re in the processes of building or redesigning your website, we strongly encourage you to consider launching your new site with a secure certificate. While it’s possible to move to HTTPS later on, additional work will need to be done to ensure a smooth transition. URLs will need to be redirected from HTTP to HTTPS, which will cost you more money and potentially impact your search rankings for a period of time.
If you have an existing website that transmits data via HTTP, then you might be wondering if you need HTTPS right away. In addition to an annual fee for an SSL certificate, you’ll need to take into consideration upfront costs to redirect URLs from the HTTP site. In many cases, we think the long term payoff will be worthwhile. If this is something you’re thinking about, we encourage you to get in touch with us. We’ll help you determine if it’s worthwhile to make the change now or if you’re better off waiting a bit longer.
How to get a secure certificate
This is an easy one – just talk to us! We’re happy to help you purchase and install an SSL certificate on your website, either as part of a new build or on an existing website that we host. We’ll help you understand the process and the best way to make the transition.
Costs
We currently charge a nominal $270+GST/year fee for purchase/renewal and installation of SSL certificates. There is no additional cost on our side to set up an HTTPS connection for you for a new website build. We can implement secure certificates on an existing site, but as mentioned previously, additional fees would apply to cover the time required to research, implement and test redirects from HTTP to HTTPs. At that price, we think the move to a secure website is not only affordable but advisable and we expect to see early adopter advantage as this particular ranking signal gains more importance with the major Search Engines.
The future of HTTPS
We’re very interested to see how HTTPS will continue to contribute to a safer online community and influence web rankings. We envisage a future Internet where all Internet connections will be secure. It’s a bit like locking your house when you go out – you don’t have to do it but it gives you a lot more peace of mind knowing your house is secure! As with any other change in the online ecosystem, we’ll have our ear to the ground and pay close attention to how this unfolds so we can keep you informed. In the meantime, we encourage you to reach out if you’d like to discuss implementing HTTPS on your website.
UPDATE -JANUARY 2016:
Google have continued with their drive to make the internet a safer place by considering the use of HTTPS on a website as a ranking signal. They announced in December 2015 that they are adjusting their indexing system to look for even more HTTPS pages and giving preference to these pages in their index. At the Google Developer conference in 2014 they also focussed on convincing web developers to convert to using HTTPS on all web builds. And last year there was a proposal put forward by Chrome developers (that is the developers behind Google’s own web browser) to mark all non HTTPS sites as ‘non-secure’ in their search results. We believe this will have a huge impact on user behaviour as the idea of visiting a non-secure site becomes less and less desirable. Yet more reasons to make your whole site secure with the purchase and installation of a secure certificate.
UPDATE – September 2016:
Google has announced their plan to indicate connection security with an icon in the Chrome address bar commencing January 2017. Initially they’ll only mark HTTP (non secure) pages that collect passwords or credit cards as non-secure, but the long-term plan is to mark all HTTP sites as non-secure.
Interestingly, Firefox have also started indicating non-secure connection, for all HTTP pages, in their browser address bar too.
UPDATE – January 2017:
It appears that Google have begun to make changes and are now showing sites that ARE secure with a green secure label in the Chrome browser: