That little lock in the address bar—you’ve seen it. Maybe you even know to look for it when you go to your bank’s website or you enter your credit card information. That little lock means the website you are visiting is secure. It means that the data going from your browser to the webserver on the other side can’t be intercepted and read by anybody else. It’s a big deal.
If a site doesn’t have that little lock, it’s running over something called hypertext transfer protocol, or HTTP for short. HTTP is the way pages get from the Internet to your browser. If a site does have that little lock, tack on an “S” for secure at the end: it’s running over HTTPS.
It’s been widely accepted that HTTP is OK for most sites. Unless a site is directly involved in banking or e-commerce, it doesn’t need the security of HTTPS.
That’s no longer true. HTTPS has benefits for every website, and it’s about time to start thinking about whether your site should go secure.
New Web Features
One of the underlying technologies of the web, HTTP/1, hasn’t changed since 1999—but it’s changing now. Websites that use HTTP/2, which is essentially approved, will be faster and more efficient.
But if you want your website to get the speed and efficiency boost of HTTP/2, you’ll need to be running HTTPS—because HTTP/2 requires HTTPS.
And HTTP/2 isn’t the only new web feature requiring the use of HTTPS. Service Worker, an oddly named new standard that will enable push notifications for the web, also requires the page to be loaded with HTTPS in order to work.
These aren’t isolated features. In the future, we’ll see more and more web features requiring the use of HTTPS, especially since major internet standards bodies (e.g., W3C, IETF) are now actively preferring secure communication.
ISPs and Cellphone Companies
In the security community, there’s an attack known as “Man in the Middle.” It refers to an entity between your customer and you that is watching what your users send to you or actively altering what you’re sending to your customer.
This is traditionally considered to be a malicious entity: for example, a hacker who is stealing credit card numbers sent over HTTP (which is why e-commerce websites need to use HTTPS, by the way).
But recently, it’s come to light that less malicious entities like ISPs and cellphone companies are using this attack for their own purposes. For example, Comcast has started using its position in between customers and websites to show advertisements on pages they have no affiliation with.
Similarly, Verizon has started using its trusted position between users and websites to track users, regardless of whether the websites want to track the users or not.
While these Man-in-the-Middle attacks aren’t malicious, the only way to ensure your users aren’t getting bombarded by ads on your website that you haven’t added, and are getting the amount of privacy they expect, is to use HTTPS to prevent these Man-in-the-Middle changes.
Search Engine Optimization
Many factors go into how well a website ranks on search engines like Google. This past year, Google has said that one of those factors is whether a site uses HTTPS, and using HTTPS will give your site a small boost.
There are a lot of factors that go into a page rank, and it’s unclear how much of a difference this makes now or will make in the future. But if Google says it makes a difference, then it certainly doesn’t hurt.
The little lock
Users are trained to look for the little lock icon on their browsers when they log into websites or do e-commerce. When they see a red lock, they think that something might be fishy.
HTTP without HTTPS offers no security. Anything theoretically could happen – remember those men-in-the-middle from earlier? It’s for this reason that Google Chrome is considering marking HTTP sites as insecure with a broken or red lock. It wouldn’t happen immediately, but Chrome is thinking about phasing it in slowly.
So while this isn’t a pressing issue and isn’t even approved yet for the Chrome browser, in the future you may need to use HTTPS to avoid the loss of trust caused by a broken or red lock. But before that happens, going secure means you can use that little lock next to your URL as a trust signal for your customers.
One of the main deterrents to using HTTPS on websites is the cost. Every year or two, websites that want to keep using HTTPS have to buy a new certificate for prices ranging up to hundreds of dollars a year.
But recently, the Electronic Frontier Foundation, Mozilla, and a few other companies decided to get rid of that cost. Starting later in 2015, they will be launching Let’s Encrypt to provide free SSL certificates to websites. There’s no catch; they just want to encourage websites to switch from HTTP to HTTPS.
Making the switch
If you or your website provider are going to make the switch to HTTPS, there are some things to watch out for.
- Don’t go cheap – Until Let’s Encrypt launches free SSL certificates, you may be tempted to buy the cheapest one you can find. In some cases, this isn’t a good idea. Some certificate resellers will show a green or gray lock in some browsers, but scary red “This site may be hijacked!” warnings in others. Use a trusted certificate seller so you don’t scare your customers.
- Redirects – While there may be an SEO boost for switching to HTTPS, that benefit is completely lost if you don’t have a redirect plan in place. All of the links to your site out on the internet will still be pointing to your HTTP site, so you need to properly redirect to the corresponding HTTPS page.
- Non-Secure Assets – When your pages are HTTPS, many browsers will not load assets that are served via HTTP. So make sure your YouTube embeds, Facebook share buttons, images, and your Google Analytics code are also all served via HTTPS. If you don’t, you may scare off users that see a “some items are unsecure” warning instead of that coveted lock.
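One way to catch the non-secure assets described above before your users do is to scan each page's HTML for subresources that still point at http:// URLs. The script below is an added example, not code from the original article; the tag list, the function name find_mixed_content and the sample page are assumptions made for illustration, and it does not cover srcset attributes or url() references inside CSS.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes the browser fetch a subresource.
# <a href> is navigation, not a subresource, so "a" is deliberately absent.
SUBRESOURCE_ATTR = {"script": "src", "iframe": "src", "img": "src", "video": "src",
                    "audio": "src", "source": "src", "embed": "src", "object": "data"}
# <link href> is only fetched for some rel values (not for rel="canonical").
LOADING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentScanner(HTMLParser):
    """Collects subresources an HTTPS page would request over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            attr = "href" if rels & LOADING_RELS else None
        else:
            attr = SUBRESOURCE_ATTR.get(tag)
        url = attrs.get(attr, "").strip() if attr else ""
        # Only an explicit http:// scheme is flagged; relative and
        # protocol-relative (//host/path) URLs inherit the page's https.
        if urlparse(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html):
    """Return [(line, tag, url)] for every http:// subresource in html."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/page">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//www.google-analytics.com/analytics.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> loads {url} over plain HTTP")
```

On the sample page only the stylesheet and the video embed are reported; the canonical link and the ordinary hyperlink are left alone because the browser does not load them as part of the page.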
But if you do it right, the benefits could start to grow for your site in the future.