Switch to HTTPS: Why Now Is the Time to Sort It Out
Security is a big concern for web users. And it’s no surprise what with all the data leaks and phishing attacks reported in the news every week.
After all, if huge corporations like HBO can get hacked, what hope is there for small businesses like yours?
(And don’t assume that because you run a small business you’ll be a less tempting target for criminals. There is plenty of money to be made from targeting businesses just like yours.)
One way to make your website more secure for your users is to get an SSL certificate. If your website is currently on an HTTP domain, getting an SSL certificate will turn it into an HTTPS (Hypertext Transfer Protocol Secure) domain.
An HTTPS domain is not only more secure (see later on to find out why), but it also gives your users peace of mind – and that’s great for your branding.
But now there are other reasons to make the switch ASAP – one of which will start to affect websites very shortly.
Google’s Drive to Make the Web Secure
Not so long ago, the only sites with SSL were banks and other big websites where personal information and passwords were required. However, Google has long been pushing for more secure websites, and now the general idea is to get every website onto HTTPS.
Google has been cracking down on insecure websites for a while, but it’s been ratcheting up the pressure in recent years.
From the start of 2017, any websites that ask for financial details or transmit passwords have been highlighted as insecure on the Chrome web browser if they still use HTTP (see reports here).
So if you do not use a security certificate but you ask for any passwords or financial details, you get a big red exclamation mark and a ‘Not Secure’ warning right at the beginning of your address.
But if that wasn’t enough of a warning for you, now Google is taking it further. From October 2017 onwards, it is cracking down even harder – and you need to be ready.
Chrome 62 Will Highlight More Websites as Insecure
From October this year, Google’s Chrome version 62 will add a ‘Not Secure’ warning to any web page that runs over HTTP and contains a search box or form, as reported here.
That’s right. Not a web page that asks for a password or personal data, but any type of form that asks for any type of data.
As soon as the visitor starts entering information in the form, an exclamation mark and the words ‘Not Secure’ will appear in the address bar before the URL.
In addition, Chrome 62 will also flash up the same warning for any HTTP page that is visited in Incognito mode.
As you can imagine, many more websites will be affected by this change. There are plenty of web pages that contain a search box, so this could be a game-changer
The effect on users is clear. They might very well think that your website has been hacked or compromised, or that it has security failings – even if this is not the case.
Users Can Now Verify Your SSL Certificate with Ease
Google is also making it easier for users to verify an SSL certificate for any website. In Chrome 62, users can now enable a new feature (it will probably become the default soon) that allows them to click the SSL icon right next to the URL at the start of the navigation bar and immediately see if it is valid.
They can then open a page to find out more details such as the issue date and the period of validity.
Why Is Google So Keen on HTTPS?
Google likes HTTPS because it provides better security, which gives your users better protection.
On HTTP, a person on the same network might view the traffic or modify it – which is called a ‘man-in-the-middle’ attack.
Google’s position is that when users enter data into a website, that data should not be accessible to other people.
HTTPS offers three key layers of protection:
- Encryption – the data being exchanged is encrypted to prevent anyone stealing it or listening in.
- Data integrity – data is not corrupted or changed during transfer without being detected.
- Authentication – prevents man-in-the-middle attacks.
SSL is the protocol used by HTTPS, but there are different types of SSL certificates. These include Domain Validation, which is the most basic, Organization Validation, which is the mid-level option, and Extended Validation, which is the most secure.
Is HTTPS fool proof? No. You could still suffer from a DDoS attack or another type of attack. However, it provides a lot more protection than standard HTTP, and that’s why Google is pushing for all websites to switch.
What to Do Right Now
If you run a website for your business, now is the time to get an SSL certificate – even if you don’t have any forms on your website.
The fact is this: even if the new changes will not affect your website, Google has made it very clear that it wants all websites to change to HTTPS in the future. It’s easy to see that the Chrome browser will probably start highlighting any HTTP website as not secure in the near future, and you don’t want your website to be affected.
So by not changing to HTTPS now, you will only be putting it off until further down the road.
To make the switch, start by visiting your hosting provider and find out about how you can set up SSL. While you can buy an SSL certificate in many places, it’s best to go with your hosting company.
Sometimes SSL is free, but sometimes you will have to pay. Some hosts also make it very easy to set it up, making this the most convenient option.
Alternatively, you could do it all manually yourself. However, you will want someone to do it who really knows what they are doing (i.e. your developer).
We won’t go into the detailed process here because it is quite complex. However, this Search Engine Land article provides a detailed resource on the complete process.
SEO Benefits: Another Reason to Switch
The main reason to change to HTTPS is because of the Chrome issue already highlighted. But there are other good reasons to get an SSL certificate.
Google confirmed way back in 2014 that it was a ranking factor, meaning HTTPS websites can get a small ranking boost (this may or may not be larger now).
This Search Engine Land article from 2014 provides details of the ranking boost. Even though it may be very minor, it is still worth doing because it could boost visitor numbers to your site by hundreds or thousands.
It could also become more relevant to rankings if Google decides to really push it – and when Google recommends something, you can’t lose out by doing it.
Switch to a More Secure Website ASAP
It might seem like a lot of information to take in, but the basic conclusion of all this is simple: switch to HTTPS as soon as you can.
If you don’t switch before October, you’ll start showing up as not secure on any web pages where the user enters data.
Google has made it very clear that it intends to highlight all HTTP websites as less secure, so you’re going to have to do it soon anyway.
And remember the small ranking boost – depending on your traffic levels, that could translate into a lot of extra visitors, which means more business for you.
So, check out your hosting provider and find out what they suggest, then make switching to HTTPS a priority this autumn.