Should my website be on HTTPS? (Tip: the answer is yes)
What is HTTPS, and why do I need it? To find out if your website should be using a secure protocol to limit the chance of data theft, read on...
Recently, Google has announced that newer versions of Chrome will soon label any HTTP pages that collect passwords or credit card info as 'insecure'. The news probably won't have registered with most people, but it’s just the latest move by Google to make the web more secure by encouraging the use of HTTPS as the standard protocol for web traffic.
For many people, though, the question is not so much ‘should I use HTTPS?’ as ‘what is HTTPS?’, so here’s a quick intro and some thoughts on why pretty much all websites should now run on HTTPS.
What is HTTPS?
Short version – it’s encrypted comms for websites. It makes it much harder for anyone snooping on the connection to make off with your data.
Longer version: Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent when a user views a website. The key thing is the ‘S’ at the end, standing for secure: with HTTPS, all communication between your browser and the website is encrypted, and the browser checks the site’s certificate to confirm it is talking to the genuine site rather than an impostor. With HTTP you get neither. That means anyone able to intercept the traffic between your browser and the server (on public Wi-Fi, at an ISP, or anywhere in between) can read any data being transmitted, potentially including passwords and credit card details, and can alter the pages sent back to you.
How do I know if HTTPS is being used?
Most web browsers will show whether the connection to a site is using HTTPS. In addition to the address bar showing https://www.thesite.com, you will see a padlock icon which indicates an encrypted connection. Bear in mind what the padlock does and doesn’t mean: it tells you the connection is encrypted and that the certificate was issued for that domain name. It says nothing about whether the people running the site are honest; a phishing site can show a perfectly valid padlock.
Why should I use it for my website?
Well, if you’re sending any information you wouldn’t want a third party to get their hands on, HTTPS makes sense. It’s not true to say that you only need HTTPS if users are submitting credit card details to your site (although you definitely need it then, and you should never put your own credit card details into a site that isn’t secured using HTTPS). Any website that has passwords or personal information submitted to it should run on HTTPS. A good example is your Content Management System, or CMS. Many sites nowadays have a CMS that runs on the same domain as the website, so you might log in to edit your site at www.yoursite.com/cms or www.yoursite.com/wp-admin. Into that login page you put the password that enables you to edit your public-facing website, and once you are logged in, your browser sends the cookie that keeps you logged in with every request, which over HTTP is just as easy to steal as the password itself. Do you really want that to fall into the wrong hands?
If that’s not enough reason (and it really should be), consider this: since 2014, Google has been pushing ‘HTTPS Everywhere’, an initiative to make the web more secure by moving all web traffic onto the secure protocol. That year the search giant announced a minor rankings boost for sites using HTTPS, meaning that it can factor into a website’s search results position. Now they’ve also announced that any website accepting credit card details or passwords via HTTP will be slapped with an ‘insecure’ warning in the latest version of Google’s Chrome browser. Google’s pushing for HTTPS, and its sanctions against sites not using it will only get stronger as time goes on.
What does it cost?
Until recently, cost was sometimes cited as a reason not to use HTTPS. Certificates were (in some cases) expensive to obtain, fiddly to configure, and had to be renewed by hand every year or so. However, in April 2016 a new certificate authority, Let’s Encrypt, came out of beta, offering free certificates and an automated process that replaces the manual creation, validation, signing and installation of certificates. Its certificates are valid for only 90 days, but that is by design: renewal is meant to be automated, so once it is set up the short lifetime is a non-issue… giving everyone one less reason not to use HTTPS.
Reasons NOT to use HTTPS
We’ve already demonstrated that cost and complexity are not the hurdles they used to be. But while we’re on the subject of reasons not to – what other considerations are there?
- If you need to include non-secure third-party items on your page
If your site absolutely requires third-party items, such as iframes pulling in content from another site that is not secured by HTTPS, then an HTTPS page that loads them becomes ‘mixed content’. The browser will warn the visitor, and current browsers go further for things like scripts and iframes loaded over HTTP and block them outright, so the embedded item simply doesn’t appear. The fix is to get the third party to serve it over HTTPS (most now do) or to drop it.
- If you pass absolutely no sensitive information
Arguably, if no sensitive information at all passes between the browser and the server, HTTPS may be unnecessary. These days that is true of very few sites, and even a read-only site benefits: without HTTPS, anyone sitting between the visitor and the server can alter the page in transit, for example by injecting adverts or scripts.
- If your hosting doesn’t support it
Some shared hosting platforms will not support HTTPS. In that case it’s well worth changing your hosting rather than ditching the idea of using HTTPS.
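As a practical check for the points above (a login or checkout form that submits passwords or card details over plain HTTP, which is what triggers the Chrome warning mentioned earlier, and items an HTTPS page pulls in over HTTP, the mixed-content case), here is an added Python example. It is not code from this article; the sample pages and hostnames in it are constructed for the demo, and the split of tags into ‘active’ and ‘passive’ mixed content and the card-field name hints are simplifying assumptions, since browsers’ exact rules vary.

```python
"""Audit a page's HTML for the two HTTPS problems discussed above:
 - password or card fields whose form submits over plain HTTP (what Chrome
   labels 'Not secure'), including forms on an HTTPS page that post to HTTP;
 - items an HTTPS page loads over HTTP (mixed content), split into 'active'
   (blocked by browsers) and 'passive' (shown, but the padlock is lost).
Sample pages and hostnames below are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: a simplified split of which tags browsers treat as active
# (can run code or restyle the page) versus passive (media) mixed content.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
# Assumption: name fragments used as a heuristic for card-number fields.
CARD_HINTS = ("card", "ccnum", "cc-number", "credit")


class HttpsAudit(HTMLParser):
    """Collects findings as (kind, what, url) tuples while parsing."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlsplit(page_url).scheme == "https"
        self.findings = []
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attrs come back as None
        if tag == "form":
            # A missing or empty action means "submit back to this page".
            self._form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            self._check_input(a)
        elif tag in ACTIVE or tag in PASSIVE:
            self._check_resource(tag, a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

    def _check_input(self, a):
        kind = (a.get("type") or "text").lower()
        name = a.get("name", "").lower()
        sensitive = (kind == "password"
                     or a.get("autocomplete", "").lower() == "cc-number"
                     or any(h in name for h in CARD_HINTS))
        if not sensitive:
            return
        target = self._form_action or self.page_url   # input outside any form
        if urlsplit(target).scheme != "https":
            self.findings.append(("insecure-form", name or kind, target))

    def _check_resource(self, tag, a):
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # rel=canonical, rel=icon etc. are not loaded as style
        url = a.get(ACTIVE.get(tag) or PASSIVE[tag], "")
        if not url:
            return
        full = urljoin(self.page_url, url)   # resolves relative and // URLs
        if self.page_secure and urlsplit(full).scheme == "http":
            kind = "active-mixed" if tag in ACTIVE else "passive-mixed"
            self.findings.append((kind, tag, full))


def audit(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a CMS login page served over plain HTTP.
LOGIN_PAGE = """<form action="/wp-login.php" method="post">
  <input name="log"><input type="password" name="pwd"></form>
<img src="/logo.png">"""

# Constructed sample: an HTTPS page pulling in third-party items over HTTP.
HTTPS_PAGE = """<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
<iframe src="http://widgets.example.org/embed"></iframe>
<img src="http://images.example.net/pic.jpg">
<form action="https://pay.example.com/checkout">
  <input name="card_number" autocomplete="cc-number"></form>"""


def demo():
    return {"http_login": audit("http://www.yoursite.com/wp-login.php", LOGIN_PAGE),
            "https_page": audit("https://www.yoursite.com/", HTTPS_PAGE)}


if __name__ == "__main__":
    for page, findings in demo().items():
        print(page, "->", findings or "clean")
```

Run it against a saved copy of your own pages (feed `audit()` the page URL and its HTML): anything reported as `insecure-form` is exactly what the new Chrome label is about, and anything `active-mixed` will be blocked, not merely warned about, once the page moves to HTTPS. Protocol-relative `//cdn…` URLs come out clean because they follow the page’s own scheme.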
HTTPS and SEO
We’ve already covered the fact that running your site on HTTPS gives some benefit to your search rankings, and the expectation is that this will carry more weight as time goes on. But if you are considering moving your site to HTTPS, plan it carefully with your SEO footprint in mind. Like any major change to your site’s URLs, a migration from HTTP to HTTPS can cause some temporary disruption to your rankings. The basics are to redirect every old HTTP URL to its HTTPS equivalent with a permanent (301) redirect, and to update internal links, canonical tags and your sitemap to the HTTPS versions, so talk to your SEO agency first!
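One way to do the redirect side of a migration, as an added example rather than anything from this article or an SEO agency: a small Python WSGI app that sends every plain-HTTP request to the same path and query on HTTPS with a 301, and marks HTTPS responses with a Strict-Transport-Security (HSTS) header, which goes a step beyond the article by telling returning browsers to stop using HTTP for the site at all. The hostname, the HSTS lifetime and the decision to trust an `X-Forwarded-Proto` header from a TLS-terminating proxy are assumptions for the demo.

```python
"""HTTP-to-HTTPS redirect for a migration, as a small WSGI app.
Every plain-HTTP request gets a 301 to the same path and query on HTTPS,
so old links and search listings carry over; HTTPS responses add an HSTS
header so returning browsers stop trying HTTP at all.
Hostname, HSTS lifetime and proxy trust are assumptions for the demo."""
from urllib.parse import quote

CANONICAL_HOST = "www.yoursite.com"            # assumption: the one host you want indexed
HSTS = "max-age=31536000; includeSubDomains"   # assumption: one year
# Assumption: the app sits behind a TLS-terminating proxy that sets
# X-Forwarded-Proto. Only trust that header when such a proxy really is in
# front of you, because a client can send it too.
TRUST_FORWARDED_PROTO = True


def is_https(environ):
    scheme = environ.get("wsgi.url_scheme", "http")
    if TRUST_FORWARDED_PROTO and environ.get("HTTP_X_FORWARDED_PROTO"):
        scheme = environ["HTTP_X_FORWARDED_PROTO"]
    return scheme.lower() == "https"


def https_location(environ):
    """Same path and query string, on the canonical HTTPS origin."""
    path = quote(environ.get("PATH_INFO") or "/")   # PATH_INFO is decoded; re-encode it
    query = environ.get("QUERY_STRING", "")
    return f"https://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")


def app(environ, start_response):
    if not is_https(environ):
        # 301 rather than 302: permanent, so crawlers move the ranking signal
        # to the HTTPS URL instead of treating it as a temporary detour.
        start_response("301 Moved Permanently",
                       [("Location", https_location(environ)),
                        ("Content-Length", "0")])
        return [b""]
    start_response("200 OK",
                   [("Content-Type", "text/plain; charset=utf-8"),
                    ("Strict-Transport-Security", HSTS)])
    return [b"served over https\n"]


def handle(environ):
    """Drive the app on a hand-built WSGI environ; returns (status, headers, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    # Constructed requests standing in for a browser hitting the old URLs.
    for env in ({"wsgi.url_scheme": "http", "PATH_INFO": "/cms", "QUERY_STRING": "page=2"},
                {"wsgi.url_scheme": "https", "PATH_INFO": "/"}):
        print(handle(env))
```

Only switch the HSTS header on once every page and resource works over HTTPS: browsers remember it for the full `max-age` and will refuse plain HTTP for the site in the meantime. In a real deployment the same two rules (301 to HTTPS, HSTS on HTTPS responses) are usually expressed in the web server or proxy configuration rather than in application code, but the behaviour to test for is identical.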
Conclusion
For the majority of sites in 2017, there's no valid reason not to use HTTPS. It increases security, it's best practice, and it has few drawbacks. It should be specified for all new websites or rebuild projects; and owners of older sites should consider whether an upgrade to HTTPS would be appropriate. Should my site use HTTPS? Ideally, yes.