You may have noticed many business websites now have a green padlock in the address bar next to the letters ‘https’. Until recently, you’d only see this on shopping or banking sites, but now days it's become expected for all business websites - even if you don’t ask people to log in or enter credit cards - to have.
So what is 'https' and why does it matter? Simply put, the ‘s’ in https stands for secure and means any data sent/received by the visitor is encrypted. This means that any data sent to and from that particular web page cannot be seen by anyone or anything other than your system and the website you are visiting. Without the 's', anything and everything is transmitted "in the clear" and can be read by any other third party (even those little password boxes that put dots in front of the password).
Clearly then, this is an essential feature for e-commerce sites, but why have all the info-only websites started using https too?
The New Google Rule
The biggest reason why websites need to be using https happened this summer. In July 2018, Google will now mark your page as insecure unless you’re using https. It’s a movement they started a few years ago to make the internet a more secure place by default. Since Google pretty much rules the internet when it comes to search and increasing security is always a good idea, businesses have been gradually switching over. Without https protection, someone with access to your internet connection, whether from digital eavesdropping or hacking, could intercept the information. They could also place malware onto otherwise legitimate sites and infect innocent visitors. That’s why eighty-one of the top 100 sites online have already switched to https and a strong majority of the web is following suit.
In addition to this, Google will also knock down the Search Engine Optimization (SEO) score of websites not using https. This makes those pages much harder to find in the search results and can severely hamper lead generation which can adversely affect your business overall.
The Browser Bar Says It All
In the same way a green padlock in the browser bar indicates a trustworthy site, you can expect non-https sites to be marked with a “not secure” warning. Previously, users had to click an information symbol to actively investigate non-secure sites. The shift to plain sight markers will be most noticeable on Chrome, however it’s expected that other browser developers will follow suit. Visitors may then be alarmed by landing on your site and seeing that the connection isn’t secure.
The fact that you may not be asking them to log in, enter personal details or payment is irrelevant. You may not be asking them to enter anything at all, but perceptions matter. Eventually that warning will be changed to an alarming red as Google declares war on unsecure sites. As the common understanding is that a warning = bad, you may get more visitors bouncing away within seconds or even contacting you to report that your site has a problem.
What to Do Next
In an ideal world, your site would have a secret switch on the back-end you could flick over and suddenly be https, but it’s a little more complicated than that. In fact, you may have already noticed some sites experiencing trouble with the migration. When the setup goes wrong, users don’t see your website with a little warning in the corner, they’re blocked by a full page error and offered a return to ‘safety’ (away from your site).
For starters you will need what is called an "SSL certificate". This certificate is what identifies your site as legitimate and is a critical piece of the https encryption process. SSL certificates are sold by specific companies that are trusted as well as many web hosts. SSL certificates are sold on a per-domain basis so if you have multiple websites or microsites you will need to either purchase multiple SSL certificates or ensure that your single SSL certificate covers all of your domains.
One thing to avoid is the use of "self signed" certificates. These types of certificates are designed for testing purposes only but are commonly used as a cheap alternative to buying a proper SSL certificate. The problem with self signed certificates is that they are not recognized as secure and can also be spoofed meaning they aren't really any more secure than not having SSL in the first place.
Of course, the easiest way to make the move to https is to contact your IT technician or web developer, as they’ll be able to make sure you’re keeping Google happy and rolling in the green.
Need help migrating your site to https or want to make sure it's done properly?