Web security is a crucial element to the overall health of your site. Security ensures users can access your site safely, preferably through HTTPS instead of HTTP. HTTPS or Hypertext Transfer Protocol Secure, adds a layer of protection to your website, making it harder to theoretically peer into your website and capture sensitive user information.
As of 2018, Google Chrome is taking security a step further by being more prominent about pointing out unsecure websites.
Think of it this way: HTTPS works by creating a secret between you and the website you're trying to use.
What is HTTPS and How Does it Work?
Hypertext Transfer Protocol Secure uses a Secure Sockets Layer (SSL) Certificate, to encrypt the data shared between you and the receiver. The SSL Certificate is a code that scrambles the information, so that information can only be viewed between a sender and recipient.
Confusing? Think of it this way: HTTPS works by creating a secret between you and the website you're trying to use. No one other than you and the website knows this secret, so if anyone tries to look at what's happening, it'll come across as scrambled. This is extremely important not just when handling sensitive information like credit cards, but for general viewing safety.
What's happening with Chrome?
Alphabet (Google's parent company) recently announced that as of October 2017, Chrome version 62.x and higher will start displaying websites that aren't secured with HTTPS with a "Not Secure" signifier next to the URL.
For now, this will only be shown when entering data during normal viewing, but will show at page load and when entering data for incognito viewing.
What about other browsers?
So far, Mozilla Firefox, Safari and Microsoft Internet Explorer/Edge currently aren't displaying anything prominent when a page isn't secure, but that doesn't mean that won't change in the future.
Each browser does display a padlock when a page has HTTPS and is secure, but they don't show anything if using HTTP.
What do pages using only http: look like in Chrome?
In regular browser windows, non-secured HTTP pages will load normally, until someone interacts with the page. If you start typing in information, filling something out, checking on a button, the Not Secure signifier will appear. Refreshing the page removes this signifier until the page is interacted with again.
During incognito browsing, the Not Secure signifier will appear and stay immediately during page-load, and will remain for as long as you're on the site.
Are HTTP security warnings happening on mobile? Android?
As of October 2017, this update has not gone live to Chrome for Mobile, or for Android. Alphabet has not yet announced when/if this change will be pushed to Chrome for Mobile and Android.
Why you need to switch to HTTPS
If you're not already using HTTPS, it's time to get with the times. 71% of pages are loaded via HTTPS already according to Google's HTTPS Transparency Report. Alphabet has made it clear that they plan on pushing the greater world-wide web to jump to HTTPS ASAP.
What does having HTTPS mean for your web traffic?
Although it's currently not actively harming webpages, seeing a "Not Secure" pop-up when interacting with a web page can stop potential customers from filling out forms or buying something online. With HTTPS, your website delivers a better user experience.
How HTTPS Can Impact Your Digital Marketing
As of 2014, HTTPS is a ranking signal in Google. This means that having HTTPS can give your site a bit of a boost, especially when competing for top spots in competitive environments.From an Adwords perspective, having HTTPS on your landing page can increase your quality score for ads in Adwords. Higher quality scores mean lower cost per conversions on average, which means that adding HTTPS can help lower the cost of your leads slightly long-term.
How do I switch to HTTPS?
Switching to HTTPS can often be done as part of most hosting packages, and can often be added for free or at a low cost through various methods. Before switching, make sure your hosting environment uses a dedicated IP address, and not a shared address. This is necessary to get an SSL certificate. To switch to HTTPS:
- Acquire an SSL certificate. This can be done for free through sites like https://letsencrypt.org/ or can be paid for through most hosting providers.
- Generate and Install a Certificate Signing Request (CSR) in your hosting control panel. This is necessary to create the public and private keys that compose the handshake that makes your SSL certificate. Your hosting provider may do this step for you, if you're purchasing SSL through them.
- Update your http to https sitewide. Now that you have an SSL certificate installed and working, you need to make sure that all of the unsecured links are updated sitewide to your secured links.
- Ensure that all the elements on your page are secure. Linking to unsecure elements can negate website security, so in order to have your secure site be fully locked down, all the elements on the page, and associated links must be secure as well. If you're having trouble with this step, https://www.whynopadlock.com/ is a great tool to help find anything that's keeping your site from being totally secure.
With the growing ease and availability of HTTPS, there's no reason not to secure your website immediately. Get started today.