What is HTTPS and SSL?
Cyber security tends to be a fleeting topic in the relatively grand plan for a website project. Like insurance, cyber security is something you don’t appreciate until you need it.
When data breaches at major corporations are reported seemingly a few times each year, it’s easy to take a step and say those famous last words: It’ll never happen to me.
“Of course they were hacked,” you might say. “They are a multi-billion dollar company. I just sell t-shirts online.”
Unfortunately, small-time hackers looking for a few quick bucks know to target small-time sites because there is a greater chance they’re not protected.
You may have heard about HTTPS and SSL Certificates but never knew how they secure your site. Below is a full primer.
First, what is HTTP?
There is no shortage of acronyms when it comes to explaining the Internet. Let’s define a few before we get too deep into the proverbial weeds.
HTTP stands for Hypertext Transfer Protocol, and it’s the typical way files are sent back and forth between your browser and a server a website is hosted on.
If you are a tad familiar with HTML (Hypertext Markup Language), you will recognize the first part of HTTP – Hypertext. When the World Wide Web started taking shape in the early 1990s, HTML files were what was mainly sent across the web, thus the name.
Of course many types of files, for example, images and style sheets, can now be transferred from a server to a browser to enhance a HTML page, and HTTP is how it happens. HTTP is the road system of the information superhighway.
What is SSL and HTTPS?
As you may have guessed, HTTP and HTTPS are related. The ‘S’ stands for Secure, which means the data being sent back and forth is encrypted or scrambled.
That scrambling happens through one of two ways: SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
The details of these methods are fairly technical, but think of these like the secret decoder ring you may have had when you were a kid, or a perhaps the special language you used to talk to your friends when you didn’t want others to know what you were saying.
Obviously, someone needs to know how to decode or unscramble your messages in order to make sense of it all, which is what makes securing your site’s data so appealing.
To clarify, SSL and TLS only encrypts the data when it is transferred from the server to your browser and vice versa. If your site is managed through a content management system and is hooked up to a database, the data becomes unscrambled when it is stored again.
A hacker trying to steal credit card numbers or personal information will need the key, or set of instructions, to turn that coded data into something worthwhile.
It’s worth noting that SSL and TLS are relatively similar and used interchangeably, though perhaps incorrectly at times. SSL preceded TLS and was developed in 1995. TLS came along in 1999 as an improvement to SSL and has been refined since then, becoming the standard method.
The green padlock
When you come across a secure site using HTTPS, you may notice a green padlock, or some version thereof, in the URL bar of your browser. This means you can trust that data you share will be encrypted while it is being sent back and forth.
The green padlock can also be a sign that the business or organization behind the domain has been verified. More expensive SSL certificates require this extra check before a certificate is issued.
You should never provide credit card, social security, or health information if you do not see this indicator. And you should never ask your customers or site users to do so either if you don’t have HTTPS.
Why do you need HTTPS?
By now, you may be eager to set up HTTPS on your site. Before you do, answer these questions:
-
Do you sell products on your site where customers can make direct purchases (meaning they do not complete a purchase through a third-party payment site, such as PayPal)?
-
Do you have forms on your site where users are asked to provide personal information they may otherwise want to keep private (excluding their name, email address, phone number, and mailing address)? Anything related to health and finances will definitely put you into this category.
If you answered ‘yes’ to either of these, you need secure encryption on your site. Going without puts your users and customers at risk.
What doesn’t need HTTPS?
A blog or informative website with a basic contact form doesn’t really benefit from HTTPS.
It may make visitors feel warm and fuzzy inside knowing they are protected, but the price you’ll pay for that security layer may not be worth it if the main purpose of your site is to share information.
Sites meant to be a portal for internal business use and require users to login will fall into a grey area. If specific client or customer information is shown in full detail, it’s probably best to set up HTTPS.
How does HTTPS affect SEO?
Google announced in August 2014 that HTTPS has been added as a ranking factor in their search algorithm.
At the time, it was noted that HTTPS does not have as much influence as other factors, such as quality content. But Google left the door open, adding they may decide to increase how much HTTPS affects a web page ranking in the future.
What has the impact been thus far?
A Search Metrics study in early 2015 showed unencrypted sites that already had some SEO weight saw, at most, a 5 percent uptick in their search engine ranking after switching to HTTPS. But some also saw little to no difference.
HTTPS could also harm your site’s SEO if done incorrectly. For example, all page links need to be properly redirected to their encrypted version. If not, all your previously built up SEO value could be lost.
The future of SEO with HTTPS
While there are certainly other search engines available, it’s no secret Google reigns supreme for many reasons. And as Google goes, the Internet goes, so it seems.
Look no further than April 2015 when Google made mobile-friendliness a ranking factor. While building responsive sites has been a standard among web development agencies nationwide for years, the mobile-friendly factor forced late adopters to get onboard – either out of fear or necessity (or both).
Switching to HTTPS could follow suit, but likely not until implementation gets easier and the cost is lowered.
As front-end developer Anselm Hannemann explains in an interview with CSS Tricks, “honestly, today setting up HTTPS properly is way too complex, even for tech-savvy people.”
Hannemann also has a great write up on his blog if you’re interested in reading more about some of the technical trials and tribulations behind HTTPS.