Sitefig - your site sorted

Posted in /tech/ on 03 Nov 2022

Why you need HTTPS

Everything you need to know about securing your website

All websites these days should use HTTPS (Hypertext Transfer Protocol Secure). Yes, there was a time TLS (Transport Layer Security) certificates were unnecessary, but today you really cannot go without them. Here is why!

HTTPS is the encrypted version of HTTP (Hypertext Transfer Protocol), the protocol used for transferring data to your browsers. The HTTPS protocol relies on a TLS certificate to encrypt all the data between your computer and the server. As a result, HTTPS prevents anyone from tampering with the data and ensures content integrity, and it works both ways: when receiving and sending data such as usernames, passwords and visa card numbers.

The benefits of having a secured website far outweigh the downsides, which range from personal data loss, website impersonation attacks and lawsuits brought to you by any DPA (Data Protection Authority) in Europe.

For example, in 2021, the Dutch DPA imposed a €12,000 fine on an orthodontic practice for allowing new patients to register on an unsecured website.

We can obtain TLS certificates for free, which means paying that hefty price was unnecessary.

The benefits of a secure website

Security

With HTTPS, intruders can’t manipulate or passively listen in on the communications between your site and your users. An HTTPS connection provides additional security and privacy for your company and customers.

The encryption makes it practically impossible to eavesdrop or snoop on any communication. While your customers are online, browsing or entering sensitive data on your website, nobody will be able to track what they are doing.

Additionally, the company operating the website can be sure that no 3rd party is making changes to the website and the customer effectively sees the website as expected. You might be surprised how many companies have injected marketing messages, advertising, script and images onto pages browsed on open WiFi networks. It happened pretty often.

Luckily the need for privacy increased, and TLS certificates became much more common. Most of the websites in the top 1 million are now using HTTPS .

The certificate is also a means of authentication and proves that your user sees and uses the intended website.

alt

Privacy and trust

Besides security for your company and your customer, privacy concerns have become the focal point of several new directives and legislation efforts worldwide.

We already mentioned the need to use HTTP to avoid anyone snooping n the communication between your website and the customers’ browser. Here is why that is important.

In 2021 a complaint was lodged to the Dutch DPA about the website of an orthodontic practice. The registration forms on the website in question asked for all kinds of personal data about the patient’s health.

Unfortunately, the form was not on a secure connection, and it potentially exposed the data to anyone who had access to the network.

As the orthodontic practice had many patients and a large number of under-aged patients, the DPA decided to impose a hefty fine for not complying with the GDPR directive.

If you have forms on your website on an insecure connection (HTTP), the transmitted data can potentially be tracked by hackers.

This kind of data breach is difficult to detect, but you are still liable and need to report any data breaches in the next 72 hours as a company as per the GDPR directive.

The GDPR directive states that data processing must be handled in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).

The GDPR documents, here and here, explicitly define the need for encryption, though no article expressly documents the usage of a TLS certificate on your website.

So, in theory, you don’t need it. In practice, though, it is strongly recommended as it conveys trust and keeps prying eyes away.

SEO and Google

Before GDPR, security and data breaches were on everybody’s radar, SEO improvements were the main benefit of having a secure website. Over the last ten years, Google made several efforts to push SSL certificates, and today it is the defacto standard for websites.

A weak ranking signal

Earlier in 2014, Google already documented that HTTPS was a weak signal which could improve your position on the SERPs. Developers google : https as ranking signal

Having a TLS certificate does not mean your website automatically gets on the first page of Google. But if you are competing for a specific keyword, and your competitor’s website is not on HTTPS, it might just be the tiebreaker.

Google Chrome thinks your website is “not secure”

Insecure website showing "Not secured" in the URL bar of the brwoser. In July 2018, Google Chrome started labelling websites lacking an SSL certificate as “not secure”. In addition to Chrome, other browsers have implemented similar notifications for sites without valid SSL certificates.

In other words, Google actively pushes websites to set up HTTPS. And since most if not all browsers are these days based on Chrome, it is the defacto standard.

Trust is still important for whether customers purchase goods online or not. Last year the UN reported that at least 30 % of users are unwilling to buy online due to a lack of trust. So if your website is actively labelled as untrustworthy, it isn’t going to do you any good.

Downsides?

Did we mention that the cost of obtaining a certificate is free? If you’d like to win an argument with someone, visit https://doesmysiteneedhttps.com/

How to set up HTTPS for your website?

Today, the easiest way to enable HTTPS is to move your DNS to Cloudflare. Unfortunately, that does not mean the website is entirely secure.

The webserver running the website still requires a TLS certificate to enable traffic between Cloudflare and your server to be encrypted.

Cloudflare does provide certificates to fix that issue, but there are other options such as Let’s encrypt or Zerrossl.

How to check for potential mistakes?

Once you have your website set up or migrated to HTTPS, it is easy to make mistakes.

It might be that a redirect points to an HTTP URL, an incorrectly configured subdomain is still on HTTP, invalid canonical tags, or your SSL certificate is simply out of date.

There are plenty of mistakes that can happen, and it is easy to check for common SSL mistakes.

Check for HTTP pages and links:

With Google operators

You can make your search very specific. You can search for all pages on your website indexed by Google that use the HTTP protocol in the URL:

Try it: “site:sitefig.eu inurl:http://

alt

A free account with Sitefig

Sign up for a free Sitefig account and you’ll get access to all the broken links and resources on your website. Each page will be tested to ensure that it redirects to an HTTPS page.

alt