From January 2017 Google will begin issuing browser warnings on site login pages that do not use encryption. This is part of Google’s plan to encourage all websites to be served over the secure HTTPS protocol, rather than the unsecured HTTP protocol. Google first began encouraging website owners to switch to HTTPS in 2014 when it indicated that it would start to use security, and specifically the use of strong HTTPS encryption, as a ranking factor in searches.
Starting with version 56 of Chrome, login pages and pages that collect sensitive personal information, such as credit card details, served over HTTP will be labelled ‘Not Secure’ in the address bar. In future releases of Chrome all HTTP pages will carry the same label.
HTTP vs HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol that carries data between a website's server and your browser. With HTTPS the HTTP traffic is carried inside an encrypted TLS connection, so everything sent in either direction (pages, form submissions, cookies) is encrypted on the wire. When a website uses HTTPS most browsers indicate this with a padlock in the address bar (at the time of writing, a green padlock and a green https).
Two protocols have been used to provide the encrypted connection: Secure Sockets Layer (SSL), the older protocol, and Transport Layer Security (TLS), its successor. All versions of SSL are now deprecated and should be disabled on the server; modern HTTPS uses TLS, although the name ‘SSL certificate’ has stuck. Both rely on public key cryptography: the website holds a private key, kept securely on the server, and publishes the matching public key in its certificate. Data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key. The browser uses the public key to check that it is talking to the genuine server and to agree a fresh session key; the page data itself is then encrypted with symmetric keys derived from that exchange, which is far faster than public key encryption. Over plain HTTP, by contrast, anyone on the network path can read or alter the traffic in either direction, which is clearly a problem when the information is sensitive.
Key benefits of HTTPS
- Encryption – Data you send is useless to anyone who intercepts it without the session key.
- Protection of sensitive information, such as login details and credit card numbers, while it is in transit.
- Data integrity – Data you send cannot be altered in transit without the change being detected and the connection rejected.
- Authentication – The browser checks the server's certificate, so a ‘Man In The Middle’ impersonating the site is detected rather than silently trusted.
- Trust – Customers are more likely to complete purchases on a site that shows the padlock.
- Verification – Visitors can inspect the certificate to verify who owns the website.
How to implement HTTPS
A certificate is required to enable HTTPS on a website. Certificates are issued by a certificate authority (CA), which verifies, at a minimum, that the organisation requesting the certificate controls the web address it is seeking to protect. Browsers trust the certificate because they trust the CA that signed it.
Different types of SSL certificate
There are three main types of certificate. All of them provide the same encryption; what differs is how thoroughly the certificate authority checks the identity behind the domain, and the cost, which ranges from free to upwards of £250 per year. The most suitable certificate for your organisation depends on the nature of the business you conduct. A business that simply wants to encrypt traffic for confidentiality can use a basic domain-validated certificate, whereas a bank would use an extended validation certificate so that customers can see that the site's identity has been checked and place more trust in it.
Extended validation (EV) certificates: the certificate authority conducts extensive background checks of the organisation, including its right to use the domain name and that its identity matches official legal records. These checks are repeated when the certificate is renewed, so they stay current. Extended validation certificates give visitors a highly visible indication that the site's identity has been verified: at the time of writing, a green address bar showing the organisation's name, green https and a green padlock.
Organisation validation (OV) certificates: the certificate authority verifies ownership of the domain name and also carries out some checks on the organisation, although not as extensively as for extended validation. The company information and the details of the certificate can be viewed by clicking the padlock and opening the certificate (or the site seal that some certificate authorities provide).
Domain validation (DV) certificates: only control of the domain name is verified, typically by responding to an email sent to the domain or by publishing a token on the web server or in DNS. There is no checking of the organisation and no organisation details are displayed; the browser simply shows the padlock and https. This type of certificate is ideal for businesses looking for a low-cost encryption solution, and it has the benefit of being issued within minutes because no company details have to be submitted or checked.
Although the benefits of using HTTPS outweigh the negatives, there are several things to consider when switching.
- When moving from HTTP, Google regards the switch as a site move and treats the HTTPS version as a set of new URLs.
- Special attention needs to be paid to redirecting every old URL to its HTTPS equivalent with a 301 permanent redirect (not a temporary 302), so that search ranking carries over rather than being lost.
- The certificate must cover the exact host name you serve, e.g. www.yourdomain.co.uk or yourdomain.co.uk. A certificate for one does not cover the other unless both are listed in its Subject Alternative Name field, and a visitor arriving at a name the certificate does not list will see a certificate name mismatch error.
- Certificates expire, so record the expiry date and renew in good time; an expired certificate produces a full-page browser warning that most visitors will not click through.
- Ensure that every asset on a secure page (scripts, stylesheets, images, frames) is also loaded over HTTPS. Loading any of them over HTTP is known as mixed content: browsers block mixed scripts, stylesheets and frames outright and remove the padlock for mixed images. This is commonly a problem with third-party plugins that reference files from HTTP sources; switching those references to HTTPS or protocol-relative (//) URLs fixes it.
- HTTPS adds a little latency because of the extra round trips needed for the TLS handshake, though session resumption and HTTP/2 (which browsers only support over HTTPS) usually offset this, and the encryption itself costs very little CPU on modern hardware.
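The following Python script is an added example, not code from the original article, covering the checks in the list above: whether a certificate's names cover the host name you serve (including the single-label wildcard rule), how long it has left before expiry, whether the plain HTTP URL answers with one permanent redirect to the HTTPS URL, and which embedded assets on a page would load over plain HTTP. The host names in the sample page and in the comments are made up; live_checks() runs the same checks against a real host and needs network access.

```python
import http.client
import socket
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def hostname_matches(host, cert_names):
    """True if a DNS name from the certificate's Subject Alternative Name list
    covers host. A wildcard covers exactly one label: '*.example.co.uk' covers
    'www.example.co.uk' but not 'example.co.uk' or 'a.b.example.co.uk'."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            labels = host.split(".")
            if len(labels) > 1 and labels[0] and ".".join(labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(not_after, now=None):
    """Days left; not_after is the string getpeercert()['notAfter'] returns,
    e.g. 'Jun 15 12:00:00 2025 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify_redirect(status, location, host, path="/"):
    """The HTTP URL should answer with one permanent redirect to the same
    path on the HTTPS version of the same host name."""
    if status not in (301, 302, 307, 308):
        return "no-redirect"
    if location != f"https://{host}{path}":
        return "wrong-target"
    return "ok" if status in (301, 308) else "temporary"


# tag -> attribute naming a sub-resource the browser will actually fetch
SUBRESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src",
                     "img": "src", "source": "src", "embed": "src", "object": "data"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute URL) for sub-resources that would load over HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        a = dict(attrs)
        # <link rel="canonical"> and similar are metadata, not fetched assets
        if attr is None or (tag == "link" and "stylesheet" not in (a.get("rel") or "").lower()):
            return
        if a.get(attr):
            # relative and protocol-relative ("//cdn/...") URLs inherit https
            url = urljoin(self.page_url, a[attr].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, url))


def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def live_checks(host):
    """Same checks against a real host (needs network access)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    print("redirect:", classify_redirect(resp.status, resp.getheader("Location"), host))
    # The default context verifies the chain and host name itself, so a
    # name mismatch surfaces here as ssl.SSLCertVerificationError.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    print("certificate covers host:", hostname_matches(host, names))
    print("days until expiry:", round(days_until_expiry(cert["notAfter"])))


# Constructed sample page (host names made up) with three HTTP sub-resources.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<link rel="canonical" href="http://www.example.co.uk/">
<script src="//cdn.example.net/jquery.js"></script>
</head><body>
<img src="https://img.example.co.uk/logo.png">
<img src="http://img.example.co.uk/banner.png">
<iframe src="http://widgets.example.net/chat"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE, "https://www.example.co.uk/"):
        print(f"mixed content: <{tag}> loads {url}")
```

Run it as-is to scan the constructed page (it reports the http stylesheet, image and iframe but not the protocol-relative script or the canonical link), or call live_checks("www.yourdomain.co.uk") from a Python shell to run the redirect, name and expiry checks against a real site. The scanner only sees markup present in the HTML; assets injected later by scripts need a browser's developer console to spot.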