What is HTTPS and SSL for websites?
Why should you consider migrating from HTTP to HTTPS
SSL and Secure Certificates provide security for your website by encrypting communications between the server and the person visiting the website. It was traditionally required to be used on e-commerce sites when accepting credit card payments online. Recently, Google are pushing for HTTPS to make the web a safer place. Adding an SSL certificate and showing the green padlock on your web pages build trust and credibility with your visitors. Now that Chrome mark non-secure pages with sensitive input field as Not Safe, and Google likely factor https into their algorithms it has also become an important SEO consideration.
As of January 2017 Chrome mark non-secure pages containing password and credit card input fields as Not Secure in the URL bar. For more information, read Avoiding the Not Secure Warning in Chrome.
Note that Chrome will eventually show a Not Secure warning for all websites not on HTTPS:
'Long term - Use HTTPS everywhere
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.' - Google
What is HTTPS
HTTPS is the acronym for Hypertext Transfer Protocol Secure and is used for secure communications over a computer network, such as the internet. Data over HTTPS are encrypted between the client and the server, which means the data can not be tampered with, and your website data is at less risk of being accessed and changed during transmission. Further information can be found in this Google article: Secure your site with HTTPS.
What is SSL
SSL stands for Secure Socket Layer, a standard encryption technology used to transfer data from a user’s browser to the web server. SSL is a protocol that helps encrypt communications over the internet.
Websites use SSL encryption to help prevent hackers intercepting and misusing data that users leave on a website (such as on contact forms).
To encrypt the transmission of website data between the server and the client, the website owner can purchase an SSL certificate which contains an encryption key on the server where the website is hosted.
A website with SSL setup is marked with https:// in from of the url in the address bar.
A website that has the standard protocol without SSL is marked with http:// in the address bar, which indicates that data are not encrypted.
What HTTPS and SSL can do for your website
HTTPS works simultaneously with SSL (Secure Sockets Layer) to communicate data safely in three ways:
1. Encryption; Encrypting the transferred data for security.
2. Data integrity; Data cannot be altered or corrupted during transmission. HTTPS and SSL prevents hackers from tampering with the data during transmission, giving integrity to the data sent and received.
3. Authentication; Users are authenticated to communicate with the website. The Data Encryption provided by HTTPS and SSL means that no one can read the information being sent and received, ensuring privacy.
Important considerations for SSL certification
An SSL certificate on a website can influence the way consumers perceive an organisation. SSL certificates come in a variety of forms and there are several considerations when choosing the best one for a website. In a brief guide on the topic, Google suggests the following:
- Use SSL certificates issued by trusted Certificate Authorities in order to protect visitors from potential man-in-the middle attacks. The certificate authorities are associated with legal regulations and aim to verify the website as a trusted resource.
- Decide on which type of certificate you need: single, multi-domain or wildcard certificate.
- Use 301 redirects to point both users and search engines to the https pages.
- Use protocol relative URLs to minimize the possibilities of serving 404 pages when a user lands on a URL loaded from a development environment.
- Use a web server that supports HSTS (HTTP Strict Transport Security)
- Test your pages using Qualys SSL/TLS
These are just some of the key steps in the whole process of shifting to HTTPS and simply getting a certificate is not enough to actually provide secure communications. Namely, after choosing the right SSL provider and obtaining the certificate, there is a set of steps that need to be taken on a website in order to ensure Google will index it properly.
SSL setup process and costs
We are able to assist clients who wish to make the transition from HTTP to HTTPS, keeping disruption to your website to a minimum.
SSL Certificate and Installation
We offer a variety of SSL certificates to be able to meet the differing needs of our customers. If you only need to secure a single site, we recommend the Positive SSL for application needs and the Extended Validation certificate for eCommerce needs. A Deciated IP address is also needed due to the way the SSL protocol works with the HTTP protocol. This cost is factored in to our SSL certificate costs. Our SSL Certification and Installation service includes:
- Application and purchase the right certificate for your website.
- Installation of the certificate on your website.
Information required to purchase and setup an SSL certificate includes your name, email, phone, and address. We also need to know how long you would like to purchase this SSL Certificate for, 1, 2, or 3 years, and the type of SSL Certificate required.
Costs vary depending on who the certificate is purchased through, and the type of certificate.
Our SSL certificate and installation costs start from $150 per annum.
Please note, an IP change will likely be required. A new IP address will be provided to you, which you will need to update in your DNS records (usually changing the IP address in the 'A' Record). DNS changes can take up to 72 hours to fully propagate.
Additional steps to convert website to HTTPS once SSL certificate has been installed
Once an SSL Certificate is setup on your website, there are a number of further configuration and SEO considerations, such as:
- Update the configuration of your website to point to HTTPS instead of HTTP.
- Redirect all incoming requests for your HTTP website to the location of the HTTPS site.
- Re-verify ownership of your website in Google Search Console and update the sitemap location.
- Update your web property’s configuration in Google Analytics.
- Test and confirm that the conversion was successful.
We offer the above services, please contact us for a cost estimate as the above configuration services vary according to the size and nature of each website.
When you change to HTTPS, it is important to note that although the domain of your website is not changing, the address to get there is. HTTP and HTTPS request your website from two different ports on the web server. There is therefore a possibility that traffic to your website will drop briefly as Google works to re-index your site. This is also why it is important to check that redirects are working as expected.
Once up and running, there are a other considerations for website owners. For example, if you have any marketing tools or digital ads pointing to your website you will want to update the URLs they are pointing to. While redirects will be set up to send HTTP request to the HTTPS URL it’s still best practice to change them as redirects slow the request time and could decrease visitors and conversions.