If you haven’t already switched, you should migrate your sites from using HTTP to HTTPS, even if you don’t handle sensitive communications such as credit card information, passwords, and so on. HTTPS, in addition to providing important security and data integrity for your site and your users’ information (however benign), is a requirement for many of the latest web development technologies and the best rankings when it comes to search engine optimization.
What is HTTPS?
HTTPS builds on HTTP by adding an additional security layer (typically using Secure Socket Layer or Transport Layer Security) to protect information transfers. HTTPS offers three layers of protection that HTTP currently lacks:
- Encryption, which prevents information theft
- Data integrity, which ensures that the information received is the information that was transmitted
- Authentication, which proves the legitimacy of a site and preserves the user’s trust in a particular site
Cyber breaches are occurring more often, so it’s important to secure your site to minimize the probability of this happening.
The Need to Secure Your Sites
HTTPS prevents unauthorized third-party intruders from tampering with data that is transmitted between your websites and your users’ browsers. These third parties do not include just malicious attackers who want to trick your users into installing malware or providing sensitive information, but legitimate (yet intrusive) parties that push their ads on unsuspecting users. Remember that any unprotected resource–images, cookies, HTML, scripts–can become a target, and these intrusions can occur at any point of the transaction. What results is a negative user experience and/or a security vulnerability for those on your site.
Using HTTPS will eliminate these intrusions on the transactions occurring between your sites and your users’ browsers. Many people assume that the only sites that need this kind of security are those that handle sensitive communications, such as eCommerce sites that ask for credit card information, but this is not the case. Each unprotected HTTP request reveals something, however benign, about your user. Because some intruders watch for aggregate browsing activities, they may be able to garner quite a bit of information about the users’ behaviors, intentions, and even identities. For example, employers may be able to determine that an employee is facing a sensitive personal issue, such as divorce or illness, based on the unprotected articles the employee has sought and viewed.
Penalties for Non-Secure Sites
Large entities such as Google and Facebook are leading the charge to change the standard from HTTP to HTTPS. Here are some of the ramifications for not doing so.
Lower Rankings in Search Engine Results
When given the choice between using a secure site versus a non-secure site, users are more likely to choose the former; as such, this is one reason why it’s no surprise that Google’s user-based algorithm for search results rankings will begin penalizing sites that do not use HTTPS. Though it is still unclear how much using HTTPS will benefit a site’s search engine rankings, there’s no debate that it will benefit the site.
As such, you should ensure that, after the migration process from HTTP to HTTPS:
- None of the links on your sites are broken
- All of the links, including redirects and redirect chains, were updated
Negative Perception from Chrome Users
Over 40% of Internet traffic use Chrome. As of today, Chrome indicates safe sites with a secured connection icon in the address bar, but it does not label sites not using HTTPS as non-secure. HTTP connections are labeled with a neutral indicator, but Google is concerned that this does not adequately convey the limited security of such connections. Beginning January 2017, however, Google will begin rolling out a multi-phase project that identifies sites that do not use the HTTPS protocol.
The first phase of this transition affects sites that transmit passwords and credit card information. Chrome will be marking sites that perform these actions not using HTTPS as non-secure.
Future release of Chrome will extend HTTP warnings. Eventually, all HTTP pages will be labeled as non-secure, and the warning indicator used will be the red triangle that is currently used for broken HTTPS connections.
Given that such a sizable portion of the Internet uses Chrome, not migrating your site over to HTTPS means that, eventually, users will see icons indicating that your site is not trustworthy.
Limitations on the Web Platform Features Used
Many of the new features that you can implement on your site require explicit permission from the user prior to execution. These include:
- Taking pictures or recording audio with getUserMedia()
- Enabling offline experiences for apps
- Progressive web apps
- Older APIs that are being updated, such as geolocation
HTTPS forms an integral part of the permissions workflow for these features, and without this protocol, you cannot use them. While you may not need to implement all, or even some of these features, you will want to maintain your abilities to build the best possible sites given the tools available to you at the very least.
Requirement for Implementing HTTP/2
One way to ensure maximum performance from your site is to implement HTTP/2, which is the first new version of the HTTP protocol (which governs the connection between your servers and your visitor’s browsers) since 1999. In short, the goal of HTTP/2 is faster websites for everybody. The only browsers that support HTTP/2, however, require the use of a secured connection. As such, you must be using HTTPS (which includes the required Transport Layer Security (TLS)) to utilize HTTP/2.
To implement HTTPS, you will need to perform the following steps:
- Obtain and install the necessary security certificate(s):
- Redirect all traffic to the HTTPS page using server-side 301 HTTP redirection
- Utilize a web server that supports HTTP Strict Transport Security (HSTS)
You can allow your viewers to visit using either HTTP or HTTPS connections, but to provide a more secure experience, you will want to force your viewers to used only HTTPS connections.
As with all major changes, implementing HTTPS might take you some time, especially if your site is large or your site uses a lot of redirection chains. However, take care that your site doesn’t trigger mixed-content warnings during your migration process.
Mixed-content warnings are typically triggered when the site is served via an HTTPS, but it contains some content (including, but not limited to, scripts, stylesheets, and images) that is retrieved via HTTP. In the worse case scenario, the user’s web browser blocks this content completely, breaking your site. Be sure to make the necessary changes so that this doesn’t happen.
Given the importance of HTTPS in terms of protecting your users’ information, optimizing your site’s search engine rankings, and preserving your abilities to use the latest and greatest features on your site. All websites (including Rigor) should consider beginning the migration process sooner rather than later.
For additional information on how Rigor can assist you with your site’s monitoring and optimization needs, contact Rigor today.