Almost any web user can tell when they visit a website that uses HTTPS. They know this by the green lock in the browser or the HTTPS (vs. HTTP) in the address bar. This indicates that you can generally trust that your connection to the site in question is “secured” with TLS (Transport Layer Security). Herein we’ll explore why you should (if you haven’t already) set this up for your website immediately. Although you may not be familiar with it, TLS is the successor to SSL (Secure Sockets Layer). Unfortunately, many (including major industry titans) continue using the term SSL when they mean TLS. Anyhow, onward into why you need to set up TLS encryption today.
Even in 2018, there are still a large number of websites which don’t have HTTPS/TLS enabled. When you visit a website over HTTP (Hyper Text Transfer Protocol), the content of your session is in clear text – readable to anyone in between you and that website. Enter HTTPS. HTTPS creates a secure channel over an insecure network (the Internet), which secures your session from your browser to the server you are connecting to. It keeps you ‘secure’ from eavesdropping, tampering, MiTM (Man in the Middle) and many other threats. The underlying technology that powers HTTPS is actually TLS. With TLS enabled, a website visitor can be reasonably assured of the authenticity, privacy and integrity of the connection to your website. In essence, it keeps user sessions/communications, identity and web browsing away from prying eyes. But that’s far from its only purpose; it has many serious business impacts, which we’ll explore further.
Google Page Rank is the elegant algorithm which decides how your website ranks within Google’s organic search results. Google has publicly stated for years that HTTPS or TLS is a requirement. In essence, Google and other search engines will rank your site lower than comparable sites that have TLS. In some cases, you may be outright blacklisted if you don’t have HTTPS. Generally speaking, you will lose out in terms of your page rank to those that have HTTPS enabled. Sound serious? Yes, it is. Keep in mind most customers find you from the web.
As we stated before, HTTP is the foundation of data communication on the world wide web. The current version of HTTP (Hyper Text Transfer Protocol), HTTP 1.1, which was introduced in the early 90’s, is, like SSL, going to be supplanted. HTTP2 is the next generation of HTTP and is an important step forward in the speed and performance of your site. HTTP2 is key here because it requires TLS to function. This is also critical because performance is a key ranking factor in page rank. A faster website generally means you place better in search engine results, which means more customers and more profit. There are many benefits of HTTPS: better performance, security, page rank, etc.
Google Chrome is one of the most popular web browsers used today. As of July 2018, with the release of the Chrome 68 browser, all sites without HTTPS will be marked ‘Not Secure.’ Google’s goal here is to make the web a safer and more secure place to be. The browser is simply notifying a user that the site they are communicating with is unencrypted and is susceptible to eavesdropping, tampering, MiTM, etc. Google isn’t the only tech titan recommending TLS; Apple, Mozilla Firefox and nearly every other vendor have been doing so for years now. Do you really want your customers assuming your organization is insecure?
Industries and companies that fall under regulations are also required to have HTTPS on their websites. If you’re a healthcare provider or covered entity, HIPAA applies; if you are doing business with EU citizens, GDPR applies; if you have an ecommerce effort, you must comply with PCI. As always, TLS is only a single part of your larger compliance requirements.
How to Get HTTPS
If you are not currently using HTTPS on your website, contact your web hosting provider and ask to get it set up today. If they don’t offer it, find a new provider or contact us and we’ll help you get it all squared away. It shouldn’t cost you more than $100ish a year. If your web hosting provider supports it, the nonprofit Let’s Encrypt offers free TLS certificates.
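Once HTTPS is switched on, it is worth confirming what the server actually negotiates. The following is an added example, not part of the original post: it checks the TLS version, whether HTTP/2 was selected, and how long the certificate has left. The function names, the accepted-version set and the 21-day warning threshold are assumptions made for illustration.

```python
import socket
import ssl
import time

# Protocol versions treated as acceptable here (assumption for this example).
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def evaluate(version, alpn, cert, now, warn_days=21):
    """Turn the facts of one TLS handshake into a list of findings."""
    findings = []
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"outdated protocol negotiated: {version}")
    if alpn != "h2":
        findings.append(f"HTTP/2 not negotiated (ALPN returned {alpn!r})")
    # notAfter uses the fixed date format returned by SSLSocket.getpeercert().
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect to a live site and evaluate the session it negotiates."""
    # The default context verifies the certificate chain and the hostname,
    # so an untrusted or mismatched certificate raises an SSL error here.
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return evaluate(tls.version(), tls.selected_alpn_protocol(),
                            tls.getpeercert(), time.time())

# Constructed sample handshake results (not captured from a real site).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")
SAMPLE_GOOD = ("TLSv1.3", "h2", {"notAfter": "Mar  1 00:00:00 2030 GMT"})
SAMPLE_WEAK = ("TLSv1", None, {"notAfter": "Jan 11 00:00:00 2030 GMT"})

if __name__ == "__main__":
    print(evaluate(*SAMPLE_GOOD, now=SAMPLE_NOW))
    print(evaluate(*SAMPLE_WEAK, now=SAMPLE_NOW))
```

Call `probe()` with your own hostname to run the same checks against a live server; an empty list means none of the three checks raised a finding.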
Be under no illusion that this technology magically solves security concerns, but it’s a step in the right direction. It secures your users’ client sessions via TLS cryptographic protocols, but it doesn’t secure your website itself – only the transmissions to and from your website. It doesn’t magically secure your web applications, ensure your coders are using secure coding practices or solve the multitude of other security risks. It’s not ‘magic’ beans, but part of a larger requirement of today’s best practices for securing your web presence. As always, defense in depth is no single technology or process but many layered elements of people, process and technology.
As you arrive at the end of this post, I hope it’s clear you need HTTPS set up yesterday. If you conduct ecommerce, have a web application that sends or receives sensitive data or you have a contact form – you should have TLS. Fact is, you should have TLS no matter what. If you have questions or comments, please leave them below or contact us. We are always happy to help.