No HTTPS? Warning: your website is insecure.
Changes in web browsers mean your website will now be flagged as “insecure” if you are not using HTTPS – which is a really bad look and reduces trust with your visitor.
When your website uses HTTPS, the browser shows your visitor a padlock symbol, indicating that all data passed from the browser to the web server is encrypted.
If your site uses HTTP then your visitor will be warned your site is insecure.
What is HTTPS?
HTTP stands for Hyper Text Transfer Protocol – it’s the way web pages and other data are transferred from computer to computer, across the internet. HTTPS is the same protocol with an S added, which stands for secure.
When you use HTTPS any information passed between your browser and the server is encrypted. Anyone listening in cannot see your personal data e.g. email address, password, bank details, etc.
The green padlock icon indicates the website developer, or hosting company, has correctly set up an SSL certificate that verifies the domain and the server for a specific timeframe. Certificates are renewed frequently to maintain credibility.
So what’s the problem with unencrypted data?
Data travels across the internet – from server to server – between your computer and the server you are requesting data from. Usually the data is publicly visible information like a web page. However, when you send data from your browser to the server it usually contains personal information – your name, your email or your password.
So, what’s the big deal? With a little bit of effort people can listen in to the traffic between servers so they can capture any unencrypted information.
If you said your PIN Number – out loud – when you were using a cash machine then anyone behind you would know your PIN number. Sure, they might not be listening, they may not remember it – but would you take that risk?
So, why now?
Web browsers have been gradually encouraging developers and website owners to use HTTPS by showing, next to the URL, how secure your connection is. This is nothing new.
What has changed recently is the display of HTTP (without the S) traffic.
If your webpage asks for any information from the visitor, on an insecure page, then your visitor's browser will warn the visitor your site is insecure. That’s a bad user experience - trust is everything.
Does it change my Google ranking?
Back in 2014, Google announced that HTTPS is a ranking factor, but only a very minor one – the big benefit is for your user and their experience while they’re visiting your site.
Google is being proactive in making the web a more secure place. You can read more about their long term plans from this post on the Google Security Blog (updated December 2016).
In my opinion, Google has chosen the browser (Google Chrome is used by more than half the people on the internet) to motivate website owners to switch to secure sites, rather than the search results. It’s possible that insecure sites, over time, get demoted in the search results the same way mobile-unfriendly websites have in the mobile search results.
However, if you’re focussing on the SEO benefits you’re missing the point – look after your website visitors and their user experience first.
What do I have to do to get HTTPS?
The good news is that it’s now easier and cheaper than ever to get a certificate.
You have a number of options:
- Ask your hosting provider to set up the SSL certificate for you. This is probably the easiest way for you to get your site running over HTTPS for a small fee.
- Ask your developer to set up the security certificates for you. This will be a little more costly but probably cheaper in the long run if they do it right.
- Do it yourself – but only if you’re a geek. This is a complex job and if you get it wrong the user experience will be even worse than before.
If you want to DIY then here’s a resource from Google to help you:
If this makes you nervous then I recommend you find someone who has the skills and experience to help you.
Whatever you choose it’s essential you test your site (see below) to make sure it’s working correctly. Incorrect settings can break your website.
How much does HTTPS cost?
A quick check of pricing in New Zealand shows hosting companies charge between $50 and $500 per annum.
We recommend Let’s Encrypt because they have made it their mission to make the web more secure and they offer free SSL.
We make all our websites secure – at no charge – because we think it’s essential for every website.
What to check when you’re testing
Test your site thoroughly. Your developer should do this for you but they aren’t always thorough. Check as many pages as you can. Log in (if your site has the functionality) then log out, and test your forms - especially your contact form. Look for any errors in your browser.
Here are a few common issues and how to avoid them:
- Incorrect setup
  - You need to check everything is working correctly by clicking the icon next to the URL in your browser.
- HTTP vs. HTTPS – mixed content
  - Mixed content is a common issue that will actually pop up a warning panel. This happens when part of your secure page is requesting information from insecure sources. This is usually an image or a link in the template of your page. You can easily find and correct the error by looking at the Page Source and searching for “http://” (without the S).
- External files
  - Everything is working fine and you think it’s sorted, but then the renewal fails. Your SSL certificate will renew as often as every 90 days or as rarely as once a year. Regardless of the frequency, you want to have your renewal process automated. You also want your renewal to happen before your certificates expire.
- Lack of Testing
  - “Oh, I didn’t check that page” is a common mistake. We run automated tests using Screaming Turtle, a tool to check all the links on your site.
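One way to catch a failed renewal before visitors do, as an added example that is not part of the original article: it reads the certificate's expiry date with Python's standard `ssl` module and reports when too few days remain. The function names and the 30-day warning threshold are assumptions chosen for illustration.

```python
import socket
import ssl
import time


def fetch_certificate(hostname, port=443, timeout=10):
    """Connect over TLS and return the server certificate as a dict."""
    context = ssl.create_default_context()  # verifies chain and host name
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Whole days left before the certificate's notAfter date."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def renewal_status(cert, warn_days=30, now=None):
    """Classify a certificate: 'expired', 'renew-now' or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "renew-now"
    return "ok"


def check_site(hostname, warn_days=30):
    """Live check; an already expired or mismatched certificate fails the
    TLS handshake, so that case is reported instead of raising."""
    try:
        cert = fetch_certificate(hostname)
    except ssl.SSLCertVerificationError as err:
        return f"invalid: {err.verify_message}"
    return renewal_status(cert, warn_days)


if __name__ == "__main__":
    # www.example.com is a placeholder; use your own host name.
    print(check_site("www.example.com"))
```

Run it on a schedule (for example daily) so that a silent renewal failure shows up as `renew-now` well before the certificate lapses.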
Secure your site with HTTPS - now
If your website is running on HTTP and not HTTPS then your visitors will see that you haven’t been paying attention, or worse, that your site can’t be trusted. Even though HTTPS is only a minor ranking factor now, the effect on user experience and the dent in your online trust far outweigh any SEO benefits.
Google Chrome is now changing again - this time to remove the green padlock we were all so proud of.
As the number of sites using SSL has increased the need to show "Secure Indicators" has reduced. Google Chrome will continue to show "Insecure Indicators". So, you still need to make sure your site is secure.
Update - 19 October 2019
Google has released a new update on their Security Blog. Google will eventually block any pages with "mixed content".
Mixed content is when a page (usually a secure page) downloads some resources that aren't secured. This could happen when an image loads over http, not https (where s stands for secure).
To check your website – to see if you have any Mixed Content – you can use Lighthouse.
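The "search the page source for http://" check from the testing list and the mixed-content description above can be automated. The following is an added example, not code from the original article: it parses a page and reports only the `http://` URLs that the browser would actually load (images, scripts, stylesheets, frames) or submit a form to, ignoring ordinary links. The sample page and its host names are constructed.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch something (or, for forms,
# send visitor data). <a href> is navigation only, so it is not listed.
FETCHING_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
    "iframe": ("src",), "embed": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "object": ("data",), "form": ("action",),
}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}  # not canonical

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        wanted = FETCHING_ATTRS.get(tag, ())
        if tag == "link":  # <link> only fetches for some rel values
            rels = set(attrs.get("rel", "").lower().split())
            wanted = ("href",) if rels & FETCHING_LINK_RELS else ()
        for name in wanted:
            value = attrs.get(name, "")
            if name == "srcset":  # "url 1x, url 2x" -> one URL per candidate
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
</head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="/logo.png" srcset="http://img.example.com/logo-2x.png 2x">
<iframe src="HTTP://video.example.com/embed/1"></iframe></body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_PAGE), sep="\n")
```

It only sees URLs present in the HTML itself; resources requested by scripts or stylesheets at run time still need a browser-based check such as Lighthouse.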