If the Internet is like a boundless forest, then websites are like cabins. Cozy, fun to visit, but surrounded by snarling wolves.
Securing your website against people who would prey on your data, your visitors, and your customers is incredibly important. And until there’s a way to upload a pair of perimeter-patrolling Dobermans or install the virtual equivalent of motion-activated laser turrets, the first line of defense is a pair of inexpensive acronyms: HTTPS and TLS, the latter still widely known by its old name, SSL.
What are HTTPS and SSL?
HTTP is “hypertext transfer protocol”: the way messages are formatted and transmitted on the World Wide Web. The S in HTTPS stands for secure. When a website is using HTTPS, your communication with that website is encrypted using TLS, “Transport Layer Security”, the successor to the older “Secure Sockets Layer” (SSL) protocol. The SSL name has stuck, so “SSL certificate” and “TLS certificate” mean the same thing. The encryption means the conversation you are having with the website can’t be eavesdropped on or silently altered on the way, and the website’s certificate proves you are talking to the site whose name is in the address bar rather than an impostor.
Why is HTTPS important?
It’s good for users. When a website isn’t secure (using HTTP, not HTTPS) your connection with that website is vulnerable. Data being sent back and forth is unencrypted, and can be easily intercepted. You want a secure connection to a website when you are making online purchases, to protect credit card details, but also on any website that requires users to log in, in order to protect their login and personal details.
It’s good for you. If you’re a website owner, using HTTPS doesn’t just protect your users’ privacy, it protects your site as well. Some Internet service providers and Wi-Fi providers have been found to track what their customers (you) do online and to sell that information to other companies. An unsecured website can also have its code modified in transit, before a user ever sees it: ISPs, hotels, and public Wi-Fi providers have been caught injecting their own ads into other people’s pages.
It’s good for building trust. In the Chrome browser, the words “Not Secure” are displayed in the address bar next to unsecured website names. Even if data isn’t being intercepted, this signals to visitors that your website is not trustworthy.
Why don’t all sites have HTTPS?
As mentioned above, the S in HTTPS stands for secure. To earn that S, your web server has to speak TLS (SSL), and for that it needs a certificate issued by a certificate authority that browsers trust. In the past, there was an annual cost for a certificate, and it was fairly technical to implement.
Today, there are low-cost and free certificate providers (eg. letsencrypt.org), so cost isn’t a barrier. It is, however, still fairly technical to implement and there are plenty of pitfalls: leaving plain HTTP reachable without a redirect to HTTPS, pages that load scripts or images over HTTP (“mixed content”), and certificates that quietly expire. Don’t let your web developer use that as an excuse though; a good one will take the time to learn and do it right.
Is my website already secure?
A quick way to check whether HTTPS is in place is to browse to your website and look at your browser’s address bar. It should look like the image below, with a closed-lock icon and an address beginning with https:// (some browsers hide the https:// prefix until you click into the address bar). The lock only means the connection is encrypted and the certificate matches the site name; it says nothing about whether the site itself is trustworthy.
The lock alone won’t tell you whether HTTPS has been installed properly. Use linksspy.com or, if you’re up to the technical challenge, the server test at ssllabs.com to perform a full evaluation: it grades the configuration and flags problems that need your attention, such as outdated protocol versions, an incomplete certificate chain, or a certificate about to expire.
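The checks those services automate can also be scripted. The following Python script is an added example, not code from the original article or from either of those services. It connects with Python’s standard ssl module, which verifies the certificate chain against the system trust store, then checks that the negotiated protocol is TLS 1.2 or 1.3, that the certificate’s subjectAltName covers the hostname, that it isn’t expired or about to expire, and that plain http:// on port 80 redirects to https://. The hostname example.com is a placeholder, the certificate dictionary used for offline testing is constructed in the shape getpeercert() returns, and the 14-day renewal warning is an assumed threshold rather than a standard.

```python
"""Scriptable HTTPS sanity check (added example, not from the article)."""
import http.client
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional

# Protocol versions a public HTTPS site should still be negotiating.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
RENEWAL_WARNING_DAYS = 14  # assumed threshold, not a standard


def hostname_matches(hostname: str, cert: dict) -> bool:
    """Does the certificate's subjectAltName cover this hostname?

    Uses the browser rule: an exact DNS match, or a wildcard that covers
    exactly one leftmost label (*.example.com matches www.example.com but
    not example.com or a.b.example.com). The Common Name is ignored.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def days_until_expiry(cert: dict, now: Optional[datetime] = None) -> float:
    """Days left before notAfter; getpeercert() gives times like 'Jun  1 12:00:00 2025 GMT'."""
    now = now or datetime.now(timezone.utc)
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) / 86400


def evaluate(hostname: str, cert: dict, version: str,
             now: Optional[datetime] = None) -> List[str]:
    """Return human-readable problems; an empty list means the basics look right."""
    problems = []
    if version not in ACCEPTABLE_VERSIONS:
        problems.append(f"negotiated {version}; only TLS 1.2 and 1.3 should be enabled")
    if not hostname_matches(hostname, cert):
        problems.append(f"certificate is not valid for {hostname}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("certificate has expired")
    elif days < RENEWAL_WARNING_DAYS:
        problems.append(f"certificate expires in {days:.0f} days; renew now")
    return problems


def probe(hostname: str, timeout: float = 5.0) -> List[str]:
    """Live check against a real host (needs network; not exercised offline)."""
    ctx = ssl.create_default_context()  # verifies the chain against the system trust store
    try:
        with socket.create_connection((hostname, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate verification failed: {exc.verify_message}"]
    problems = evaluate(hostname, cert, version)

    # Plain HTTP on port 80 should redirect to https://, never serve the site in the clear.
    try:
        conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        if resp.status not in (301, 302, 307, 308) or not location.startswith("https://"):
            problems.append(f"http://{hostname}/ answered {resp.status} instead of redirecting to https://")
        conn.close()
    except OSError as exc:
        problems.append(f"port 80 check failed: {exc}")
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    for line in probe(target) or ["no problems found"]:
        print(line)
```

Run it as `python check_https.py yourdomain.example` and fix anything it lists; the evaluate() function is deliberately separated from the network code so the same rules can be applied to a certificate you already have on disk or to the output of another tool.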
Which type of SSL certificate do I need?
There are different types of certificates, and many companies to get one from. We always recommend using the provider your website host supports. Free or inexpensive certificates provide the same encryption and the same user experience as pricier options. If your website is for a major brand or does a high volume of online sales, you may be offered an EV (Extended Validation) certificate for $200-$300 per year, which requires the certificate authority to verify your company’s legal identity before issuing it.
Historically, EV certified websites also displayed the company’s name and country of origin next to the lock in the address bar, and some browsers turned the address bar green as another trust signal to the user. Major browsers, Chrome and Firefox among them, dropped that special treatment in 2019, so today the verified company name is only visible if a visitor opens the certificate details.
Our take? The more secure your website, the better. You don’t need to pay a premium for an EV certificate, but as a customer or a website owner you shouldn’t settle for anything less than HTTPS. No wolves allowed.