Why Do I Need Https? Does Https Mean A Website Is Safe?

Google Chrome now labels pages served over plain HTTP as "Not secure" in the address bar, and Google Search treats HTTPS as a ranking signal, so sites without it rank lower. Without HTTPS, visitors will see that warning while browsing your site.

What is HTTPS, and why do you need it?

HTTP stands for Hypertext Transfer Protocol. It is the protocol a web browser and a web server use to exchange requests and responses. Most commonly, it carries the pages, scripts and images that make up a website from the server to the browser.

The problem is that plain HTTP (note: no "s" on the end) is neither encrypted nor authenticated. Anyone on the path between the two systems, such as the operator of a public Wi-Fi hotspot or a compromised router, can read the data being passed, and can also alter it in transit, for example by injecting scripts or advertisements into the page before it reaches the browser.

This can be addressed by using a secure version called HTTPS, where the “S” stands for secure.

This involves a TLS certificate, still widely called an "SSL certificate" after Secure Sockets Layer, the retired predecessor of Transport Layer Security (TLS). The certificate lets the browser verify that it is talking to the server named in the URL; the TLS handshake then establishes the session keys that encrypt the connection between the web server and the web browser.

Without HTTPS, everything passed over the connection is exposed. This matters most on sites where sensitive data crosses the connection, such as e-commerce sites that accept online card payments, or login areas where users enter their credentials, but it matters for every page: a plain-HTTP page can be read and tampered with on its way to the visitor.

How HTTPS Encryption Protects You

HTTPS is much more secure than HTTP. When you connect to an HTTPS-secured server (secure sites like your bank's will automatically redirect you to HTTPS), your web browser checks the website's certificate: that it was issued by a certificate authority the browser trusts, that it has not expired, and that the name in it matches the host in the address bar. This is what lets you trust that, if you see "https://bank.com" in your browser's address bar, you are actually connected to your bank's real server and not to an impostor on the network. The certificate authority that issued the certificate vouches for that binding between the domain name and the server's key.

When you send sensitive information over an HTTPS connection, no one on the network between you and the server can read it or silently modify it in transit. HTTPS is what makes secure online banking and shopping possible.

It also adds privacy to ordinary web browsing. For example, Google's search engine now defaults to HTTPS, so an observer on the network cannot see what you are searching for on Google.com. The same goes for Wikipedia and other sites. Over plain HTTP, anyone on the same Wi-Fi network, as well as your Internet service provider, could read your searches. Note that an observer can still tell which site you are talking to, since the hostname and the volume of traffic are not hidden; what is hidden is the pages, queries and form data you exchange with it.

What’s the process for switching to HTTPS?

If you are familiar with the backend of a website, switching to HTTPS is fairly straightforward in practice. The basic steps are as follows.

  • Obtain a TLS certificate (still commonly called an "SSL certificate") for your domain. Your hosting company can supply one, and certificate authorities such as Let's Encrypt issue them free of charge. A dedicated IP address is no longer required, because every modern browser supports Server Name Indication (SNI), which lets one address serve many certificates.
  • Install the certificate and its private key on the server and configure TLS. Keep the private key readable only by the web server process.
  • Perform a full back-up of your site before changing anything, in case you need to revert.
  • Change any hard-coded internal links within your website from HTTP to HTTPS, or make them relative so they follow the page's own scheme.
  • Update references to code libraries, such as JavaScript, Ajax endpoints and third-party plugins, so they load over HTTPS. A script or stylesheet loaded over HTTP on an HTTPS page is "mixed content", and modern browsers block it.
  • Update any external links you control, such as directory listings, to point at HTTPS.
  • Update your web server configuration, whether Apache (.htaccess or the virtual host), LiteSpeed, NGINX or IIS on Windows, to redirect all HTTP traffic to HTTPS.
  • If you are using a content delivery network (CDN), update your CDN's TLS settings so that the CDN both serves your visitors and fetches from your origin over HTTPS.
  • Implement 301 (permanent) redirects on a page-by-page basis, so that each old HTTP URL lands on the same page over HTTPS rather than on the home page.
  • Update any links you use in marketing automation tools, such as email links.
  • Update any landing pages and paid search links.
  • Set up the HTTPS site as a new property in Google Search Console and update Google Analytics.
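The two things that most often go wrong after the steps above are leftover http:// references in the pages (mixed content) and redirects that are not permanent or do not preserve the path. The following script, added here as an illustration and not part of the original article or of any DBWebs tooling, checks both against a constructed sample page and a constructed redirect response. The hostnames www.example.com and cdn.example.net and the HTML are made up for the example; point find_http_references at your own fetched pages.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Attributes through which a page pulls in resources or sends the user elsewhere.
URL_ATTRS = {"src", "href", "action", "data", "poster"}


class HttpReferenceScanner(HTMLParser):
    """Collect every reference that would still be fetched over plain HTTP
    once the page itself is served from `page_url` over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Resolve relative and protocol-relative ("//cdn...") URLs against the
            # HTTPS page URL; only absolute http:// references come out as http.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme != "http":
                continue
            # A navigation link only costs an extra redirect hop; a subresource
            # (script, stylesheet, image, form target) is mixed content, which
            # modern browsers block or refuse to upgrade.
            kind = "navigation" if tag in ("a", "area") and name == "href" else "subresource"
            self.findings.append({"tag": tag, "attr": name, "url": resolved, "kind": kind})


def find_http_references(page_url, html):
    scanner = HttpReferenceScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def check_redirect(status, headers, requested_url):
    """True if an HTTP request for `requested_url` was answered with a permanent
    (301) redirect to the same host, path and query on HTTPS."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location")
    if status != 301 or not location:
        return False
    req = urlsplit(requested_url)
    tgt = urlsplit(urljoin(requested_url, location))
    return (tgt.scheme == "https" and tgt.netloc == req.netloc
            and tgt.path == req.path and tgt.query == req.query)


# Constructed sample page, as a site might look right after the certificate is
# installed but before the links are cleaned up (not taken from any real site).
SAMPLE_PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://cdn.example.net/old.js"></script>
</head><body>
<img src="/img/logo.png">
<a href="http://www.example.com/about">About</a>
<form action="https://www.example.com/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for f in find_http_references(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['kind']:11} <{f['tag']} {f['attr']}> {f['url']}")
    print(check_redirect(301, {"Location": "https://www.example.com/about"},
                         "http://www.example.com/about"))
```

On the sample page the scanner reports the stylesheet and the old.js script as subresources (the ones a browser will block) and the About link as a navigation; the protocol-relative CDN script and the root-relative image resolve to HTTPS and are not reported. check_redirect rejects a 302, and rejects a redirect that sends every page to the home page, which is the common shortcut that loses search rankings.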

If you are not technically adept, you will probably need assistance with the above steps.

It's worth pointing out that, for a small site, say fewer than 50 pages, this process won't take long. For larger sites, however, the full update of links and page redirects should be performed by an experienced developer.

However, a secure connection does not mean a secure site

HTTPS is not a web application firewall. It will not stop your website being hacked through a vulnerability in its own code, and it will not stop phishing emails being sent, either.

The lock icon (green in older browsers, grey in current ones) means that the site has been issued a certificate for its domain name, holds the private key that matches it, and encrypts the information transmitted between you and the site. In this case, the page URLs begin with https, where the final "s" stands for "secure".

Sure, encrypting transmitted data is a good thing. It means that information exchanged between your browser and the site is not accessible to third parties on the network: ISPs, network administrators, intruders on the same Wi-Fi, and so on. It lets you enter passwords or credit card details without worrying about prying eyes along the way.

But the problem is that the green lock and the issued certificate say nothing about the site itself. A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it.

Put simply, all the lock ensures is that no one else on the network can spy on the data you enter. But your password can still be stolen by the site itself if the site is fake.

Phishers make active use of this: According to Phishlabs, a quarter of all phishing attacks today are carried out on HTTPS sites (two years ago it was less than 1 percent). Moreover, more than 80 percent of users believe that the mere presence of a little green lock and the word “Secure” next to the URL means the site is safe, and they don’t think too hard before entering their data.

How not to fall for the bait

To sum up, the presence of a certificate and the lock icon means only that the data transmitted between you and the site is encrypted and that the certificate was issued by a trusted certificate authority for that domain name. It doesn't prevent an HTTPS site from being malicious, a fact that phishing scammers exploit with great skill.

The presence of HTTPS by itself is no guarantee that a site is legitimate. Phishers know that people look for the HTTPS indicator and the lock icon, so they take the trouble to get a certificate too. A certificate authority checks only that the applicant controls the domain named in the certificate; scammers can get a valid certificate for any domain they register, and are only prevented from getting one for a domain they don't control. So you should still be wary: don't click links in phishing emails, or you may find yourself on a cleverly disguised page. You may see an address like https://google.com.3526347346435.com. In that case you are using an HTTPS connection, but you are really connected to a subdomain of a site named 3526347346435.com, not Google. Browsers and certificate authorities read a domain name from the right, so the part that matters is the registered domain just before the first slash, not whatever familiar name has been placed in front of it.

Other scammers have imitated the lock icon by setting their website's favicon to a padlock, which older browsers displayed right next to the address. Current browsers keep the page's own icon away from the security indicator, but the lesson holds: trust only the browser's own indicator, never anything drawn by the page, and keep an eye out for such tricks when checking your connection to a website.

So always be alert, no matter how safe the site seems at first glance.

  • Never enter logins, passwords, banking credentials, or any other personal information on a site unless you are sure of its authenticity. To do so, always check the domain name, and check it very carefully: the name of a fake site might differ from the real one by only one character, or hide the real name in front of a domain the scammer owns. And make sure a link is reliable before clicking it.
  • Always consider what a particular site is offering, whether it looks suspicious, and whether you really need to register on it.
  • Keep your devices and browsers up to date and well protected.
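The domain checks described above, the "google.com.3526347346435.com" trick and the one-character-off name, can be made mechanical. The script below is an added example, not part of the original article or of any DBWebs product; it shows which registered domain a URL really connects to and flags lookalikes of a constructed list of trusted sites (google.com and bank.com from the text, plus wikipedia.org). Two simplifications are assumptions for the example: the registered domain is taken as the last two labels, where a real browser consults the Public Suffix List, and the internationalized-name check goes slightly beyond the article by also flagging non-ASCII or "xn--" labels, since letters from another alphabet are the one-character difference that is hardest to see.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user actually has accounts with (an assumption
# for this example; a real tool would compare against the user's own bookmarks).
TRUSTED_SITES = ("google.com", "bank.com", "wikipedia.org")


def registrable_domain(host):
    """The part of a hostname that the certificate holder actually registered.
    Simplification: the last two labels. Real browsers use the Public Suffix
    List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url):
    """Report which site a URL really connects to and whether its name is a lookalike."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    site = registrable_domain(host)
    report = {"host": host, "site": site, "https": parts.scheme == "https"}

    # The registered domain is what the certificate vouches for; the labels in
    # front of it (www., accounts., google.com.) are chosen by the domain owner.
    if site in TRUSTED_SITES:
        report.update(verdict="trusted", reason=f"you are really talking to {site}")
        return report

    # Internationalized labels may contain letters that look identical to ASCII ones.
    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        report.update(verdict="lookalike",
                      reason="internationalized label; letters may come from another alphabet")
        return report

    for trusted in TRUSTED_SITES:
        if trusted in host:
            report.update(verdict="lookalike",
                          reason=f"'{trusted}' is only a subdomain or fragment of {site}")
            return report
        distance = edit_distance(site, trusted)
        if distance <= 2:
            report.update(verdict="lookalike",
                          reason=f"{site} is {distance} edit(s) away from {trusted}")
            return report

    report.update(verdict="unknown", reason="not a site you trust; decide before entering anything")
    return report


if __name__ == "__main__":
    for u in ("https://www.bank.com/login",
              "https://google.com.3526347346435.com/signin",
              "https://goggle.com/",
              "http://bank.com/"):
        r = assess_url(u)
        print(f"{r['verdict']:9} https={r['https']!s:5} host={r['host']}: {r['reason']}")
```

The https flag is reported separately from the verdict on purpose: http://bank.com is the real site over an unprotected connection, while https://google.com.3526347346435.com is a perfectly encrypted connection to the wrong site. Both are problems, and they are different problems.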


We Wish Your Business Every Success.

DBWebs Best Web Design COMPANY

Robert Lee is Senior Web Developer at DBWebs. He has worked as a full-stack web developer, responsible for end-to-end web application development and cloud engineering, for about eight years, and has a solid foundation in Linux server administration and network security.