It’s an ever-looming question. Is HTTP sufficient for a website, or should site owners use HTTPS instead? Google has been pushing for all websites to migrate to HTTPS, but what is their reason for this stance? To answer these questions, we should first look at what HTTP and HTTPS are, and what separates them from one another.

Base comparison between HTTP and HTTPS.

HTTP stands for Hypertext Transfer Protocol, and it is the basis of all data communication on the Web. In HTTP, the client (the user’s web browser, for instance) makes a request to the web server, which in turn responds with the requested content and any other relevant information. HTTP resides in the application layer and relies upon underlying transport protocols such as Transmission Control Protocol (TCP) to work.

HTTPS adds an extra layer of security to HTTP by using either Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). This security layer provides encryption, which keeps the data traveling in both directions between the client and the server confidential; data integrity, which ensures the data cannot be corrupted or altered during transmission without being detected; and authentication, which verifies that users are communicating with the intended website. These three major features make HTTPS essential for all websites that handle sensitive data such as passwords and billing information.

Because HTTP lacks the security of HTTPS, it is vulnerable to attacks in which someone with malicious intent intercepts the data packets before they reach their destination and gains access to private user information. HTTP websites can also be made to harbor intrusive ads, which degrade the user experience, or even malware, which, if let loose onto a user’s computer, can cause major problems.

HTTP websites now marked as “not secure.”

Due to these concerns, Google has implemented a new policy in which Chrome flags all non-HTTPS websites as insecure to warn users of the potential risks of using unencrypted websites. This change tentatively began in 2014, when a member of Chrome’s security team proposed flagging HTTP websites as insecure; implementation of the policy began in January 2017. Starting in October 2017, Chrome’s “not secure” warning will appear in the URL bar when a user enters data on an HTTP page, and on all HTTP pages while in Incognito mode.

The thought process behind this new policy is simple: anyone able to “snoop” on the network connection through an unencrypted transmission can steal passwords, private messages, and other sensitive data, making a secure alternative a necessity. Switching to HTTPS makes data transmissions secure and ensures that the user is connected to a valid website and not a harmful one. Being connected to such harmful websites is another valid concern, as people with malicious intent can set up a fake website that looks very much like the real one and use it to trick unsuspecting users into revealing private information.

Having your website marked as “non-secure” by Google can also affect your user engagement in a negative manner. A customer or visitor who sees that the site is not secured is less likely to stay on the site, especially if he or she intends to make a purchase or some other transaction that requires personal data. Yet another reason Google has cited for making the switch to HTTPS is that sites using it typically have significantly better loading speeds than those that do not have HTTPS. This factor can also affect search ranking, although Google has stated that it carries much less weight than other factors, such as high-caliber content. That being said, Google is working to make SSL a factor in their ranking algorithm down the line.

Results of a SEMrush study.

Switching to HTTPS can be accomplished through a few simple but important steps to ensure that your web traffic doesn’t suffer from the switch. First, you should decide the type of certificate your site will need: single, multi-domain, or wildcard. Second, you’ll need to create a 2048-bit public/private key pair, which will handle the encryption/decryption process. Next, you must generate a certificate signing request (CSR), which will embed your public key. Then, you will need to submit your CSR to a certificate authority via their preferred method (online form, email, etc.). To complete the conversion to HTTPS, you must then install your certificate in a non-web-accessible place on your servers. You should also update your robots.txt file to ensure that your web pages will be crawled by search engine bots.
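
The key-pair and CSR steps above, as an added example that is not part of the original article. It uses the OpenSSL command line; the domain example.com, the output directory, and the function names are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: key pair and CSR for a hypothetical site (example.com).
set -eu

make_csr() {   # usage: make_csr <domain> <outdir>
    domain=$1; outdir=$2
    mkdir -p "$outdir"
    (
        umask 077   # private key must be readable by its owner only
        # Step 2: 2048-bit RSA private key; the public key is derived from it.
        openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    )
    # Request config: subject plus subjectAltName, which browsers match
    # against the hostname. Covers the bare domain and www (constructed).
    cat > "$outdir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
    # Step 3: CSR that embeds the public key and is signed by the private key.
    openssl req -new -sha256 -key "$outdir/$domain.key" \
        -config "$outdir/csr.cnf" -out "$outdir/$domain.csr"
}

pub_digest() {   # SHA-256 of a DER-encoded public key read from stdin (PEM)
    openssl pkey -pubin -outform DER | openssl dgst -sha256
}

check_csr() {   # succeeds only if the CSR is 2048-bit and matches the key
    domain=$1; outdir=$2
    openssl req -in "$outdir/$domain.csr" -noout -text | grep -q '2048 bit' || return 1
    csr_pub=$(openssl req -in "$outdir/$domain.csr" -noout -pubkey | pub_digest)
    key_pub=$(openssl pkey -in "$outdir/$domain.key" -pubout | pub_digest)
    [ "$csr_pub" = "$key_pub" ]
}

demo_dir=$(mktemp -d)
make_csr example.com "$demo_dir"
check_csr example.com "$demo_dir" && echo "CSR ready to submit: $demo_dir/example.com.csr"
```

Only the `.csr` file is sent to the certificate authority; the `.key` file stays on the server and is never submitted or placed under the web root.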

All this information might seem a bit overwhelming, but fear not. Mitro Digital Marketing employs trained professionals who are adept at keeping up with current internet trends and working with the latest internet technology. We can easily switch your website from HTTP to HTTPS so you can offer your customers and visitors the safest and most immersive experience possible!