Moving to HTTPS By Default
The Jake Group team has an exciting announcement that will provide even greater value to any of the websites we host. From here on out, any website that is launched and hosted by Jake Group will include an SSL certificate and be using HTTPS protocol by default.
HTTPS/SSL Basics
So, what are HTTPS and SSL anyway? It has something to do with that little green lock thingy that displays next to my website address, right?
Well, yes. The HTTPS in a URL indicates the presence of secure socket layer encryption on a web page (SSL). When you go to load a web page in your browser, a variety of data is sent back and forth between your computer and the web server hosting the website. Under standard HTTP protocol, that data is sent as plain text — in other words, readable by anyone who happens to be watching for it.
An SSL certificate enables encryption of those transmissions making it nearly impossible to read that data as it flows between your computer and the web server. You don’t see any difference other than the little lock icon or green address bar that may display in your browser window. But to anyone trying to snoop, you’ve made it difficult to capture any useful information.
You are probably familiar with SSL-enabled interfaces from online stores. Any legitimate interface processing online transactions such as credit card payments will use SSL and have an HTTPS URL — if it doesn’t, flee that site immediately! Login pages for Intranets or personal content tend to utilize SSL as well.
However, it has not always been a priority to apply SSL across the board to website traffic in general. In fact, even many online stores have limited their application of SSL to shopping cart and checkout pages, as opposed to the overall store website.
The Case for HTTPS By Default
Today, this is changing. Only a cursory look at the news reveals online security is increasingly important. For this and variety of other reasons, HTTPS is moving towards becoming the standard for web hosting configurations.
Here are some of the factors at play:
- Risk of hacking: Running a simple marketing-oriented website may give you the sense you won’t find yourself in the cross hairs of hackers. Think again. Just because you are not processing credit cards or don’t believe your data is particularly sensitive doesn’t mean hackers won’t seize upon lax security to leverage your site for attacks on higher profile targets, distribute malware, or spy on the behavior of your users.
- Website growth: Many sites start out as a simple information site with limited traffic. But over time the site may evolve into something more, and it’s not always clear when that happens. Being prepared for evolving security needs is important because it allows you to focus on the purpose and goals of your web properties rather than the security and logistics.
- Search engine rankings: Google makes it known that sites using HTTPS protocol receive a minor ranking preference when it indexes sites for content. That means, all things being equal, your HTTPS site will rank higher than an competitor without HTTPS. For more on this topic, check out https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html.
- Instilling confidence: In addition to providing real security benefits, there is also an advantage to making your users AWARE that your site is secure. As privacy and security issues receive more media attention, the security assurances implicit in the lock icon appearing next to your URL will help your users feel more confident about interacting with you online.
-
A standard HTTP site using Chrome’s ‘non-secure origins’ flag Future non-SSL warnings in browsers: If none if the above resonates, here is something that should. Two of the three most popular web browsers, Chrome and Firefox, have announced plans to actively mark sites not using HTTPS as non-secure. That means when a user visits your HTTP URL, the browser will display a warning such as a distressing Red X over a lock beside the address. In other words, only properly secured sites will be given a positive designation; everything else including plain HTTP will include a warning of some sort. Chrome already allows users to customize browser settings to do this. It is likely only a matter of time until this becomes the default.
SSL Costs
One factor discouraging SSL in the past has been the cost. An SSL certificate could cost upwards of $1,000/year. When juxtaposed with cut rate hosting offerings from bulk hosting providers running less than $50/year, it may have seemed an unnecessary cost for non-transactional websites.
Now SSL certificates routinely are sold for less than $100/year, making it far more affordable for the average website owner to invest in this important security measure. In addition, the movements promoting ubiquitous SSL on the web are developing new ways to set up HTTPS certificates that may prove even cheaper and in some cases even more secure.
Here at the Jake Group we recently converted our own website to HTTPS by default, and we’re excited to offer the same enhanced security to our clients. Future projects will include an SSL configuration as a matter of course, but if you are interested in upgrading your current site or just learning more, please contact us!
For more information:
- HTTPS as a ranking signal, Google Webaster Central Blog
- Google Chrome gets ready to mark all HTTP site as ‘bad’, ZDNet.com
- Deprecating Non-Secure HTTP, Mozilla Blog
- Let’s Encrypt, ‘free’ SSL certificates in public beta