Back in 2018, Google’s Chrome browser version 68 was released. Along with the regular spate of bug fixes and UI changes, they implemented one big new feature: any website that was not using https would show as Not Secure in the browser bar. With approximately 56% of the market share for web browsers, any change that Google makes will be felt by the majority of web users. The effect was exactly what Google wanted: Any site that was still using http was immediately thought to be a security risk, and website owners were inundated with calls from visitors wondering if their favorite websites had been hacked.
Google, along with other organizations like Mozilla and Let’s Encrypt, is pushing to fully encrypt the internet. Rather than risk any data being picked up by attackers, they (and we!) want all traffic encrypted. Even if you’re not sending sensitive information like passwords, the content of your browsing can be intercepted and read, and hackers can use that to build a profile of your activity to use against you.
https vs http is the difference between a postcard and a certified letter. With a postcard, anybody who sees the card can read what’s on it and see where it’s going. With a certified letter, even if someone sees the envelope in transit they don’t know what’s inside and when it gets to you, you can be sure it’s from the right person.
What is the difference between http and https?
http stands for HyperText Transfer Protocol. This protocol has been around almost as long as the internet, and it’s the standard by which web pages are transmitted and displayed. The S stands for Secure. What makes https secure is an SSL certificate.
SSL works by using a pair of keys, one public and one private. The private key is stored on the server, hidden from the world. The public key is stored in a trusted public repository. There are only a handful of trusted repositories in the world and they are closely guarded to make sure that the public keys they store are legitimate and worthy of being trusted. The two keys are linked in such a way that any data that’s encrypted with one key can only be decoded with the other.
When you try to load a site over https, the first thing your computer does is verify that the server you think you’re talking to is actually the server you want to be talking to. The server sends a message to your computer that it encodes with its private key. Your computer finds the public key and uses that to decode the message. If it’s what is expected the site will load.
If somehow you’ve ended up at a malicious server pretending to be your intended destination, your computer will display a big warning that the SSL certificate doesn’t match and you should leave immediately.
Once the identity of the web server is verified, the SSL certificate is then used to negotiate a unique encrypted connection to your computer. This is done in a way that only your computer can decode the data from the site, and only the web server can decode data sent back (such as passwords or credit card numbers).
So why don’t all sites use https?
Back in the old days when the internet was young, computers and web servers had limited processing power, and bandwidth was very small compared to what we have now. The process of checking keys and establishing encrypted connections requires both the computer and the server to run through a procedure that requires a large amount of processing power compared to an http connection, and encrypted sessions require more bandwidth. With modern computers and internet infrastructure these differences are trivial, but 30 years ago this represented a significant performance gap. It was believed that most information wasn’t sensitive enough to warrant encrypting, so the lower resources of http were preferred. For website owners there was a significant technological and monetary cost to implementing an SSL certificate as well, so unless there was a reason to use https, older sites largely were left to use http.
Fast forward to today and the landscape looks very different from where it was even just 5 years ago. The internet has sped up significantly, and processors on computers and mobile devices are much better equipped to handle the cryptographic processes. The connection that used to take a long time to complete is now done in the blink of an eye.
There are now multiple companies like Let’s Encrypt that provide free SSL certificates to websites that meet certain very basic requirements, so nowadays there’s no excuse left to not have a valid SSL certificate.
In a word: NO! SSL certificates encrypt the traffic while it’s moving across the internet. If you send your password over http and a hacker intercepts it that way, the bad guy can get into your site easily and cause trouble. But thanks to the advent of https (especially for login pages) this represents a fairly small percentage of vulnerabilities. What’s much more common is a vulnerability in the site’s code. All it takes is one line of code that allows a hacker to exploit it and the whole site is at risk, regardless of whether or not you’re using https. With modern platforms like WordPress there are routine updates, and anytime a vulnerability is found it’s patched and the patch is released to the world as soon as it’s ready. Keeping your site’s software up to date (including plugins and themes) is paramount to keeping your site protected. For most systems like WordPress there are security plugins as well that will keep watch over your site and help protect against attacks.
Websites are active pieces of software. Ideally you’ve got a lot of visitors coming to see your site, and unfortunately that means bad guys are coming too. Regular checkups to make sure the software is up to date and that your security is tight are what’s needed to protect you.
Your SSL certificate protects your visitors coming in the front door, but you need to make sure the back door is locked too!
Having a valid SSL certificate is just the first step. Most web servers will respond to both http and https, and they’ll display the same site either way. If the website isn’t set up to direct traffic to https, you may see the http version and then your visitors will see Not Secure in the URL bar. Browsers also check all of the content of your site, so even if the page is loading over https, an image or a script loading over http will get you a broken lock instead of showing as totally secure. This is better than Not Secure, but still something your visitors will notice. Google has recently announced plans to start forcing mixed content to https and displaying a warning when it can’t, or worse, not displaying the content at all, so now it’s more important than ever to make sure 100% of your site is running over https. Depending on the type of site you have, it may be a simple fix to change everything over to https. Sometimes it will require going through the code and the database to find all of the links and resources that are using http and switch them over. If you’re not sure how to do this, get a web developer involved.
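One way to find the http resources described above is to scan a page's HTML for subresources that still load over http. This is an added example, not code from the original article; the example.com URLs and the sample page are constructed, and the split into "blockable" (scripts, stylesheets, frames) and "upgradeable" (images, audio, video) follows how browsers treat mixed content.

```python
from html.parser import HTMLParser

# Active content: browsers refuse to load these over http on an https page.
BLOCKABLE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
# Passive content: browsers try to upgrade these to https or show a broken lock.
UPGRADEABLE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every http:// subresource in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        # <link> fetches a subresource only for some rel values; a canonical
        # link pointing at http:// is an SEO issue, not mixed content.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        for attr, url in attrs.items():
            if not url.lower().startswith("http://"):
                continue  # https:// and protocol-relative // URLs are fine
            if (tag, attr) in BLOCKABLE:
                self.findings.append(("blockable", tag, url))
            elif (tag, attr) in UPGRADEABLE:
                self.findings.append(("upgradeable", tag, url))


def scan(html):
    """Return the list of mixed-content findings for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, assumed to be served from https://example.com/.
SAMPLE = """
<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/theme.css">
<script src="https://example.com/app.js"></script>
<script src="HTTP://cdn.example.net/slider.js"></script>
</head><body>
<a href="http://example.org/">a plain link is navigation, not mixed content</a>
<img src="http://example.com/logo.png">
<img src="//cdn.example.net/banner.png">
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:12} <{tag}> {url}")
```

Blockable findings are the ones to fix first, since a script or stylesheet that the browser refuses to load can break the page outright.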
Beyond protecting your visitors, you want to make sure visitors can find you, and https plays a role there too. Google has started to penalize sites that use http and rank them lower in search results. Simply making the switch keeps you from getting that penalty and dropping down in the list when people try to find you, or leaving the first page entirely! On a technical level, the http and https versions of the site are actually two different things, and splitting that traffic up affects your search ranking as well, since it’s like having two sites with virtually identical content. Trackers like Google Analytics will also interpret these sites as different, so if you’re looking at your traffic you may not be getting the whole picture if both versions are visible.
A properly implemented SSL certificate is essential to protecting your visitors and keeping your site visible in search engines. Many hosting companies like Mosaic Data Services offer free SSL certificates as part of their hosting plans now, and if you’re not sure how to make your site use the certificate you’ve got just ask our developers and we’ll be happy to help out.
SSL is just one tool that you can use to bring visitors to your site and keep you protected, but it’s a critical tool that your site needs. Reach out to us today by clicking the live chat button down on the right to have us check your site and see how we can help protect your site and use our expertise to help grow your online presence.
We have seen websites of all shapes and sizes, from brilliant to completely dysfunctional. Your site may live solidly in the middle of the bell curve in this regard; however, that doesn’t mean your site couldn’t stand to benefit from some amount of modernization. Just like all other technology, the technology of websites is constantly evolving and changing. Oftentimes, elements of a site which were highly effective when a site was built lose their effectiveness over time, and depending on the nature of your business, you may not even realize how significantly even a small issue can affect your business.
While it may be difficult to fully comprehend and validate the decision to move forward and modernize, it is important to keep in mind that time flies as it relates to technology and user expectations fly right along with it. Your website is a 24-hour, 7-day a week representation of your organization online. It needs to properly showcase your brand, your message and your mission. It should drive results, rather than hinder your efforts.