As more information is shared over the internet, the risk to users' privacy has equally grown in recent years. A safe future for the web is now more critical than ever before. Every unencrypted HTTP request exposes information about a user’s behavior.
HTTPS (HyperText Transfer Protocol Secure) is the internet standard for secure communication via a web browser. HTTPS uses a security layer called SSL (Secure Sockets Layer) to add end-to-end encryption, enabling only your computer and the web server you’re contacting to decipher the data.
In 2010, Google introduced HTTPS by default for Gmail and encrypted search, with other leading communication sites adopting the same the following year. After almost eight years of HTTPS adoption, we’ll take a look at some facts that debunk common myths about HTTPS.
Much of the discussion on HTTPS is centered on encryption. HTTPS also delivers two other important benefits: authentication and data integrity.
A quick recap:
Authentication: answers the basic question of “Am I talking to who they claim to be?”. Successful decryption proves that you are communicating with the right server. The visitor is talking to the “real” website and not to an impersonator or through a “man-in-the-middle”.
Data integrity: ensures that data is not modified in transit, meaning no changes can be made without detection.
Encryption: means that there is end-to-end communication with each of the servers and that no third party can “listen in” to your conversations, track your activities, or steal your information. This guarantees privacy. Here, the visitor’s connection obscures URLs, cookies, and other sensitive metadata.
To put matters in perspective, HTTPS encrypts nearly all information sent between a client and a web service, while an unencrypted HTTP request reveals not just the body of the request, but the full URL, query string, and various HTTP headers about the client and request.
In 2014, Google confirmed the impact of HTTPS on SERPs by stating:
“We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1 percent of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS.”
Research carried out by Backlinko in 2016 found that HTTPS has a reasonably strong correlation with first-page Google rankings. These findings are supported by a recent SEMrush ranking factors study that discovered that 65% of domains ranking for high-volume keywords are HTTPS.
We can’t know when Google will boost HTTPS as a key ranking signal, but what we are sure of is that, if you migrate to HTTPS, your search rankings won’t dip owing to a missing security certificate.
A common misconception is that HTTPS is only for major communication or high-traffic websites. With the evolving threat environment, HTTPS is key for every site on the web. In September 2016, Google announced plans to start marking non-HTTPS sites as insecure in the Chrome browser, especially pages that require sensitive information from users or credit card details. This will roll out over time until eventually all HTTP pages will be marked as non-secure with a red warning triangle.
Chrome and other browsers have removed important features like Geolocation, getUserMedia(), HTTP/2 and push notifications for web properties without HTTPS and will soon remove AppCache and Encrypted Media Extensions from HTTP.
With these developments, HTTPS is a must-have for all websites committed to providing a good user experience.
A common concern among website owners is that the HTTPS green padlock is associated with a heavy financial investment and that going secure can therefore be deferred to the future. To deploy HTTPS, an SSL certificate will be required. Certificates are now available at lower costs, with some available for free through projects dedicated to migration to HTTPS. Let’s Encrypt will begin issuing wildcard certificates in January of 2018 with the ambitious goal of accelerating the web’s progress towards 100% HTTPS. A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.
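A practical caveat when planning around a wildcard certificate, shown as an added example (not code from the original article or from Let’s Encrypt): `*.example.com` stands for exactly one label, so it covers `www.example.com` but not the bare `example.com` or a deeper name such as `api.eu.example.com`. The function names and the host inventory are hypothetical, and the matcher assumes the strict rule that `*` must be the whole left-most label.

```python
def _labels(name: str) -> list:
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def name_covers(san: str, hostname: str) -> bool:
    """True if one certificate DNS name (exact or wildcard) covers hostname."""
    pat, host = _labels(san), _labels(hostname)
    if len(pat) != len(host) or "" in host:
        return False  # a wildcard stands for exactly one label, never zero or two
    if pat[0] == "*":
        # Strict policy (assumption): "*" is the whole left-most label and is
        # followed by at least two fixed labels, which rejects "*.com".
        if len(pat) < 3 or "*" in "".join(pat[1:]):
            return False
        return pat[1:] == host[1:]
    if "*" in san:
        return False  # partial wildcards such as "w*.example.com" are refused
    return pat == host


def uncovered(sans: list, hostnames: list) -> list:
    """Hostnames that no name on the certificate covers."""
    return [h for h in hostnames if not any(name_covers(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed inventory for a hypothetical example.com deployment.
    sites = ["example.com", "www.example.com", "shop.example.com",
             "api.eu.example.com"]
    # A lone wildcard leaves the apex and the two-level name without a match.
    print(uncovered(["*.example.com"], sites))
    # Listing the apex and a second wildcard closes both gaps.
    print(uncovered(["*.example.com", "example.com", "*.eu.example.com"], sites))
```

Running the same check against the names you actually serve, before requesting the certificate, shows which extra names must be listed on it.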
You will need to configure Transport Layer Security (TLS) on your server, which calls for some man-hours to manage the migration. In general, the long-term benefits outweigh the costs.
HTTPS adoption has increased, and it is now the gold standard of basic security on the web today. When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from a modern website.