Switch to HTTPS with an SSL Certificate

Recent years have witness a move to almost universal adoption of SSL across the web, driven in part by Google’s increasingly apparent intentions to begin actively favouring websites that deliver their pages via HTTPS.

SSL (Secure Socket Layer) is a method for connecting two end-points across the internet, typically a server and a website visitor’s browser. Through an exchange of keys an encrypted connection is established allowing data to be sent securely and privately between the two points. SSL certificates also carry with them information about the website owner, certifying the identity of the sending server. This helps prevent the pages a website sends you from being spoofed or tampered with along the way without your knowledge – mitigating so called man-in-the-middle attacks.

Most banks and e-commerce websites have had SSL protection for years and visitors have become accustomed to seeing the padlock icon in their browser address bars.

But it’s fair to say that until relatively recently the rest of the web has seen slower adoption. Cost and the technical know-how to get an SSL certificate installed correctly are probably the two main barriers. While around £150 to provision a basic certificate and cover a couple of hours developer time are fairly insignificant commitments for larger sites, for smaller ones that might be the same as they spend on hosting and support for the year. If your website isn’t critical to your business then it may be hard to justify this cost.

Google’s push to SSL

But if you are serious about your online presence then you might want to read the tea leaves in what Google has been saying about SSL over the past few months. In September 2016 Google announced that Chrome would start to mark non-secure pages containing password and credit card input fields as Not Secure in the URL bar by the end of January 2017.

“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the same red triangle that we use for broken HTTPS.”

Proactive webmasters and SEOs have been quick to pick up on these cues and there is a growing consensus that, all else being equal, a site whose pages are delivered securely via HTTPS would rank higher than one which is not.

If your website includes a shop or forms through which visitors submit personal information, ensuring those connections are secure makes a lot of sense and may even be a requirement of your payment gateway. Not only are you offering meaningful security for your customers but you’re also sending them a positive signal that you care about their privacy. As a result you should see the benefit in lower abandonment rates on your checkouts and forms.

Your SSL Options

But before you jump in and make the switch there are a couple of things to be aware of. The first is that not all SSL certificates are created equal. The reputation of the authority you source your certificate from and the level of identity verification you go through will both determine the level of ‘trust’ that a browser and your visitors will have for your site. Extended Validation certificates (which give you the green padlock and company name in a visitor’s browser bar) are the gold standard of SSL certificates, but come with a price tag to match, costing upwards of £400 per year from an authority like GlobalSign. A more basic Domain Validation certificate can be set up in minutes for as little as £50. Because you don’t go through the same rigorous identification process the level of trust this certificate receives is slightly lower. While a padlock will display in the browser bar your business name won’t be shown or highlighted in green. However in practical terms your site is protected by the same level of strong SSL encryption. There can also be an additional cost if you need to secure sub-domains such as something.yourdomain.com along with your main domain. Either you’ll need extra individual certs for each sub-domain or a Wildcard that will cover anything.yourdomain.com

When it comes to getting your certificate installed and your website configured to deliver pages via https this is probably the point for your developer to step in. To retain the full trust that your certificate offers you need to ensure not only that all the resources from your own domain are loading via https, but that all the external assets that the site calls upon, such as fonts and third-party code libraries, are too. If your site wasn’t originally configured this way you might need to budget a couple of hours for the necessary tinkering. Purchasing the certificate itself is probably most easily done through your hosting provider. This ensures compatibility with your serving environment and installation is usually included in the price.

Make the switch

Now is a good time to get ahead of the curve on making the switch to HTTPS. This relatively simple change offers genuine benefits to your website users and moves us all one step closer to a more secure web.