Do I need SSL, HTTPS on my website?

Google has announced that as of July 2018, Chrome version 68 will mark all sites that do not have an SSL certificate as “non secure.” See Google Developer Blog.

What does this mean to you and your website?  How can you get an SSL certificate? Do you really need one?

Many of our clients have been moved to SSL and all our new websites are automatically set up with SSL. But what does it mean to be marked “Not Secure?”  The image below from the Google Developer site shows how the URL bar will look for websites that do not have a valid SSL certificate.

Some sites that have this “non secure” warning may not be available to Chrome users.  The other browsers are expected to follow suit with future updates. This is a warning screen in Firefox:

Common Questions We Get About SSL and Its Impact

I thought SSL (HTTPS) was only needed for sites with forms or that take payment?

Previously, Google only marked pages without encryption that collect passwords and credit cards. Then they started showing a “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode. But starting in July, all sites without encryption will be marked “non secure.”

Why are browsers moving toward requiring an SSL certificate?

When a valid SSL certificate is applied to a website, it prevents intruders from tampering with the communications between your website and your users’ browsers. These intruders are usually malicious attackers trying to inject advertisements into websites that break the user experience and create security vulnerabilities. The attackers exploit unprotected communications and try to trick users into giving up sensitive information or installing malware. They can exploit any unprotected resource that travels between your site and your users, such as images, cookies (every site has them), scripts, and HTML. In some industries this can be particularly important for website users. For example, in the healthcare industry there are laws around patient (user) privacy, and if information is compromised, it can result in HIPAA violations. Every website interaction can potentially reveal information about the user’s identity and possibly disclose a sensitive health condition to their employer.

How can I get an SSL Certificate on my website?

Generally, you’ll need to work with your hosting company to move your site to a server that offers SSL. Then, unless you are skilled at website administration and hosting, you’ll need to hire a programmer or server administrator to implement the SSL certificate. The process includes purchasing, signing and applying the certificate. This usually takes 2-4 days. It entails generating a certificate signing request (CSR) over SSH on the hosting server and submitting this CSR to the certificate vendor you purchased the SSL certificate from. The vendor will then issue a certificate and an intermediate certificate, which you will need to install on your hosting server. (For more on intermediate certificates.)
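The CSR steps described above, sketched with the OpenSSL command line as an added example (not part of the original post and not any vendor's own procedure). The domain example.com, the file names and the function names are placeholders, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: example.com and all file names are placeholders.

# Step 1 (on the hosting server): create a private key and a CSR.
# The key stays on the server; only the CSR is sent to the vendor.
make_csr() {  # usage: make_csr <domain> <key-out> <csr-out>
    ( umask 077   # keep the private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2" -out "$3" -subj "/CN=$1" \
          -addext "subjectAltName=DNS:$1,DNS:www.$1" )
}

# Step 2: before submitting, confirm the CSR's self-signature is valid.
# The output is matched because older OpenSSL releases exit 0 on failure.
csr_ok() {  # usage: csr_ok <csr>
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Step 3: when the vendor returns the certificate, confirm it carries the
# public key that belongs to the private key on this server.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Step 4: confirm the certificate chains to the vendor's root through the
# intermediate certificate. This fails if the intermediate is missing,
# which is the case browsers hit when it is not installed on the server.
chain_ok() {  # usage: chain_ok <root> <intermediate> <cert>
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Allow direct use, e.g.: sh tls-steps.sh make_csr example.com site.key site.csr
if [ $# -gt 0 ]; then "$@"; fi
```

Running `cert_matches_key` and `chain_ok` before reloading the web server catches the two most common installation mistakes: a certificate paired with the wrong key, and a missing intermediate.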

How does HTTPS work?

HTTPS stands for “HyperText Transfer Protocol Secure” and solves the privacy problem by encrypting communication end-to-end between your website and the visitor’s browser. Additionally, the certificate ensures you are connected to the correct server, and as long as the green lock appears in the address bar, traffic to and from the website is encrypted.

With an SSL Certificate, will my site be secure?

This is an important point. An SSL certificate secures communication between the website and the user. The certificate doesn’t secure a website on the server. For example, a hacker can still access your WordPress blog login if the password isn’t complex or the server isn’t secure. Other precautions are needed to “secure” your website. We use the Wordfence plugin for WordPress, hardening code, double password access, secure FTP, and complex passwords and user names, to name a few. Additionally, keeping full backups of source code and incremental backups of data is crucial, so that in the event of a breach the site can be restored with minimal downtime.

Site speed is important for Google search results and user experience. Will SSL slow down my site?

A website with HTTPS can be faster than an HTTP website. Basically, HTTP serves out your website in different packets, but an HTTPS site (if set up on an HTTP/2 server) serves everything at once in one packet.

Will having my site on HTTPS (SSL certificate) help or hurt my search engine ranking?

There has been some debate about the importance of having a secure site related to search engine results. I was unable to find a recent Google Developer blog that specifically said high preference would be given to HTTPS websites. However, in a 2014 article Google did mention HTTPS as a signal for ranking and that this signal would only get stronger as Google moves toward ensuring a secure web. It is such a high priority for Google that they are likely to eventually make it a requirement in the near future. So it certainly won’t hurt.

Terminology

HTTPS – A website that has a secure certificate will show HTTPS://example.com in the address bar.

SSL – Secure Sockets Layer. There is also TLS (Transport Layer Security), the newer form of the certificates, but the common term is still SSL Certificate.

Encryption – The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.

Please let us know if you have any questions. We will update this blog post with answers.

Barbara Irias, contact: 510-519-6402