The short answer to why your website should use HTTPS instead of HTTP is “because Google prefers it.” But what do HTTP and HTTPS mean? What are the differences, drawbacks and benefits?
When you visit a website, your computer and the web server communicate using a protocol known as HTTP. This stands for Hypertext Transfer Protocol. HTTP has inherent weaknesses that are important to recognize.
HTTP can be intercepted
One weakness of HTTP is that the information passing between your computer and the website is not encrypted. This means it is theoretically possible for an attacker to intercept, read, and even modify the contents. This could enable them to steal sensitive information, or trick you into clicking a malicious link.
HTTP cannot be verified
Another weakness is that there is no way for your computer to verify the identity of a website using HTTP. This means it is theoretically possible for an attacker to impersonate the site you’re visiting. As in the example above, they might do this to deliver malicious content to you, or to steal sensitive information from you.
These weaknesses may not seem serious for someone visiting a purely informational website. However, there are obvious problems when dealing with sensitive situations like online shopping or banking.
Both of the weaknesses in HTTP described above can be solved by using a secure communication channel. The current standard for this type of communication is Hypertext Transfer Protocol over Transport Layer Security, known as HTTPS.
You can tell whether the website you’re visiting uses HTTPS by looking at the address bar at the top of your browser. A connection using HTTPS will be indicated with a symbol such as a padlock or a key. It will also display HTTPS at the start of the address, like this:
If your users log into your website, and particularly if you run an online store, it should be obvious why this is the way to go. But what if you have a website that merely presents information about your business? If there is no transfer of sensitive information, why use HTTPS?
My website doesn’t handle sensitive information. Why should I care about HTTPS vs HTTP?
Quite simply, because Google’s search rankings favor HTTPS over HTTP. Google started using HTTPS as a ranking signal in 2014. It can also boost confidence in your business when visitors see the security symbol and HTTPS as part of the address. Using HTTPS shows that you value your visitors’ privacy, even if you aren’t receiving any personal information from them.
In 2017, top line web browsers started warning users when they visit sites that use HTTP. If your site includes a contact form that asks for the visitor’s email address, the browser will display a security warning if the page doesn’t use HTTPS.
More recently, browsers have started displaying “Not Secure” in the address bar on every web page served via HTTP, regardless of its content.
HTTPS can be significantly faster than HTTP
Some technologies designed to make websites faster only work with HTTPS. One example is a protocol enhancement known as HTTP/2. Take the HTTP vs HTTPS test to see this in action.
How do I convert my website? How much does it cost?
The first step to converting your site is to install a professionally signed security certificate on your web server. Strictly speaking, you can use a ‘self-signed’ certificate, which costs nothing. However, doing so will result in scary looking warnings in the visitor’s browser. Fortunately, a professionally signed certificate can be purchased and installed for as little as $15/year. Many web hosting companies now offer signed certificates from Let’s Encrypt, which are free and renew automatically every 3 months. If your host charges more than $15/year for a standard signed certificate, this might be a good time to look for a new hosting company.
The second step to converting your site is to convert all the internal links to HTTPS. If you don’t do this, visitors will see less scary but still off-putting warnings about mixed content.
At Trevellyan.biz, we recommend that all new websites use HTTPS. If your site is already built, we can help convert it. We can assist with the purchase and installation of a professionally signed security certificate, and convert all your website’s internal links. We can also ensure that incoming HTTP links continue to work properly.
If you’re interested in having a new site built using HTTPS, or if you need to have your existing site converted, contact us today for details. We can be reached at (518) 392-0846 or [email protected]. Visit our website design and development page to learn more about the services that we offer.
This is a nice brief infographic that supports this post with a visual.
http://www.lantymarketing.com/what-is-https-and-why-should-you-care.html
Hi Landon,
I’m sure you mean well, so I’m going to offer some constructive criticism on your linked post:
This might seem picky, but when dealing with technical subjects, it’s important to get the details exactly right.
Nice post, I’ll use it for my next blog
I find it ironic that Google sent me here via https:// and your server returns a “Secure Connection Failed” error, and the page is not displayed.
Great post, BTW.
Hi Jeff,
Thanks for the feedback. I’m not seeing any certificate errors here, but I just switched the domain back to Cloudflare, and it looks like the new certificate isn’t quite ready yet.
Great work, google is taking HTTPS seriously as one of ranking factors.
If you’re new to moving site to HTTPS, this post helps https://www.cloudliving.com/wordpress-ssl/
Very useful, thanks.
I just want to mention that you might run into trouble if you set up a redirect (step 2) before updating internal links (step 3).
Thanks for your information! luckily, blogger has https feature.
Did the test:
HTTP is about 2-7% faster than HTTPS (obviously, as it has the overhead of encrypting/decrypting).
Interesting. I just ran three tests each way, with the following results:
HHTPS: 3.282s, 2.368s, 3.599s, mean 3.083s
HTTP: 4.044s, 4.052s, 3.867s, mean 3.988s
In other words, in this series of tests, loading the page over HTTPS took on average almost 1 second less, which represents a better than 22% saving in page load time over HTTP.
While there is clearly work involved in encryption and decryption, that’s typically not the critical path for loading a web page. The performance improvement comes from the fact that HTTPS allows for HTTP/2, which in turn allows for connection multiplexing. That’s what makes real-world performance better with HTTPS in most cases. Of course, you won’t see better performance with HTTPS if your browser or the web server doesn’t support HTTP/2.