The short answer to why your website should use HTTPS instead of HTTP is “because Google prefers it.” But what do HTTP and HTTPS mean? What are the differences, drawbacks and benefits?
When you visit a website, your computer and the web server communicate using a protocol known as HTTP. This stands for Hypertext Transfer Protocol. HTTP has inherent weaknesses that are important to recognize.
HTTP Can Be Intercepted
One weakness of HTTP is that the information passing between your computer and the website is not encrypted. This means it is theoretically possible for an attacker to intercept, read, and even modify the contents. This could enable them to steal sensitive information, or trick you into clicking a malicious link.
HTTP Cannot Be Verified
Another weakness is that there is no way for your computer to verify the identity of a website using HTTP. This means it is theoretically possible for an attacker to impersonate the site you’re visiting. As in the example above, they might do this to deliver malicious content to you, or to steal sensitive information from you.
These weaknesses may not seem serious for someone visiting a purely informational website. However, there are obvious problems when dealing with sensitive situations like online shopping or banking.
Both of the weaknesses in HTTP described above can be solved by using a secure communication channel. The current standard for this type of communication is Hypertext Transfer Protocol over Transport Layer Security, known as HTTPS.
You can tell whether the website you’re visiting uses HTTPS by looking at the address bar at the top of your browser. A connection using HTTPS will be indicated with a symbol such as a padlock or a key. It will also display HTTPS at the start of the address, like this:
If your users log into your website, and particularly if you run an online store, it should be obvious why this is the way to go. But what if you have a website that merely presents information about your business? If there is no transfer of sensitive information, why use HTTPS?
My Website Doesn’t Handle Sensitive Information. Why Should I Care About HTTPS vs HTTP?
Quite simply, because Google’s search rankings favor HTTPS over HTTP. Google started using HTTPS as a ranking signal in 2014. It can also boost confidence in your business when visitors see the security symbol and HTTPS as part of the address. Using HTTPS shows that you value your visitors’ privacy, even if you aren’t receiving any personal information from them.
In 2017, top line web browsers started warning users when they visit sites that use HTTP. If your site includes a contact form that asks for the visitor’s email address, the browser will display a security warning if the page doesn’t use HTTPS.
More recently, browsers have started displaying “Not Secure” in the address bar on every web page served via HTTP, regardless of its content.
HTTPS Can Be Significantly Faster Than HTTP
Some technologies designed to make websites faster only work with HTTPS. One example is a protocol enhancement known as HTTP/2. Take the HTTP vs HTTPS test to see this in action.
How Do I Convert My Website? How Much Does It Cost?
The first step to converting your site is to install a professionally signed security certificate on your web server. Strictly speaking, you can use a ‘self-signed’ certificate, which costs nothing. However, doing so will result in scary looking warnings in the visitor’s browser. Fortunately, a professionally signed certificate can be purchased and installed for as little as $15/year. Many web hosting companies now offer signed certificates from Let’s Encrypt, which are free and renew automatically every 3 months. If your host charges more than $15/year for a standard signed certificate, this might be a good time to look for a new hosting company.
The second step to converting your site is to convert all the internal links to HTTPS. If you don’t do this, visitors will see less scary but still off-putting warnings about mixed content.
At Trevellyan.biz, we recommend that all new websites use HTTPS. If your site is already built, we can help convert it. We can assist with the purchase and installation of a professionally signed security certificate, and convert all your website’s internal links. We can also ensure that incoming HTTP links continue to work properly.
If you’re interested in having a new site built using HTTPS, or if you need to have your existing site converted, contact us today for details. We can be reached at (518) 392-0846 or [email protected]. Visit our website design and development page to learn more about the services that we offer.