SSL and HTTPS: essential from now on?
Security will always be crucial. As much as we need to interact and do business, it’s an unfortunate fact of life that unscrupulous ne’er-do-wells are often lurking in the shadows, waiting for any opportunity to exploit. The online world is no exception, but fortunately there’s a whole range of organisations and tools dedicated to keeping us safe on the internet.
We already talked about building trust in your website, and how one of the best ways to ensure security is an SSL certificate. By encrypting all data sent from the browser, SSL (Secure Sockets Layer) enables a secure HTTPS connection between user and website, as opposed to the standard HTTP (Hypertext Transfer Protocol) method. Now, Google is introducing measures to highlight websites that lack this level of security, making SSL and HTTPS critical for any site dealing with sensitive information.
How SSL certificates work
An SSL certificate provides encryption by scrambling data sent from browser to server, making it unreadable to any third parties who might be eavesdropping – such as someone on the same public Wi-Fi network. The key required to unscramble it is only held by the website operator, ensuring no one else can access the user’s details. Webpages that transfer data in this way are indicated with ‘https’ in the address bar.
Just as vital as the encryption side of SSL is the authentication element, or endpoint verification. To ensure maximum security, the user needs to verify the identity of the website they’re connecting to. A common tactic of online criminals is to set up a website that purports to represent a real company, then dupe customers into entering their personal details. With an SSL certificate, visitors can be confident, since only websites that have had their identity verified will be able to display ‘https’ and the green padlock icon in the user’s browser.
SSL certificates are available from trusted providers like GeoTrust, which are responsible for managing the encryption and authentication required for secure online transactions. Different SSL certificate types can be used for single or multiple domains, and various levels of authentication can be selected, from basic domain validation (checks that your organisation is in control of a domain) up to extended verification (a background check on things like the physical location of your business). Often, the website operator will be able to display a trust seal to highlight their SSL protection and offer even more reassurance to users.
HTTPS and SEO ranking
Does having an SSL certificate help SEO? In a 2014 article entitled ‘HTTPS as a ranking signal’, Google stated that HTTPS does indeed improve SEO ranking, even if it was ‘only a very lightweight signal’ compared to other factors such as content. But that was then, and Google has been ramping up its focus on HTTPS ever since.
It’s safe to assume that HTTPS sites will rank higher in future search results, in Google’s own words, ‘to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web’. With this in mind, HTTPS is recommended for any website, whether it takes personal details or not, since Google’s intention is to push the whole web in this direction.
Chrome 56: when HTTP is ‘Not Secure’
As of late January 2017, Google Chrome has started labelling any non-HTTPS webpage that collects passwords or personal information as ‘Not Secure’ in the address bar. Previously, all HTTP URLs were displayed in a somewhat neutral grey colour, but now, if they collect passwords, they’ll be explicitly highlighted as a potential risk.
The reasoning behind this is simple: as previously outlined, Google wants to encourage as many sites as possible to move to HTTPS, especially if they’re handling user data. In September 2016, the search engine giant gave an overview of the next step towards a more secure web.
Right now Google thinks that when it comes to website security, there is no neutrality. In other words, if a site can’t prove it’s secure, it should be treated like it isn’t. And because many users have been taking a lack of explicit warnings as a sign that everything’s fine, the latest version of Chrome has added an active indication to name and shame webpages that aren’t up to scratch.
Chrome has over 50% of the desktop and mobile browser market share and more than a billion users, so a website ignores it at its peril. And it’s not just Google – Mozilla has made similar moves, with Firefox 51, launched in January 2016, showing a new crossed-out padlock icon for password-collecting pages lacking HTTPS.
This is all part of a long-term effort to label all HTTP websites as non-secure, again underlining how all site owners should be looking at moving to HTTPS – whether they take customer payments or not. For any developers out there who want to ensure their site isn’t branded ‘Not Secure’, Google has created a guide to help you avoid this warning.
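For site owners checking their own pages against the behaviour described above, here is a small audit (an added example, not code from Google or Fasthosts) that parses a page's HTML and reports password or card fields served over HTTP or submitted to an HTTP URL. The `cc-` autocomplete check, the check for an HTTPS page posting to an HTTP action, the sample markup and the `example.test` hostnames are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup: one relative login form, one form posting to http://
SAMPLE = """
<form action="/session"><input type="password" name="pw"></form>
<form action="http://shop.example.test/pay">
  <input name="card" autocomplete="cc-number">
</form>
"""

class SensitiveFormAudit(HTMLParser):
    """Record sensitive inputs that are not protected by HTTPS end to end."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = page_url  # inputs outside a <form> belong to the page itself
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and self._is_sensitive(a):
            self._check(a.get("name", "(unnamed)"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = self.page_url

    @staticmethod
    def _is_sensitive(a):
        # Assumption: password inputs and card autofill hints count as sensitive.
        return (a.get("type", "").lower() == "password"
                or a.get("autocomplete", "").lower().startswith("cc-"))

    def _check(self, field):
        if urlsplit(self.page_url).scheme != "https":
            self.findings.append((field, "page served over HTTP"))
        elif urlsplit(self.action).scheme != "https":
            self.findings.append((field, "form submits to " + self.action))

def audit(page_url, html):
    """Return a list of (field name, reason) pairs for the given page."""
    parser = SensitiveFormAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Calling `audit(url, html)` on each template of a site gives a list of fields to fix before moving the page to HTTPS; an empty list means no sensitive field was found on an unencrypted path.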
An SSL certificate and HTTPS give you the best possible security for your website. More than that, they reassure existing and potential customers that you care about safeguarding their data, boosting your brand’s reputation in the process. At Fasthosts, our platforms offer everything you’ll need for watertight security, including a GeoTrust SSL certificate free for one year on our Cluster web hosting and dedicated servers.