5 Top Reasons Why Your Website Should Use HTTPS

If your website is still using HTTP rather than HTTPS, it could pose a threat to your website security, traffic and brand.

For the past several years, Google has been continuing to move toward a more secure web by strongly advocating that sites adopt HTTPS encryption. To make it simple for users to understand that HTTP sites are not secure, Google has been gradually marking a larger subset of HTTP pages.

A quick history — Google started moving towards sites being marked as “not secure” in July 2018 with the release of Chrome 68. At that time, through its Chromium Blog, Google announced, “Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red ‘not secure’ warning when users enter data on HTTP pages.”


Chrome treatment for HTTPS pages

Google further explained, “Chrome’s new interface will help users understand that all HTTP sites are not secure and continue to move the web towards a secure HTTPS web by default.”

Why is this Now a Requirement?

Security is critical. HTTP (Hypertext Transfer Protocol) is a network protocol standard that allows web browsers and servers to communicate and exchange data on demand. With HTTP, all data entered into the unsecured site is sent in plain text and can be read by anyone who intercepts it.

HTTPS (Hypertext Transfer Protocol Secure) is powered by the TLS (Transport Layer Security) protocol, formerly the SSL (Secure Sockets Layer) protocol. According to Cloudflare, this protocol secures communications by using what’s known as an asymmetric public key infrastructure. This type of security system uses two different keys to encrypt communications between two parties:

  1. The private key – this key is controlled by the owner of a website and is kept private. This key lives on a web server and is used to decrypt information encrypted by the public key.
  2. The public key – this key is available to everyone who wants to interact with the server in a way that’s secure. Information that’s encrypted by the public key can only be decrypted by the private key.

HTTPS establishes an encrypted connection between a web server and a browser. It also authenticates the server you are connecting to and protects transmitted data from unintended recipients and hackers, including contact capture data, username/password logins and credit card/payment details.

With HTTPS, traffic is encrypted such that even if the packets are sniffed or otherwise intercepted, they will come across as nonsensical characters.

Cloudflare provides this example:

Before encryption:

This is a string of text that is completely readable

After encryption:

ITM0IRyiEhVpa6VnKyExMiEgNveroyWBPlgGyfkflYjDaaFf/Kn3bo3OfghBPDWo6AfSHlNtL8N7ITEwIXc1gU5X73xMsJo

 

Beyond security, there are 5 critical reasons to move to HTTPS:

HTTPS Security — Top 5 Advantages

1. Secure is faster – HTTPS is a more technically advanced and secure network protocol solution than HTTP. HTTPS is better as it unlocks both performance improvements and powerful new features that are not available with HTTP. SSL is also required for Accelerated Mobile Pages (AMP). See our AMP article for more information.

2. Visitor Trust – Your website visitors want to know that they can trust your site and can quickly and readily see the lock. If your clients/website visitors know you’re secure, they’re far more likely to do business with you and revisit your site.

3. HTTPS and SSL/TLS are Essential for PCI DSS – Websites which accept credit card payments need to offer protection to their visitor data. According to the PCI Data Security Standard, any site that collects payment information to process online payments must be PCI-compliant. Having an SSL/TLS certificate installed is one of the primary requirements set by the payment card industry (PCI). It is mandatory that financial, e-commerce and most websites that require a login have HTTPS.

4. HTTPS is Becoming the Universal Norm – As demand for security and privacy grows, we are seeing a more secure web. According to recent numbers from Google:

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default, and these numbers are growing

5. Search Engine Optimization Boost – HTTPS can also help with SEO.

“In 2014, Google announced HTTPS as an SEO ranking signal,” says Joshua Alexander, Sprout’s Director of Technology. “Since then, that signal has increased as Google pushes for a universally secure web. Therefore, configuring your entire website for HTTPS could provide a small SEO boost.”

For now, users will not be blocked from accessing HTTP sites; however, they will be warned. As of October 2018, all Chrome 70 users see the “not secure” warning shown below.

[Image: Chrome 70 “not secure” warning]

Source: Google Security Blog

What Are Google’s Next Steps to Ensuring a Secure Web?

Further to indicating unsecured sites, Google also announced last February that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. “We’ll start blocking ‘mixed content downloads’ (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.”

Starting with Chrome 84, Chrome will gradually start warning, and later blocking, mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.

Google has stated it will roll out restrictions on mixed content downloads on the desktop platforms (Windows, macOS, Chrome OS and Linux) first, which will be as follows:
  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 84 (released July 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 85 (released August 2020):
    • Chrome will block mixed content executables.
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 86 (released October 2020):
    • Chrome will block mixed content executables, archives and disk images.
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 87 (released November 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text.
    • Chrome will block all other mixed content downloads.
  • In Chrome 88 (released January 2021) and beyond, Chrome will block all mixed content downloads.
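To see how this schedule applies to a site you maintain, the following added example (not from Google or the original article) scans the markup of an HTTPS page for download links that still point at `http://` and reports what a given desktop Chrome version does with each one. The file extensions beyond `.exe`, `.zip` and `.iso`, the rule for deciding that a link is a download, and the `example.com` hostnames are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Chrome version that first warns on / first blocks each file class, per the desktop
# schedule above. Extensions other than .exe, .zip and .iso are assumptions.
SCHEDULE = {"executable": (84, 85), "archive": (85, 86),
            "other": (86, 87), "media": (87, 88)}
EXTENSIONS = {"executable": {".exe"}, "archive": {".zip", ".iso"},
              "media": {".png", ".jpg", ".gif", ".mp3", ".mp4", ".txt"}}
PAGE_EXTENSIONS = {"", ".html", ".htm"}  # assumed to be navigation, not a download

def classify(ext):
    return next((n for n, exts in EXTENSIONS.items() if ext in exts), "other")

def chrome_action(file_class, version):
    """Return allow / console / warn / block for a mixed content download."""
    warn_from, block_from = SCHEDULE[file_class]
    if version >= block_from:
        return "block"
    if version >= warn_from:
        return "warn"
    return "console" if version >= 81 else "allow"  # 81+: console message only

class DownloadLinkFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "a" or not attrs.get("href"):
            return
        # urljoin resolves relative and //host links against the page's own scheme
        parts = urlparse(urljoin(self.page_url, attrs["href"]))
        ext = posixpath.splitext(parts.path)[1].lower()
        is_download = "download" in attrs or ext not in PAGE_EXTENSIONS
        if parts.scheme == "http" and is_download:
            self.found.append((parts.geturl(), classify(ext)))

def audit(page_url, html, version):
    """List (url, file class, Chrome action) for insecure downloads on an HTTPS page."""
    finder = DownloadLinkFinder(page_url)
    if urlparse(page_url).scheme == "https":  # mixed content only exists on secure pages
        finder.feed(html)
    return [(u, c, chrome_action(c, version)) for u, c in finder.found]

# Constructed sample markup for the example, not taken from a real site.
SAMPLE = ('<a href="http://dl.example.com/setup.EXE">Installer</a>'
          '<a href="//cdn.example.com/tool.zip">Tool</a><a href="http://example.org/about.html">About</a>'
          '<a href="http://dl.example.com/brochure.pdf">PDF</a><a href="http://dl.example.com/logo.png" download>Logo</a>')
```

Calling `audit("https://www.example.com/downloads/", SAMPLE, 86)` flags the installer as blocked, the PDF as warned and the image as console-only; the fix for every flagged link is to serve the file over HTTPS.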

HTTP vs. HTTPS: How Does This Affect Your Brand?

If your website does not meet HTTPS requirements, not only does it affect your security but your brand image. The bottom line is that your clients and website visitors want to know that they can safely visit your site, while accessing all available, secure content. This ensures client trust. Security will also motivate your target audience to come back to your site now and in the future.


For more information about Google’s HTTPS plan please see Google’s Security Blog.