Why Every Website Owner Should Care About (and Convert to) HTTPS
Most people know, or at least suspect, that it is unwise to purchase items over a public Internet connection – but they may not know why.
The reason is the possibility of a ‘man-in-the-middle’ (MITM) attack. In a MITM attack, someone inserts him / herself into the Internet connection between you and the website you are visiting and impersonates both parties in order to gain access to sensitive information like userIDs, telephone numbers, passwords, names, addresses, and credit card data.
Let’s say, for instance, Ann (A) is in her favorite coffee shop browsing Best Buy (B’s) eCommerce website & wants to make a purchase. There is nothing to stop a malicious man-in-the-middle (M) from inserting himself into Ann & Best Buy’s conversation. He could capture, and possibly alter, the data that gets transmitted. If Ann makes a purchase, he could change the order quantity and/or steal her identity. Ann and the website she is visiting are both at risk.
HTTPS Protects In-Transit Data
HTTP stands for HyperText Transfer Protocol, which is the standard and agreed-upon format for transmitting data between 2 devices on the Internet. HTTPS stands for HyperText Transfer Protocol Secure. It is a way to help protect conversations between 2 computers by layering a security certificate and encryption on top. Here is how it works.
Let’s revisit Ann’s shopping experience & pretend she’s shopping at Adorama (D) instead of Best Buy. Adorama has a secure (HTTPS) website. When Ann uses her browser to connect:
• Her browser requests, and Adorama sends, an independently verified security certificate that certifies that the web server Ann is trying to connect to does, in fact, belong to Adorama.
• Adorama sends an encryption key to Ann’s browser. The key will be used to encrypt / scramble any subsequent transactions between the 2.
Only Adorama has the decryption key – even if a malicious man-in-the-middle intercepts their exchange, he / she won’t be able to alter, delete, or make any sense of subsequent conversations.
HTTPS is added security but not total protection – some folks are figuring out ways around the certification process.
It is not perfect, but it’s a step in the right direction, and it is likely to improve even more as time goes on.
Why Convert Now?
HTTPS has been around since 1994 – so why is there a sudden push for everyone to convert?
Concerned that users aren’t recognizing or heeding Google’s previously neutral & ambiguous labeling of unsecure websites, on September 8, 2016 Google announced that beginning in January 2017, it’ll explicitly start labeling HTTP connections as not secure.
“Historically, Chrome hasn’t explicitly labeled HTTP connections as non-secure. January 2017, we will mark HTTP pages that collect passwords / credit cards as non-secure, as part of a long-term plan to mark HTTP sites as non-secure.
In following releases, we’ll continue to extend HTTP warnings, for instance, by labeling HTTP pages as “not secure” in Incognito mode, where users can have higher expectations of privacy. We plan to label all HTTP pages as non-secure, adjust the HTTP security indicator to the red triangle that we use for the broken HTTPS.”
This is the visual they shared that illustrates what they mean by a not-secure label.
So far, we have not seen the “not secure” label, we have only seen the already familiar gray circled letter “i” displayed in browser address bars when websites aren’t secure. Here is an example using Best Buy’s website (below).
However, Google has amped up their labeling of secure websites, like Adorama’s (below). Labeling includes a green padlock, the word “Secure”, and the green letters “https” on websites that have been completely & successfully converted.
Implications For Website Owners
If you own a website that captures userIDs & passwords or credit card data, you’ll soon be labeled as “Not Secure” when visitors are using the Chrome browser. This is bound to raise concerns & deter people from wanting to transact with you, especially if you are asking for any type of personal data – email addresses, for instance, to build your mailing list.
Website visitors will easily be able to recognize unsecure websites & find better, more secure, alternatives.
If you own an informational website and think you’re off the hook, think again.
Non-eCommerce website owners risk losing the trust & confidence of website visitors. 25% of the world’s websites are built with WordPress, a content management system that is accessed, administered, and maintained using a userID and password. Joomla and Drupal, WordPress’s closest competitors, also use userIDs and passwords. These sites will be flagged as non-secure unless they’re converted over to HTTPS.
Be aware that anyone who intercepts the transmission of userID & password data will be able to add, change & delete content on your website. It is not only website visitors who are at risk; website owners need to protect their data too.
Implications For SEO
In addition to the obvious benefit of securing the trust & confidence of your audience, there is a search engine optimization benefit when you migrate over to HTTPS.
At the time, the lightweight incentive was not enough to motivate most non-eCommerce website owners to migrate because of the work involved & the potential to lose SEO equity.
When you convert your website to HTTPS, you are changing your Internet address – that means you should give Google a “change of address” notification, known as a 301 or 302 redirect. In the past, a redirect diluted your SEO equity, or ability to rank, by as much as 15%. Google’s John Mueller announced that SEO equity / PageRank will no longer be lost when a 301 / 302 redirect is used in conjunction with an HTTP to HTTPS migration.
There is no longer an SEO penalty when you implement HTTPS. The previously lightweight signal could help boost your rankings.
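The “change of address” step above is easy to get wrong (a 200 on the plain-HTTP address, a redirect that points at http:// again, or one that drops the requested path). The following Python script is an added example, not code from the original post or from any of the sites it names: it implements a small check a website owner can run against their own host after migration, and ships with a constructed stand-in server (and a deliberately unmigrated one) so the check can be exercised offline. The host, port and path values are assumptions for the demo.

```python
"""Verify that an HTTP origin answers with a permanent redirect to HTTPS.

Added example (not from the original post). The local demo servers below are
constructed stand-ins so the check runs without any network access.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def check_http_to_https_redirect(host, port=80, path="/", timeout=5):
    """Request `path` over plain HTTP and report whether the answer is a
    301/302 to the same path on https:// for the same host.

    Returns {"status": int, "location": str, "ok": bool}.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Send the bare hostname so the redirect target can be compared to it.
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        status = resp.status
        location = resp.getheader("Location") or ""
    finally:
        conn.close()

    target = urlsplit(location)
    ok = (
        status in (301, 302)              # a redirect, not content over HTTP
        and target.scheme == "https"      # ...to the secure scheme
        and target.hostname == host       # ...on the same site
        and (target.path or "/") == path  # ...preserving the requested page
    )
    return {"status": status, "location": location, "ok": ok}


class RedirectToHttpsHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a migrated site: every plain-HTTP request
    gets a 301 to the same path on https://."""

    def do_GET(self):
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class StillPlainHttpHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an unmigrated site: content served over HTTP."""

    def do_GET(self):
        body = b"<html>insecure content</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_demo_server(handler_cls):
    """Run a stand-in server on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for label, handler in (("migrated", RedirectToHttpsHandler),
                           ("unmigrated", StillPlainHttpHandler)):
        server, port = start_demo_server(handler)
        try:
            print(label, check_http_to_https_redirect("127.0.0.1", port, "/cart"))
        finally:
            server.shutdown()
```

Against a real site you would call `check_http_to_https_redirect("www.example.com")` (port 80, assumed hostname) for a few representative paths; a result with `ok` False tells you the redirect is missing, still points at http://, or loses the path, each of which is something to fix before relying on the HTTPS address.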
Now Ann & other website visitors can feel safe knowing that secure-labeled websites will protect their identity and data.