Jan 26

Encrypting Your Website is Now Monumentally Important


Websites that don’t go full site HTTPS may be in for a surprise in the coming weeks. Google and Mozilla Firefox, popular web browsers, will now show a warning to users who visit websites not accessed through a secure connection. While only sites that collect passwords are impacted, that will still include a vast majority of websites.

Google, particularly, has been focused on creating a more secure and faster web; ranking secure, fast, and mobile friendly websites higher than their counterparts. In fact, site speed and security is now built into Google’s core search engine ranking algorithm.

Traditionally, e-commerce websites that collect sensitive customer and payment information have been the only sites to secure via SSL and HTTPS, while most customer-facing marketing sites have not even bothered to due to the cost and headaches associated with setup. However, over the past few years it has become much easier. Community driven projects like Let’s Encrypt, a community supported certificate authority, are now offering free SSL / TSL certificates. Not only that, web hosting companies are now integrating that service directly into their administration panels for webmasters to procure and install instantly.

It sounds like a no brainer, right? While it may seem as easy as setting up SSL and installing the certificate, there are a few gotchas. Your web team may have to perform additional work to ensure your site works properly over HTTPS.

Why? For one, most web pages actually load resources from several domains and CDNs (content delivery networks). Not only do websites need to load assets from their servers over HTTPS, they also need to make sure all third party assets (images, data, external javascript libraries) are also loaded over HTTPS. If not, your browser will display a mixed content warning which could be even worse. Essentially, this warning will tell customers that the site they are on thinks that it is secure, when it’s really not 100% secure.

Google has provided a list of considerations, but the following highlight the main areas that would need to be considered when going full-site HTTPS:

  • Server side redirects – your website should redirect all HTTP requests to HTTPS, so that your site is always accessed via HTTPS (secure), not HTTP (insecure)
  • Use the Fetch as Google tool to make sure your website is accessible via HTTPS
  • Ensure that www and non-www requests are encrypted

In the end, it may be a very easy fix for your site, or a complicated one, depending on your requirements, infrastructure and change-agility. Regardless of the effort involved, it’s your duty to ensure a safe browsing experience for your customers and of course they will greatly appreciate a company that provides them safety over a company that does not!