Over the past few months, you may have started noticing these icons in your Google Chrome URL bar:
What’s happening is that Google Chrome has started marking HTTP connections as insecure, only bestowing the green lock on websites using the more secure HTTPS protocol. But what is the difference between the two, and why does Google care?
HTTP stands for Hypertext Transfer Protocol, which is a standard that allows computers to communicate with each other over the Internet.
The problem is that HTTP is not very secure, because it does not encrypt the data that it is passing between the two systems. This means that the plain text data can be intercepted as it goes back and forth, which is a big problem when dealing with sensitive information such as credit card details, passwords, or Social Security information.
HTTPS (“S” for “Secure”) is the answer to the relative insecurity of HTTP, because it does encrypt the data. HTTPS websites all have an SSL (Secure Sockets Layer) certificate, ensuring that the website and web server in question are authenticated. HTTPS also uses a public and private key pair to establish a bidirectional encrypted connection, preventing eavesdropping and tampering.
Why Would You Need an HTTPS Certificate?
- The obvious one: HTTPS makes your website more secure. Even if you’re not handling a ton of sensitive information, you want to make sure that nobody is eavesdropping on your communications or modifying your data.
- E-commerce customers are likely to abandon their purchases if they see that they’re on an insecure connection, and even non-e-commerce sites see a boost in their conversions once they’ve got that green lock.
- Google is pushing for it. Any site that wants to work on Google Chrome in the future is probably going to need an SSL certificate, and those that put it off are going to have some issues. In fact, Google is already “punishing” websites without HTTPS, by including HTTPS as a ranking signal in its search results.
Making the Switch
One of the reasons that some websites are dragging their feet is that migrating their site to HTTPS can be a bit of a hassle. The SSL certificate costs at least a few hundred dollars per year when purchased through your domain or hosting provider, and requires you to go through a process of proving the identity and legitimacy of your company to the issuer of the certificate. Cheap or free certificates do exist, but not without their own set of problems.
You will also need to make some site changes, including setting up a number of redirects to your new HTTPS pages. For smaller sites this won’t be as big of a project, but larger sites will have to put in a good amount of effort and time. To top it off, Google treats the shift from HTTP to HTTPS as a site change, which can temporarily affect your traffic numbers. But at least they provide a guide to the process: Secure Your Site With HTTPS.
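One way to check the redirects described above after a migration, shown as an added example that is not part of the original article: it audits recorded responses for old http:// URLs and flags pages that are still served in plain text, redirects that stay on HTTP, and redirects that lose the original page. The sample responses, the example.com URLs and the preference for permanent (301/308) redirects are assumptions made for this example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: what a crawler recorded when requesting each old
# http:// URL without following redirects (status code, Location header).
SAMPLE_RESPONSES = {
    "http://example.com/": (301, "https://example.com/"),
    "http://example.com/shop?item=7": (302, "https://example.com/shop?item=7"),
    "http://example.com/login": (301, "http://www.example.com/login"),
    "http://example.com/about": (200, None),
    "http://example.com/blog/post": (301, "https://example.com/"),
}

def audit_redirect(url, status, location):
    """Return a list of problems with one HTTP -> HTTPS redirect."""
    problems = []
    if status in (302, 303, 307):
        # Assumption: the move to HTTPS is permanent, so 301/308 is expected.
        problems.append("temporary redirect; use 301 or 308")
    elif status not in (301, 308):
        return ["no redirect: page is still served over HTTP"]
    if not location:
        return problems + ["redirect has no Location header"]
    # Resolve relative Location values against the requested URL; a relative
    # target inherits the http scheme and is therefore flagged below.
    src, dst = urlsplit(url), urlsplit(urljoin(url, location))
    if dst.scheme != "https":
        problems.append("redirect target is not HTTPS")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("target is not the same page (path or query changed)")
    return problems

def audit_site(responses):
    """Map each URL to its problems, keeping only URLs that have any."""
    report = {}
    for url, (status, location) in responses.items():
        problems = audit_redirect(url, status, location)
        if problems:
            report[url] = problems
    return report

if __name__ == "__main__":
    for url, problems in audit_site(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(problems))
```

The `/login` entry is the case that matters most for security: a redirect that lands on another http:// URL still sends the visitor's next request unencrypted.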
Is It Worth It?
In the end, this is going to be a very personal decision. Website owners are going to have to decide whether or not they think it’s a necessary security measure, both in terms of actual protection and the image they convey to visitors. If there’s no password entry, financial transactions, or sensitive data exchanged, then you can probably get away without it. The ranking factor is not that significant, and many HTTP websites get along just fine. But if your site does in fact involve one of these sensitive data transfers, you’d be doing yourself and your visitors a big service by getting your certificate.
Written by Nikolai Vargas