Since 2014, Google has been on a mission to make the web safer, specifically by getting HTTPS adopted everywhere. And that years-long mission is set to culminate in just a few weeks – July 2018 – when the search giant starts enforcing HTTPS for Chrome users.
No biggie, right? Wrong. If your website doesn’t have an SSL certificate installed after July, you risk:
- Having your site labeled as “Not secure” by the world’s most popular browser,
- Losing search rankings and traffic,
- Potentially getting hacked, and
- Losing trust and credibility in the eyes of your users.
Serious stuff. So if you’ve been putting off getting an SSL certificate, it’s time to make it a priority.
Fortunately, time is on your side. In this post, we’ll take a look at what SSL and HTTPS are, how they work, why you need to make them a priority, and how you can get hold of an SSL certificate before July.
How Do I Check If My Site is SSL-Enabled Or Not?
A website is SSL-enabled when the browser address bar displays a green padlock and the word “Secure.” It should also display “https” rather than “http.”
When a green padlock is followed by the name of the company or organization, also in green, it means the site has an Extended Validation (EV) certificate, which is the highest certification level available. It allows the organization behind a website to present its own verified identity to site visitors and is considered more secure because it requires a manual validation of the applicant’s identity.
What are HTTPS and SSL?
Let’s start with HTTP.
When you enter a URL in your browser preceded by http://, you’re telling it to connect to a website via HTTP. Short for HyperText Transfer Protocol, HTTP is a set of standards used for transferring data on the web. This data is transmitted unencrypted. Essentially, it’s plain text.
HTTPS is the secure version of HTTP (the “S” actually does stand for “secure”). When you enter a URL preceded by https://, you’re telling the browser to connect via HTTPS, which means the connection is encrypted by Secure Sockets Layer, or SSL (aka TLS, but more on that below).
So what’s SSL? Basically, it’s the technology that powers HTTPS. SSL.com defines it as:
“… the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.”
Basically, HTTPS is HTTP with an SSL encryption layer on top of it. Servers and browsers still communicate exactly the same way with each other, but over a secure SSL connection that encrypts and decrypts their requests and responses.
The SSL layer has two main purposes:
- It verifies that you are communicating directly with the server that you think you are talking to, and
- It ensures that the server, and only the server, can read what you send it and only you can read what it sends back.
So… What’s TLS?
If you’ve heard the acronym TLS used interchangeably with SSL, it’s because they’re essentially the same thing.
TLS was introduced as the successor to SSL 3.0 in 1999. It was designed to resolve insecurities in the SSL protocol. While SSL is technically not in use anymore, the online community still refers to TLS certificates as SSL certificates, or even SSL/TLS certificates.
How SSL Works
It’s amazing how much personal information we give away online, whether it’s creating a new account on a website, filling in a contact form, or simply sending an email.
The problem with HTTP is that any information you submit online using it isn’t encrypted. This means anyone – including hackers – could intercept and steal it (more on that below).
The technology behind SSL is quite complex, but to the user there’s no visible difference between HTTP and HTTPS except the green padlock in their browser address bar.
The magic happens under the hood. SSL works in five key stages to establish a secure “SSL handshake” between your server and the user’s browser. To do this, the process uses three different types of keys: public, private and session keys. Together, these keys are used to establish the user’s secure session with your website.
- The user visits your site and their browser asks your server to identify itself.
- Your server sends back its ID – your SSL certificate – which includes a public key.
- Their browser checks the certificate against a list of trusted certificate authorities, making sure it’s valid and up-to-date.
- Once the browser is satisfied that your server is legit, it sends back its own public key and a one-time session key.
- Your server then decrypts the session key using its private key to allow the secure session to begin.
Once the session gets underway, all transmitted data is encrypted. In the past, people used to warn that the additional overhead of SSL might require beefier servers, but with HTTP/2, HSTS, and OCSP Stapling, those concerns have been allayed.
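The certificate check in the handshake above can also be run from a script instead of reading the padlock. This is an added example, not code from the original post: it uses Python's standard `ssl` module, the function names are ours, and `SAMPLE_CERT` is a constructed record rather than a real certificate.

```python
import socket
import ssl
import time


def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with host:port and return (tls_version, cert_dict).

    create_default_context() loads the system's trusted CA list and turns on
    hostname checking, so an untrusted, expired or mismatched certificate
    raises ssl.SSLCertVerificationError here instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to the fields worth monitoring."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "dns_names": names,
        "days_left": int((expires - now) // 86400),  # negative once expired
    }


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
    "notAfter": "Jul 24 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    version, cert = fetch_cert(host)
    print(host, version, summarize_cert(cert))
```

Run it with a hostname as the only argument; a low `days_left` value is the cue to renew before browsers start rejecting the certificate.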
How SSL Helps Stop Hackers
Secure connections are an important step in protecting visitors to your site from a type of cyber attack called content injection, or content spoofing. This is when a hacker inserts content into a legitimate site, or creates a fake website that looks safe and legit on the outside, but has been designed to defraud unsuspecting victims via phishing.
Some common forms of content injection include eavesdropping, data modification, and man-in-the-middle attacks. Hackers sometimes perform SEO injections, which spread false messages through search engine spiders that index and crawl URLs.
Google is enforcing HTTPS because it wants to stop these kinds of malicious attacks.
It’s worth emphasizing that having an SSL certificate is just one step towards securing your website. SSL itself doesn’t make a site secure; it simply helps to secure the exchange of information sent between a website and visitors to it.
As Joseph Moran from Practically Networked points out:
“… while SSL is a good start, it’s not the end of security. In fact, the presence of SSL can often lead to a false sense of security because while it protects your data from being intercepted while in transit from your computer to a merchant’s site, it can’t do anything to safeguard it after it reaches its destination.”
There are many layers to website security, including best practices, hardening techniques, and security updates and maintenance, which need to be implemented as part of a comprehensive and ongoing site security plan. These are core features of each Barrel Roll WordPress maintenance plan.
Why You Need SSL and HTTPS ASAP
As I mentioned at the start of this article, there are four primary reasons why you need an SSL certificate. Let’s look at each in more detail:
1. Having your site labeled as “Not secure” by the world’s most popular browser
From July, Chrome will start labeling all HTTP sites as “Not secure.”
The fact is, Chrome has 58% market share, so when this update is rolled out, over 50% of your traffic will see your site labeled as not secure.
2. Losing search rankings and traffic
HTTPS has been a Google search ranking signal since about 2014. While there’s much debate around whether HTTPS actually does lead to higher rankings and greater search traffic, the fact remains that Google says sites should have it, and what Google says goes. After all, it has 91% search engine market share so it’s sending you more traffic than any other search engine.
3. Potentially getting hacked
As we explored above, unencrypted HTTP connections make it easier for hackers to carry out malicious content injections, content spoofing, eavesdropping and man-in-the-middle attacks on websites.
With HTTPS enabled on your site, you’re better able to protect user data. Any information that is exchanged between users and your site – including data submitted via contact forms, shopping carts and checkouts – is encrypted.
4. Losing trust and credibility in the eyes of your users
The most important reason why you should get an SSL certificate is not the possibility of higher rankings or protecting user data from hacks, but gaining users’ trust.
Statistics show that people pay attention to the security of the websites they visit, and some experts believe this results in more traffic to HTTPS pages over HTTP ones.
How to Get an SSL Certificate
Getting an SSL certificate for your site involves several steps, which vary depending on your web host and where you buy your SSL certificate from. But generally, setting up an SSL certificate on your site involves:
- Choosing a certificate type
- Generating a certificate signing request
- Requesting an SSL certificate
- Installing the SSL certificate
- Setting up WordPress to recognize your site’s new HTTPS status
- Redirecting all HTTP traffic to HTTPS
- Making sure all assets on your site use HTTPS
- Updating Google Tag Manager tags, triggers and variables, as well as Google Analytics and Google Search Console for HTTPS
- Making sure your CDN is SSL-enabled
- Testing to be sure plugins, scripts, and third-party tools are updated to HTTPS
- Testing any eCommerce transactions
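For the “all assets use HTTPS” step, a page's HTML can be scanned for anything still referenced over plain HTTP. This is an added example, not code from the original post: it is written in Python with the standard `html.parser` module, the names are ours, and `SAMPLE` is a constructed page with hypothetical hosts and paths.

```python
from html.parser import HTMLParser

# How each (tag, attribute) fetch is treated; <a href> is navigation, so absent.
KINDS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active",  # stylesheets only, see handle_starttag
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
    ("form", "action"): "form",  # the submission would travel unencrypted
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return  # rel=canonical and similar are not loaded as subresources
        for name, value in attrs.items():
            kind = KINDS.get((tag, name))
            # https://, //host/path and relative URLs are fine on an HTTPS page
            if kind and value.strip().lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, tag, value.strip()))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hypothetical hosts and paths).
SAMPLE = """\
<link rel="canonical" href="http://example.test/">
<link rel="stylesheet" href="http://example.test/wp-content/themes/t/style.css">
<script src="HTTP://cdn.example.test/widget.js"></script>
<img src="http://example.test/wp-content/uploads/logo.png" />
<img src="//cdn.example.test/banner.png">
<a href="http://other.example.test/">partner</a>
<form action="http://example.test/contact" method="post"></form>
"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Findings marked `active` matter most, since browsers block scripts, stylesheets and frames loaded over HTTP on an HTTPS page.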
Choosing a certificate type will depend on the kind of site you run. And how you go about requesting and installing a certificate depends entirely on your hosting situation, so it’s best to get in touch with your web host to find out more.
While many web hosts sell SSL certificates, Barrel Roll discourages paying for SSL certificates. Why? Because SSL certificates are free! Let’s Encrypt has led the way in making free SSL certificates available for anyone to install on their site.
As Scott Carter from Barrel Roll explains:
“We never encourage people to actually purchase SSL certificates anymore. Instead, we make sure members are on hosting that includes free certificates or help them gain access to them.”
Once you’ve got an SSL certificate, setting it up can be tricky if you’re not technically proficient. Barrel Roll has been helping members transition to HTTPS. If you’re interested in learning more, get in touch.
A Secure HTTPS Future
With the release of Chrome 68 in just a few weeks, its updated interface will help users quickly see whether your site is secure or not secure, moving the web towards a secure HTTPS future by default.
If you don’t have an SSL certificate installed on your site, it’s time to get one so you’re not left behind. Whether you run a basic blog, an eCommerce store or even a Multisite network, HTTPS will help ensure any information visitors enter into your site is protected. Plus, you’ll reap other benefits such as potentially better search rankings and improved user trust.