HTTPS: who needs it?

Michael PhillipsI’m sure by now you’ve seen or read about the changes that the big browsers (Chrome and Firefox) have made regarding insecure connections. Google even sent out email late last year that spelled it out pretty plainly: “Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as ‘Not Secure’ unless the pages are served over HTTPS.”

Of course Google aren’t the only ones being aggressive about forcing the web to move toward encrypting all traffic. The Firefox browser warnings are even more in your face than those in Chrome:

Using HTTPS encrypts connections between your website and your visitor’s browsers to prevent a third-party from listening in on the communication. It also helps protect your site against injections of malicious code which can do all sorts of very bad things and cause a mountain of problems in extreme cases. Not to mention less malicious – but still unwelcome – collection or aggregation of your visitor’s behavior.

So the answer to “who needs HTTPS” is: you do. We all do. But there can be a significant gap between wanting to serve up everything via HTTPS and actually accomplishing it.

We’ve wanted to do it for some time now, but we’re just getting around to making it happen. It isn’t because we’re lazy or we don’t care about security, we just have a wide range of sites and applications that have to be converted, and making sure we do it right takes time and preparation. Two websites (DiscountASP.NET and Everleap), blogs, forums, knowledge bases, helpdesk systems, peaches, apples, pears – you get the idea.

A static website, like DiscountASP.NET is relatively easy to change. Relatively. Things that run on databases, like blogs and forums – and pretty much every modern website – are a bit more complicated. I came up with a checklist for switching over the blogs and forums after a lot of testing on different dev installations, but when the time came to switch the live sites, there were still things that needed to be fixed.

Because if you didn’t already know, real life scoffs at our checklists and planning! It’s still better to go in with a plan than without one, trust me on that. But at the moment you believe that you’ve got it down, that nothing has escaped your eagle eye, something always sneaks in to spoil your celebration.

Right Yahoo?

So if it’s such a pain, why bother? Good question.

As far as the browser warnings go, they may seem unimportant now, especially if there’s no login on your site and you aren’t taking credit card information from visitors. But expect those benign warnings to change in the not-too-distant future. At some point Google and Firefox (everyone else will follow) are going to put up a virtual – or literal – red flag when someone comes to your site and the connection is not HTTPS. Whether there is a login or credit card collection or not.

You don’t want to wait until that happens and find yourself scrambling to make the necessary changes. You’re going to want to have the luxury of time, which you still do if you tackle the project today.

In order to make the move to HTTPS you’ll need an SSL certificate. We can help you there. While there is a monthly fee associated with adding SSL to your account, a free RapidSSL certificate is included. If you need a wildcard or extended validation certificate, we can get you set up with those as well. Here are some Knowledge Base articles to help you get started with HTTPS/ssl.

You’ve probably also heard that you can get a free SSL certificate from Let’s Encrypt. That’s true, and you can use those certs here at DiscountASP.NET. But the Let’s Encrypt certificates come with some drawbacks (among other things: they do not verify sites, so you can’t get a security seal, and they have to be manually renewed every 90 days). Make sure you’re aware of what’s involved in using such a cert before you commit to one.

And guess what? The benefit of moving to HTTPS goes beyond security.

Check out what Google says right now about HTTPS and search results: “Google uses HTTPS as a positive ranking signal. This signal is one amongst many others, and currently carries less weight than high-quality site content; you should not expect a major SEO advantage for moving to HTTPS in the short term. In the longer term, Google may increase the strength of the HTTPS boost.”

Eventually, when everything is HTTPS, that Google search advantage won’t mean anything. But right now, when half the web still doesn’t use HTTPS, it can mean a lot.

So what are you waiting for?

2 thoughts on “HTTPS: who needs it?

  1. “While there is a monthly fee”… yes, basically a doubling of the cost for most people.

    Perhaps a decade ago, prior to SNI this was the norm but you guys should really rethink your policy on charging for SSL.

    1. Hi Jacob. SNI, as you may know, isn’t the ideal solution for everyone since there are compatibility issues with older browsers.

      We implemented SNI over at Everleap, but most of the users there still want to use certs on unique IPs. I imagine a lot of that goes back to the older browser issues. Windows XP might seem ancient to us, but millions of people still use it (or are stuck with it).

      It’s under consideration for DiscountASP.NET, but right now I couldn’t tell you if/when we’ll implement.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.