May 1, 2017

What is HTTPS and why your website MUST have it?


Google wants your website to run on HTTPS and you don’t get a say

(assuming you want to maintain your existing website traffic and increase it going forward)

Google made an official announcement in September 2016 about some important changes they are making to their Chrome browser.

In case you didn’t already know this, the Chrome browser is the most widely used browser on computers worldwide. You can check these tables for the most detailed and up-to-date breakdown.

Chrome is also one of the most widely used browsers on mobile devices such as smartphones and tablets (and in many countries, the most used). This is mainly because it is often the default browser that comes pre-installed on devices running Android.

As a result, any changes Google makes to Chrome have far-reaching implications for Internet users as a whole.

Here is what Google said:

Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure

If you are already selling anything through your website and collecting credit card details, your website may already run on HTTPS.

If that’s the case then you’re all good and you can stop reading now.

However, if you have any feature on your website which requires visitors to create user accounts and choose passwords (such as a forum) and your website isn’t already on HTTPS, the Chrome browser will actively warn people against visiting your website.

The same also applies to the WordPress login screen where you enter your details to access the admin panel (most often found on mywebsite.com/wp-admin).

Here is how it looks right now:

Non secure form submission in Chrome
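
To find which of your own pages fall under this warning, you can scan their HTML for password and payment-card fields. The Python code below is an added example, not part of the original post; it approximates the criteria Google describes (it is not Chrome's own detection logic), and the function names, the sample HTML and example.com are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Standard HTML autocomplete tokens for payment-card fields.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}
# Constructed sample: a WordPress-style login form (not copied from a real site).
LOGIN_HTML = ('<form action="/wp-login.php" method="post">'
              '<input type="text" name="log">'
              '<input type="password" name="pwd"></form>')

class SensitiveFormScanner(HTMLParser):
    """Collects password/card inputs and the URL each enclosing form submits to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_target = page_url   # inputs outside a <form> belong to the page itself
        self.findings = []            # (field kind, field name, submit URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_target = urljoin(self.page_url, a.get("action", ""))  # empty action = same page
        elif tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif tokens & CARD_TOKENS:
                kind = "card"
            else:
                return
            self.findings.append((kind, a.get("name", ""), self.form_target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_target = self.page_url


def audit(page_url, html):
    """Return a list of problems; an empty list means no sensitive field uses HTTP."""
    scanner = SensitiveFormScanner(page_url)
    scanner.feed(html)
    page_is_http = urlparse(page_url).scheme == "http"
    problems = []
    for kind, name, target in scanner.findings:
        if page_is_http:
            problems.append(f"{kind} field '{name}' is on an HTTP page")
        elif urlparse(target).scheme == "http":
            problems.append(f"{kind} field '{name}' submits to HTTP URL {target}")
    return problems
```

Calling `audit("http://example.com/wp-login.php", LOGIN_HTML)` reports the password field, while the same HTML served from an `https://` address returns an empty list.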


If you don’t sell anything on your website and don’t have forums or any other feature which requires people to create user accounts, you are still not off the hook!

Google further says in their announcement:

Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS

Here is how that looks right now:

Chrome broken HTTPS notice - Current


And here is how that will look eventually:

Chrome Broken HTTPS notice - future

Would you continue through to the website with a warning like this?

No, I didn’t think so 🙂

Even if you don’t feel this is a concern for you as you know your own website and know that it’s safe to visit, try and think from the perspective of the average web user.

Will they stay on your website if their browser (on either desktop or mobile) showed this red warning or will they immediately hit the ‘back’ button?

This can absolutely annihilate your traffic practically overnight once these changes to Chrome are fully implemented!

This is expected to happen by the end of 2017.

What should you do?

You need to start planning how you’re going to turn your website address from one starting with HTTP to one starting with HTTPS.

This is done by installing something called an SSL Certificate on your domain.

The good news is that those SSL certificates are very cheap and you can even get a free one from an organisation called Let’s Encrypt which is supported by the likes of Facebook, Cisco, Mozilla and Google themselves.

If you want more details on how an SSL certificate from Let’s Encrypt (which, as mentioned above, is completely free) works, you can either read this or watch the video below.

(Just keep in mind that it does get a bit technical).

How to switch your website to HTTPS?

As you can see, setting up your website to run on HTTPS can involve some fiddling around and may require technical know-how.

However, many quality web hosting companies, like A2 Hosting or SiteGround, have implemented solutions in their hosting management console that completely automate the installation and regular renewal of SSL certificates from Let’s Encrypt.

This basically means that you don’t have to do any of the technical stuff described in the video above yourself!

I strongly recommend that if your existing web hosting company doesn’t currently have this feature and has no plans to introduce it by the end of 2017, you should consider switching.

My recommendation for most small business owners is A2 Hosting and I explain why here.

If you happen to think that this is a ‘storm in a teacup’ and I am exaggerating the importance of this feature when choosing a web host, let me assure you that this is not the case.

As a matter of fact, Matt Mullenweg, who is the co-creator of WordPress and the Chairman of the WordPress Foundation, holds the same views and has announced that:

in 2017, we will only promote hosting partners that provide a SSL certificate by default in their accounts

As you can see, built-in support for free SSL certificates (either from Let’s Encrypt or another provider), should be a major factor in your choice of a web host in 2017.

This is especially the case if you are not a ‘technical person’.

Having an SSL certificate is not enough by itself

If you already have an existing website, the fact that an SSL certificate has been installed for your domain (either automatically by your web hosting company or manually by you or your developer) is unfortunately not enough.

There is some additional work that needs to be done before your website will actually start using the certificate and will run on HTTPS instead of HTTP.

However, that shouldn’t scare you or put you off moving to HTTPS as this is not as hard as you may think, especially if you are using WordPress for your website (which is really the only option you should consider as I explain here).

A2 Hosting has a guide on switching a WordPress website to HTTPS as well as information on how to make sure that anyone who enters your non SSL-enabled HTTP address gets redirected to the HTTPS version.

If you don’t use A2 Hosting, this article has instructions for a few other popular web hosts.

Other ‘fringe benefits’ of running your website on HTTPS

As I already discussed in this post, the main reason why you should be getting an SSL certificate and moving to HTTPS is the change in Chrome that will be fully rolled out by the end of 2017.

However, that is not the only reason!

Running your website on HTTPS has some other benefits:

  1. You will be able to take advantage of HTTP/2, which allows your website to load much faster and has other important benefits. Due to the way HTTP/2 has been rolled out, you can effectively only take advantage of it if your website is running over HTTPS.
  2. Having your website on HTTPS may help you get a better ranking in Google. While HTTPS currently has only a minor impact on rankings in Google, most SEO (Search Engine Optimisation) experts agree that this impact will increase in the future, as Google have openly said that they want to see a 100% encrypted web.
  3. Having an SSL certificate and running your website on HTTPS is very likely to increase trust amongst your website’s visitors. This means it is much more likely they will complete the desired action (known as a ‘conversion’) you want them to take on your website such as agree to receive marketing emails, enter their contact details or complete a purchase.

Whatever you choose to do, the absolute worst option you can go with is to ignore this issue and pretend that this does not concern you.
