To understand the need to switch to HTTPS, it is first necessary to understand the difference between standard HTTP and HTTPS.
HTTP stands for hypertext transfer protocol, a protocol that defines how information is exchanged between a client (browser) and a web server. Every time a user connects to a website, the user’s browser sends a request to the server that lets the server know what is being sought. The server processes the request and either returns the requested resource or takes some other action, such as generating a ‘not found’ error message.
Using standard HTTP, neither the request or the response is encrypted in any way. That makes the protocol vulnerable to hacking. A third party can intercept communications in either direction and can modify what is requested and what is returned.
The S in HTTPS stands for ‘secure.’ When this protocol is used, communications are encrypted before transmission in each direction by means of an X.509 Digital Certificate. This greatly enhances the security of communications between a website and its visitors.
How it works?
To implement HTTPS, website owners must acquire a Digital Certificate. These certificates can be purchased from web hosting companies and from other trusted (by browsers) sales sites. Trusted vendors of Digital Certificates include Geotrust, Godaddy and Verisign.
There are also free options. Let’s Encrypt is an open source option backed by companies like Google and Mozilla.
Purchased certificates are normally valid for one year, and must be renewed annually, at a cost, to continue using them. Let’s Encrypt must also be renewed, but renewal is free of charge.
Once acquired, the certificate is installed on the web server. When it is in place, you can use the HTTPS protocol.
With a security certificate in place, web pages and resources returned will show the web address beginning with HTTPS. For example, if mydomain.com uses the HTTP protocol, all web page addresses will start with http:// in the address bar. If the owner of mydomain.com purchases and implements a Digital certificate, secured web page addresses will commence with https://.
Why being secure is important?
A website may ask visitors to enter their email addresses, usually via a contact form, for example. When the visitors press SEND or ENTER buttons, the email addresses are sent to the website. If HTTP is being used, the email addresses are sent in plain text. If the communication is compromised, that email data can fall into the hands of third parties.
Just as email addresses could be intercepted, any other data can fall into the wrong hands. This could include sensitive personal information. If an unsecured website processes payment details, credit card information could be intercepted with very serious consequences. Encryption makes it almost impossible for third parties to extract sensitive information from users or web servers.
What if my website does not gather any data?
It is still advisable to switch to using HTTPS, because this protocol is likely to become the new standard. Many web users do not have a clear understanding of security implications when using the internet. Such users will feel happier using websites that show the green padlock icon that appears when HTTPS is used.
Unsecured websites are open to many different types of tampering. For example, you may have pay-per-click assets on your web pages. Malicious users or software programs could replace your referrer data with their own, thereby deflecting your earnings into their account. Another vulnerability is that links in your website could be modified to send users to somewhere else.
You should also keep in mind that Chrome and Firefox display a warning message saying the site is not secure when users enter certain types of data on websites or web pages that use HTTP. This may scare some users into leaving the site immediately. It is likely that other browsers will adopt a similar policy in the future.
Search engines may give lower rankings to unsecured sites. Google has already advised that it prefers to show secured sites whenever possible. If you do any search in Google, look at the web addresses in the results on page one. You will see that most begin with https://, indicating that these sites or pages are secure. You may find it difficult to find any generic (not paid for) results on the first page that are not secure. If you rely on organic search results to generate some or all of your business, then you need to make your site secure to make sure you do not slip down the rankings in search engine results.