The importance of switching to HTTPS has been discussed for a long time. Earlier, the question was critical only for specific business areas (for example, payment services); today it applies to an increasing number of websites. This is due to the tightening of network security requirements, which we discuss in detail below. This article also covers how to make the transition from HTTP to HTTPS and the nuances of the procedure.
What is HTTP and HTTPS?
HTTP (Hypertext Transfer Protocol) is a protocol for transferring data on the Internet between a web resource and a server. With it, user requests are transmitted from the browser to the server, and the server generates responses and returns them to the browser. This is a basic set of rules for data transfer.
HTTPS (Hypertext Transfer Protocol Secure) is essentially the same protocol with an important addition: an extension named SSL (Secure Sockets Layer), which ensures the safety of data transmission over the network.
How Do HTTP and HTTPS Work?
HTTP provides unencrypted data exchange, which can lead to interception of the information by a third party. For example, billing information entered on an HTTP website can reach attackers while it is being transferred to the server.
What does HTTPS stand for? The advanced protocol allows you to transfer information in encrypted form, which prevents the data from being read and blocks some types of attacks.
The Main Difference Between HTTP and HTTPS
An SSL certificate is a data protection technology that works through encryption keys. It sits between the browser and the server like a filter. Why are sites with HTTPS safe? The information transmitted by the user (pages, logins, passwords, card numbers) is encrypted and cannot be read by outsiders. Each new visit to an HTTPS website establishes a secure connection between the client and the server.
What is the importance of HTTPS?
The most important factors for using HTTPS:
- An HTTPS connection protects the user's personal data and increases their security on the network. This protective measure increases customer loyalty and trust in the website's information.
- From May 25, 2018, the EU General Data Protection Regulation came into force. It regulates the collection and processing of European Union users' data. One of the basic principles of the regulation is the confidentiality and integrity of user data sent to a website. This means that a web resource that provides services to EU citizens must make due efforts to comply with enhanced security measures. In particular, such websites should use a secure data connection.
- Since 2014, the presence or absence of the HTTPS protocol has been one of the Google ranking factors. Today the overwhelming majority of websites in the Google TOP-5 for different categories of search queries use an HTTPS certificate.
- From July 2018, the Chrome browser marks websites without an SSL certificate as "Not secure" in the address bar. This measure discourages users from providing personal information to such web resources.
- Some technical features are not available for HTTP sites. For example, browsers support push technology only for websites with an SSL certificate. Under basic settings, unprotected resources can't use push notifications.
Therefore, moving from an unprotected connection to a secure one prevents theft of users' personal data, improves SEO indicators, protects against violations of legal regulations, gives advantages in the presentation of the product, and expands technical capabilities.
The Advantages and Disadvantages of HTTPS
Advantages:
- Improved website security. The advanced protocol doesn't protect against all hazards and hacker attacks, but it provides basic protection against data theft because the data is transmitted in encrypted form.
- Better chances of successful promotion in search engines. Google prefers websites with a secure connection, and this trend is more pronounced every year. There is no reason to lose competitiveness.
- Protection of mobile user data. This factor is especially relevant today due to the rapid growth of mobile traffic and transactions via smartphones.
- Consumer confidence in your product depends on website security. According to surveys, more than 80% of buyers don't perform operations on websites with an unprotected connection.
- Access to advanced technology. We have already mentioned push notifications. Access to the user's geolocation is also unavailable to HTTP websites. Besides, you can't use Progressive Web Apps (PWA) technology or AMP on an unsecured web resource. PWA combines the advantages of mobile apps and the mobile version of a website, eliminating the shortcomings of each.
Disadvantages:
- A secure connection requires the purchase of an SSL certificate. Today, there are certificates of different levels depending on the organization's needs and status.
- When creating new sites, owners usually choose the HTTPS protocol from the start. But switching an existing site from HTTP to HTTPS requires additional effort and time.
- The server needs additional time to process the encrypted information, so it may sometimes slightly affect the website speed.
Why are there still so many HTTP websites? This is due either to the quality of the web resource or to the owners' reluctance to embark on changes.
How to switch to HTTPS?
Before switching to HTTPS, some preparatory work needs to be done. The transition changes the website address (URL). Accordingly, internal link addresses on the website need to be changed from absolute (for example, http://site.com/articles) to protocol-relative (//site.com/articles). If the content of your web resource (internal links, pictures) opens and displays correctly, you can move on to buying an SSL certificate.
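The link rewrite described above, as an added example that is not part of the original article: it converts same-site `http://` links to the `//site.com/...` form and then lists the resources that would still load over plain HTTP. The sample HTML is constructed, and every host other than the article's `site.com` is invented.

```shell
#!/bin/sh
# Added example, not from the article. SAMPLE_HTML is constructed; site.com is
# the article's placeholder domain, the other hosts are invented.

# rewrite_internal_links DOMAIN: HTML on stdin -> HTML on stdout, with
# http://DOMAIN in href/src/action attributes turned into //DOMAIN.
# Attribute names are matched in lower case only.
rewrite_internal_links() {
    domain_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    # The trailing character class requires the host name to END after DOMAIN,
    # so a look-alike such as http://site.com.cdn.example/ is left untouched.
    sed -E "s@((href|src|action)=[\"'])http://(${domain_re})([/\"'?#:])@\\1//\\3\\4@g"
}

# remaining_http_resources: HTML on stdin -> src= URLs still fetched over HTTP.
# On an HTTPS page browsers block or flag these as mixed content.
remaining_http_resources() {
    grep -oE "src=[\"']http://[^\"']+" | sed -E "s@^src=[\"']@@"
}

SAMPLE_HTML=$(cat <<'EOF'
<a href="http://site.com/articles">Articles</a> <a href="http://site.com">Home</a>
<img src='http://site.com/img/logo.png'>
<script src="http://site.com.cdn.example/app.js"></script>
<img src="http://images.example.net/banner.png">
<a href="https://site.com/contact">Contact</a>
EOF
)

FIXED=$(printf '%s\n' "$SAMPLE_HTML" | rewrite_internal_links site.com)
printf '%s\n' "$FIXED"
echo "--- still fetched over plain HTTP:"
printf '%s\n' "$FIXED" | remaining_http_resources
```

The two URLs in the final list belong to other hosts, so they have to be fixed individually (an HTTPS copy of the resource or a self-hosted one) before the page displays without warnings.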
How to choose an SSL certificate?
The choice of certificate depends on two things:
- what data you collect (only names and email, or billing information);
- what services you provide (a blog with a subscription form, an online store or a bank).
For small businesses without a payment function, DV SSL is suitable. This is the simplest certificate. You need no documents to activate it; only domain ownership is checked. This certificate is sufficient if users enter their name and email on the website.
An OV SSL certificate is for medium-sized businesses. Before you get it, the company's documents must be checked. After that, the certificate and a seal of trust are issued. You can add the seal to the website to make users feel safe.
For large companies with a payment system, it's better to take EV SSL. These are certificates with a green line; they have the highest level of trust.
If the website has many subdomains, it is better to buy a Wildcard certificate. It protects all first-level subdomains (blog.domain.com or mail.domain.com). To protect multiple domains at once, you can purchase a Multi-Domain SSL certificate. Often it's more profitable than buying one certificate for each domain.
Who provides SSL? What is the difference between companies?
The main differences between certificate authorities are the price and the number of browsers that support them. If the user's browser doesn't have the authority's root certificate, the visitor will receive a warning when entering the website. The major authorities include Comodo, GeoTrust, Thawte, Symantec and VeriSign. All popular browsers recognize the root certificates of those companies.
Are there free certificates?
Free certificates exist, but they have their drawbacks.
- Sometimes browsers don't identify such a certificate as trusted and show an error message to the website visitor.
- A free certificate has to be renewed more often than a paid one, or you have to pay for renewal.
- Some free SSL certificates can’t be used for commercial purposes.
How to install a certificate on the website?
First, the certificate has to be issued. The terms of issue vary depending on the type of certificate. For example, to get a certificate with domain verification, you need to:
- generate a CSR (Certificate Signing Request);
- pass a domain name ownership check.
For OV and EV certificates, you need to go through a company check: send the documents to the CA.
After the certificate is issued, install it. The procedure depends on the hosting rules.
To install the certificate you need:
- the private key (RSA). The key is generated together with the CSR;
- the certificate file and the corresponding root certificates;
- access to the hosting;
- it is also worth asking the hosting support whether they have any special requirements for installing certificates.
Various hosting companies offer SSL certificate installation for an extra fee. In that case you can skip some of the steps in the list above; they will do them for you.
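The issuance and installation steps above, as an added example that is not from the original article: it generates the RSA key together with the CSR and, before installation, checks that key, CSR and certificate carry the same public key. It assumes the `openssl` command-line tool; `example.com`, `other.example` and the file names are placeholders, and a self-signed certificate stands in for the one the CA would return.

```shell
#!/bin/sh
# Added example, not from the article. Domains and file names are placeholders.

# new_key_and_csr DOMAIN DIR: write DIR/DOMAIN.key (RSA 2048, unencrypted so
# the web server can read it) and DIR/DOMAIN.csr in one step.
new_key_and_csr() {
    (
        umask 077    # the private key must not be readable by other users
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
            -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
    )
}

# stand_in_cert DOMAIN DIR: self-sign the CSR. This only replaces the CA's
# reply so the check below has a certificate to work on.
stand_in_cert() {
    openssl x509 -req -in "$2/$1.csr" -signkey "$2/$1.key" -days 1 \
        -out "$2/$1.crt" 2>/dev/null
}

# pubkey_of TYPE FILE: print the public key (PEM) of a key, csr or crt file.
pubkey_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# same_keypair TYPE FILE TYPE FILE: succeed only if both files carry the same
# public key. Installing a certificate next to the wrong key fails at startup.
same_keypair() {
    a=$(pubkey_of "$1" "$2")
    b=$(pubkey_of "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

WORK=$(mktemp -d)    # scratch directory; delete it after trying the example
new_key_and_csr example.com "$WORK" && stand_in_cert example.com "$WORK"
new_key_and_csr other.example "$WORK"    # an unrelated key pair

for name in example.com other.example; do
    if same_keypair key "$WORK/$name.key" crt "$WORK/example.com.crt"
    then echo "$name.key matches example.com.crt"
    else echo "$name.key does NOT match example.com.crt"
    fi
done
```

Only the `.csr` file is sent to the CA; the `.key` file stays on the server and is what the hosting panel asks for alongside the issued certificate.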
How to make your website work properly after switching to HTTPS?
Installing a certificate on a new website is easier than on an already existing one, because it doesn't affect traffic. If the website is actively promoted in search engines, you can lose traffic if you don't prepare for the transition.
In order to switch to the new protocol without problems, you should update all the settings:
- redirect HTTP URLs to HTTPS,
- re-add the website to the Google Search Console,
- set a Geographic Target, etc.
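A way to verify the first item, as an added example that is not from the original article: it reads the headers returned for an `http://` URL (as printed by `curl -sI URL`) and checks that the redirect is permanent (301 or 308) and points to the same host and path over HTTPS. The header dumps are constructed; `site.com` is the article's placeholder domain.

```shell
#!/bin/sh
# Added example, not from the article. The header dumps below are constructed.

# check_redirect URL: response headers for the http:// URL on stdin
# (e.g. from `curl -sI URL`) -> one-line verdict on stdout.
check_redirect() {
    want="https://${1#http://}"    # same host and path, https scheme
    awk -v want="$want" '
        { sub(/\r$/, "") }                        # header lines end in CRLF
        NR == 1 { code = $2 }                     # "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { loc = $2 }
        END {
            if (code != 301 && code != 308)
                print "FAIL status " code ": not a permanent redirect"
            else if (loc != want)
                print "FAIL target " loc ": expected " want
            else
                print "OK"
        }'
}

# Constructed samples: a correct redirect, a temporary one, and one that
# sends every page to the home page and so loses the page-to-page mapping.
SAMPLE_GOOD='HTTP/1.1 301 Moved Permanently\r\nLocation: https://site.com/articles\r\n\r\n'
SAMPLE_TEMP='HTTP/1.1 302 Found\r\nLocation: https://site.com/articles\r\n\r\n'
SAMPLE_ROOT='HTTP/1.1 301 Moved Permanently\r\nLocation: https://site.com/\r\n\r\n'

for sample in "$SAMPLE_GOOD" "$SAMPLE_TEMP" "$SAMPLE_ROOT"; do
    printf '%b' "$sample" | check_redirect http://site.com/articles
done
```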
What is at stake if you don’t move to HTTPS?
The transition to HTTPS gives many advantages, both in terms of security and in business promotion opportunities. Protecting user data is gradually becoming the responsibility of webmasters. Following the new trend will allow web resources of different categories to stay competitive in their niche and to serve the interests of both the customers and the business.