Of course, unencrypted connections should never be used to send sensitive data. With the rollout of Chrome version 62, however, the browser will begin labeling HTTP pages that contain any user input fields as “Not Secure.” This includes common text input fields, like contact forms, comment forms, and email subscription forms.
These changes are coming because Google wants to warn users about sending unencrypted messages over the web, even if they don’t contain sensitive information. If you aren’t using a contact form, accepting comments, or collecting newsletter signups on your site, you may not need to worry — yet. Google has confirmed that they will eventually mark all regular HTTP pages as “not secure.” Ultimately, only HTTPS sites will be considered secure. Other major browsers are expected to follow Google’s example.
In this post we’ll cover exactly what an SSL certificate is, how it works, and why you may want to consider installing one on your site.
What are SSL and HTTPS?
As you surf the web, you probably notice that the address for some sites begins with an HTTP prefix that looks like this:
http://example.com
Others begin with the HTTPS prefix:
https://example.com
HTTP stands for Hyper Text Transfer Protocol. This is the connection a user’s computer uses to access a website. HTTPS stands for Hyper Text Transfer Protocol Secure. This means the connection used by a user’s machine to access data on a website is encrypted. The encryption is usually handled by Secure Sockets Layer (SSL) or Transport Layer Security (TLS). To keep things simple, we’ll refer to both types of technology as SSL in this article. SSL is the actual means of securing the data while “in transit” between the site and the user.
Googling how these certificates work turns up a ton of info. To simplify, an SSL connection requires two keys. One is public and one is private. A website visitor’s browser will use the public key to communicate with the server (website). The information being passed from a user to the server will travel as an encrypted message. The server uses the private key to decode the data when it arrives. If the content is intercepted along the way, it’s encrypted and worthless, providing another layer of security.
Why haven’t more sites started using SSL?
Until recently, SSL certificates were thought to only be necessary for sensitive information like credit card numbers and passwords. For this reason, they’ve mostly been ignored and some pretty major sites still do not have SSL certificates installed.
Personally, I believe most people misunderstand what an SSL certificate is and how easy it is to purchase and install one. The cost has decreased dramatically over the last few years as well. I remember seeing basic SSL certificates ranging from $40 all the way over $100 for one domain.
Luckily, things have recently changed. SSL certificates are easier to install and much more affordable than ever before.
The different kinds (and costs) of SSL certificates
If you’ve ever looked into adding an SSL certificate and visited your host’s website, it’s easy to get overwhelmed. Here’s a look at some of the options available from popular hosts:
SSL certificates can also be purchased from third-party providers, then installed on your hosting environment. Basic certificates allow for a certificate to be installed on a single domain. A wildcard certificate allows you to install one certificate that covers all subdomains (such as https://demo.audiotheme.com). Though the technology is the same, several of the more expensive certificates come with warranties. They range into tens of thousands of dollars of coverage. Be sure to read the fine print on these kinds of warranties, though. They often only cover fraudulent charges to the end user that are the fault of “improper validation” on behalf of the certificate.
Benefits to having an SSL
There are a couple of benefits to having an SSL certificate installed. Obviously, the trusted green padlock puts users at ease. You may see more conversions than before, as a user is more likely to interact and provide data on a secure site. Less obvious though, is that in 2014, Google stated that HTTPS is used as a ranking signal. This means your secure site will be favored more than it would as an HTTP site. Additionally, something that may not be obvious is that when information is intercepted from a site without an SSL certificate, it can actually be changed and then passed on to the intended destination. This means that while the information may make it from the user to the server, it actually has a chance of being changed along the way. Encryption prevents that.
Free SSL Certificates
As alluded to before, SSL certificates are becoming cheaper and more accessible. Recently, one organization in particular has been making a name for themselves as a leading provider of free SSL certificates.
Let’s Encrypt is a free program headed up by the Internet Security Research Group. They also have the support and sponsorship of some major companies, including Mozilla, Cisco, Facebook, and Sucuri. Their goal is to make the web a safer place for internet users. One of the great things about Let’s Encrypt certificates is that many web hosts have partnered with them to allow SSL certificates to be installed with one click. Among this list are SiteGround and BlueHost.
If you are hosted by a different company, go ahead and ask if they support Let’s Encrypt. They may be able to install the certificate for you.
As a heads up, the Let’s Encrypt certificates are only good for 90 days at a time, so you’ll have to remember to renew them. That is, unless your host automatically does this for you, like SiteGround does.
What about sites that are already established as HTTP?
Installing an SSL certificate before you start building a new site is easy, but what if your site is already established? If you’re using WordPress, you may run into an issue where the settings of your site under Settings → General still have the HTTP prefix. This can cause some issues in terms of how users access your site regularly. Even if you have an SSL certificate, if the site is accessed over HTTP, the encryption is not active. You’ll also want to keep an eye out for “mixed media” (browsers and their developer tools call this “mixed content”). Images and other files that are still loaded over HTTP instead of HTTPS will cause a mixed media issue. If you’re still getting a “Not Secure” message after installing an SSL certificate and the HTTPS prefix is displaying, mixed media is probably the culprit.
There is a one-click plugin that resolves most mixed media issues, and can make the conversion of an HTTP site to HTTPS pretty simple. Really Simple SSL will change your site options and resolve most media paths with one click. There are some exceptions though. For example, if you’ve added a path to a media file via CSS, the plugin will not always find it. Simply updating that URL to include the HTTPS prefix should resolve the problem. You should be able to search the site’s source code, or use Google’s Developer Tools to pinpoint instances of mixed media.
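A checker for the cases described above, added here as an example (it is not part of the original post or of the Really Simple SSL plugin): it scans saved page source and stylesheets for files still loaded over http://, including the CSS url() paths a one-click rewrite can miss. The function names and the example.com sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)
# Attributes that fetch a subresource; <a href> is navigation, so not flagged.
FETCH_ATTRS = {"src", "poster", "data"}

def scan_css(text, first_line=1, where="css"):
    """Return (line, where, url) for each http:// url() in CSS text."""
    return [(first_line + text.count("\n", 0, m.start()), where, m.group(1))
            for m in CSS_URL.finditer(text)]

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        line = self.getpos()[0]  # line on which the tag starts
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style":  # inline CSS
                self.findings += scan_css(value, line, tag + "[style]")
            elif value.lower().startswith("http://") and (
                    name in FETCH_ATTRS or (tag, name) == ("link", "href")):
                self.findings.append((line, tag, value))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # body of a <style> block
            self.findings += scan_css(data, self.getpos()[0], "style")

def scan_html(text):
    finder = MixedContentFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

# Constructed sample page; the example.com paths are made up.
SAMPLE_PAGE = """<head><link rel="stylesheet" href="http://example.com/theme/style.css">
<style>.hero { background: url('http://example.com/uploads/hero.jpg'); }</style></head>
<a href="http://example.com/about/">About</a>
<img src="https://example.com/uploads/logo.png">
<img src="http://example.com/uploads/band.jpg">
<div style="background-image:url(http://example.com/uploads/bg.png)"></div>"""
```

Call scan_html() on a saved copy of a page's source, or scan_css() on a theme stylesheet; each finding is a (line, location, url) tuple. A <link href> is flagged whatever its rel value, so a canonical link may show up and can be ignored.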
Things to look out for
As a heads up — CloudFlare sites have been known to create infinite redirect issues when SSL certificates are activated. So, if you’re using CloudFlare, do some extra homework before you change your site settings. And as always, make a backup before making any changes.
If you use Google Analytics and Search Console to track your traffic, you’ll want to make sure you add the HTTPS variants to the web properties to ensure you’re getting all of your insights.
Wrapping Up
HTTPS is a step towards a safer and more secure web. You’ll likely be called out with the release of Chrome version 62 if your site isn’t encrypted. Luckily, in the last few years the costs have declined and the installation process has become much easier. We’ve covered some of the basics in this article and a free SSL provider trusted by some big name companies. Your host should be able to provide you with more information on the types of certificates they offer, as well as how to install them on your hosting environment.
Great and well-explained post on HTTPS and SSL, Anna. Great to see Really Simple SSL got some love.
That plugin takes the pain out of configuring HTTPS in WordPress. It’s literally one-click and you’re done.