Wake-Up Call: It’s Time to Secure Your Website with HTTPS

It’s time to be blunt.

If your business has a website, you need HTTPS. The elephant isn’t just in the room; it’s parked on the sofa, blasting death metal and eating all your Doritos.

It used to be easy to ignore the issue of website security unless you were in ecommerce, the financial sector, or the healthcare industry. Getting certificates, keeping them up-to-date—it used to be a hassle, and hard to see that the rewards were worth the trouble.

Now the issue couldn’t be clearer. Not having HTTPS on your business’ site will hurt your business in direct and concrete ways:

Web Performance Measure

With HTTPS

Without HTTPS

SEO

SEO performance Boost

SEO performance penalty

Security

Secure for visitors

Secure for site owner

Not secure for visitors

Less secure for site owners

Visitor Trust

Visitors trust secure sites

Visitors will be alarmed by ‘Not secure’ warnings

 

Fortunately, it’s also easier than ever to set up and maintain HTTPS certificates for your site. That hassle/reward ratio has flipped upside down.

Most importantly, the web is moving towards an exclusively secure environment. It’s time to join that movement, or be left playing catch-up.

For those who want their business to succeed, using HTTPS is no longer optional. But don’t panic. By the time you reach the bottom of this page, you will know:

  • What exactly HTTPS is

  • Why you need it

  • What will happen if you don’t have it

And, most importantly, how to get it.

What Is HTTPS? And What Is It for?

HTTPS stands for Hypertext Transfer Protocol Secure. You may also hear the terms Transport Layer Security (TLS) and Secure Sockets Layer (SSL), or see people talking about “SSL certificates” or “certs.” All of these terms are essentially talking about the same thing: a protocol for securely transferring data between a web browser and a website.

HTTPS creates secure connections by providing authentication and encryption between a browser and your website. That means it:

  • Lets your customers’ web browser know that you are who you say you are (authentication)

  • Encodes the information your site sends to the customer and vice versa (encryption)

Note that the protection goes both ways: It helps keep your website safe from malicious users, and keeps your users’ data secure. HTTPS makes it harder for anyone to intercept data in either direction, from server to browser, and use that data to malicious ends.

Why You Need HTTPS 1: Everybody’s Doing It

The technology behind HTTPS is over twenty years old. The first browser with SSL built-in was released in 1995. For most of the intervening years, however, HTTPS was used mostly by sites taking credit card payments and sites that dealt with sensitive information like health or financial records.

HTTPS has skyrocketed in the past five years, however, and the adoption rate is steadily increasing. The percentage of the top 500,000 websites serving HTTPS more than doubled in the last year, increasing dramatically in just the last few months (source):

Percentage of Top 500k Sites Using HTTPS Chart

As the trend continues to escalate upwards, we can expect to see the majority of the top 500,000 sites using HTTPS by the end of next year, if not sooner.

Not only that, but looking at websites as a whole only tells part of the story. If you look at pages loaded—the volume of traffic, not just number of sites—you can see we’re already past the tipping point (source):

Percent Page Loaded Over HTTPS in Chrome

Both Mac and Windows users had already passed the 50% point by October of 2016, and those numbers continue to rise.

What’s driving this trend? Small, mom-and-pop shops like Apple and Facebook. Apple requires HTTPS connections for all IOS apps. Facebook uses the protocol for its Instant Articles.

The biggest driver of HTTPS adoption, however, is the company that is nearly synonymous with search on the internet: Google.

Google has increasingly made HTTPS a priority. They started by adopting it themselves, then recommending it, and soon will be requiring it. Here’s a quick rundown of their major movement on the issue:

  • 2010: Google announces HTTPS by default for Gmail and encrypted search

  • 2014: Google calls for HTTPS everywhere, announces HTTPS will be a ranking signal in their search.

  • 2016: Google Chrome adds a “Not Secure” warning in the address bar for sites with password or credit card form fields.

  • 2017: Google announces that future editions of Chrome will add a red “Not Secure” warning for all non-HTTPS sites.

More than half of all internet browsers use Google Chrome, and more than half of all web searches are through Google. So the company’s push for HTTPS, along with partners like the Mozilla Foundation and Let’s Encrypt, is driving the explosive growth in HTTPS adoption.

Of course, “everybody’s doing it” isn’t a ringing endorsement by itself. What’s important is why everyone’s doing it:

Why You Need HTTPS 2: Not Having It Will Hurt Your Business

Businesses run on trust. Potential customers need to feel confident that it’s safe to do business with you online. They need to know your site is genuine, not a spoof site set up to harvest their data. They need to know you’re encrypting and protecting their personal information.

Historically, consumers might have taken that trust for granted. But as the web moves towards HTTPS, sites that aren’t secure will generate alarming messages for their visitors. Here’s what the address of an unsecure site will look like in just a few months:

unsecure site address

Would you stay on a site with that red triangle? Would you trust them with your credit card number? Or would you go back to the search results and pick a different vendor? And more importantly, would you ever check back to see if that site got secure?

Chrome has cornered the browser market. Nearly 60% of internet users choose Chrome. In second place is Firefox, with just 13.5%. Here’s how your non-HTTPS site looks in Firefox right now:

How non-HTTPS sites appear in Firefox

Why You Need HTTPS 3: Without It You Will Lose Search Visibility

However, all of the above assumes that a user clicks on your site in search results. As Google prioritizes HTTPS, they have made it a ranking factor in search. That means Google search results will give preference to sites with HTTPS.

Sites without HTTPS will steadily drop in ranking as secure sites take over the top spots. Since the first four links in search results get over 75% of the traffic, there’s virtually no way to be competitive in search without HTTPS.

The Simplest Ways to Get HTTPS

It’s clear that any company doing business on the web needs to adopt HTTPS, and the sooner, the better. Fortunately, it’s gotten far easier to get set up. Let’s Encrypt is a free, open source certificate authority funded by Google, Mozilla, Pantheon, and many others. You can follow these instructions to get started.

At Pantheon, we believe that HTTPS is no longer optional. We are the only hosting company to include fully managed, free HTTPS certificates for all of our hosting plans. We automate the process to make it seamless and painless, through our partnership with Let’s Encrypt and our Global CDN technology.

The future of the web is secure. It’s getting harder to operate online without HTTPS, and it’s getting easier to implement it on your site. To make sure your customers can find you online, and trust you when they do, it’s imperative to get started now.

Ready to equip your site for the future? Create a free account to explore Pantheon.


You may also like: 

WP enterprise  

Developer’s Guide to Frontend Performance
Learn how to ace an online speed test with Pantheon’s Global CDN in our comprehensive guide.

 

Topics Website Technology, Security, Speed & Performance, Drupal, WordPress

Let’s get in touch

855-927-9387