Still on HTTP? What remainers need to know about HTTPS
On 8 February Emily Schechter, writing on Google’s security blog, reminded website owners and developers that HTTPS encryption is not just a momentary fad, but it is something that Google will be pushing for the long term.
She also stated that “a larger subset of HTTP pages” will soon be marked as “not secure” by Chrome.
While offering her warnings to those who have not yet migrated to HTTPS, Schechter also shared data regarding the percentage of sites that have made the great leap.
Perhaps the most interesting figure, alongside the fact that 87% of Chrome traffic on Chrome OS and Mac is now protected, is that 81 of the top 100 websites are HTTPS encrypted.
Although that figure is certainly high, it still means that 19 major websites are failing to protect themselves and their users with encryption.
Google has been pushing websites to HTTPS for many years and has even gone as far as offering small ranking rewards for those who have.
There is no doubt that HTTPS makes your website more secure; that is not in debate. But just how much more secure does it make it?
First of all, let’s take a look at what HTTPS actually does.
What is HTTPS
HTTPS is an adaptation of the Hypertext Transfer Protocol for secure communication over a computer network. The traffic is encrypted by Transport Layer Security (TLS), which has since (mostly) taken over from Secure Sockets Layer (SSL).
This is often known as HTTP over TLS or HTTP over SSL, depending on the configuration.
In layman’s terms, HTTPS authenticates a website and protects the privacy and integrity of the data being exchanged.
Anyone trying to view the traffic between the two is therefore prevented from eavesdropping on, tampering with, or collecting the information, which is especially important when financial information is being exchanged.
This kind of breach is otherwise known as a “man-in-the-middle” cyber attack.
So, should companies move to HTTPS?
Absolutely, there is very little reason why any website should remain on HTTP, and Google has identified several reasons why HTTPS should be incorporated into a website migration, including much of what has been written above:
- Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages or steal their information.
- Data integrity. Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
The search engine has also confirmed that sites that cross over to HTTPS can enjoy a small ranking boost.
But it will not make your website secure.
At least, not in totality.
HTTPS does not equal invincibility
It is easy for businesses to presume that because their site is now on HTTPS it is protected, or even invulnerable, against hackers. Sadly, this is not the case, as websites can still be attacked by a kaleidoscope of hacking methods:
SSL vulnerabilities
Although a mighty security protocol, SSL, like any other, is flawed against certain attacks, including Padding Oracle on Downgraded Legacy Encryption (POODLE) and the more well-known Heartbleed bug.
Downgrade attacks
A downgrade attack is an attack on a network or communications protocol wherein encrypted connections are forcibly abandoned in favour of lower quality and vulnerable connections.
DDoS attacks
A distributed Denial of Service (DDoS) attack occurs when multiple computer systems attack a server or a website.
Due to the amount of connection requests or incoming messages, a website can be forced to shut down, denying service to legitimate users.
Brute force attacks
Brute force attacks occur when a hacker attempts to obtain information, such as a user password or PIN, by trial and error.
Automated software is often used to generate (sometimes) millions of consecutive guesses in order to access a website and the information within it.
Software vulnerabilities and outdated plugins
Old software and outdated plugins can leave websites open to breaches and some view hosting them as leaving the back door open for intruders.
Quite recently, the ICO was among thousands of websites that were hacked and infected with cryptocurrency mining software because of a vulnerable third-party plugin.
But there’s more
There are tens of thousands of hacking methods out there and the above is merely a short list of some of the most common and perhaps well-known.
Just because HTTPS doesn’t protect against these attacks, it doesn’t mean that it should be ignored, for it is entirely beneficial.
That said, there are still many considerations to bear in mind during a migration, especially from a technical SEO perspective.
Actions to consider when making the switch to HTTPS
The first step for many is to buy an SSL certificate, which will create an encrypted link between the web browser and the website’s server. You can buy a certificate from a certificate authority.
When buying one, it is important to bear in mind the kind of certificate that you need, as you might have multiple secure origins which will need to be covered by a multi-domain certificate.
Some, of course, are more expensive than others, but they all do the same job.
It’s also recommended that you start with a test server so that you can align your plans with how the process might work come the switch.
You should also crawl your current website so that you have something to compare the new site to once it is on HTTPS.
From here, you should redirect your users and search engines to the HTTPS pages with server-side HTTP redirects, making sure that the HTTPS pages are not blocked by robots.txt files and do not contain noindex tags.
Google also recommends that HTTPS websites support HTTP Strict Transport Security (HSTS), which tells the browser to request HTTPS pages automatically and tells Google to serve secure URLs in the search results.
HSTS can be enabled as follows:
- Roll out your HTTPS pages without HSTS first.
- Start sending HSTS headers with a short max-age. Monitor your traffic from both users and other clients, and also dependents’ performance, such as ads.
- Slowly increase the HSTS max-age.
- If HSTS does not affect your users and search engines negatively, you can, if you wish, ask for your site to be added to the HSTS preload list used by most major browsers.
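As an added example (not code from the article or from Google), the checks below turn the redirect, noindex and HSTS steps above into an offline checker in Python: it takes a response's status and headers as plain values, the per-step max-age target is an assumption you choose yourself, and the preload requirements (max-age of at least one year, includeSubDomains, preload) are those published by hstspreload.org.

```python
# Added example: offline checks for the migration checklist (not the article's code).
import re

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict; None if max-age is bad."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def check_http_redirect(status, headers, request_url):
    """A plain-HTTP request must get a permanent redirect to the same URL on HTTPS."""
    if not request_url.startswith("http://"):
        return False
    expected = "https://" + request_url[len("http://"):]
    return status in (301, 308) and headers.get("Location") == expected

def check_https_page(headers, min_max_age, preload=False):
    """Return findings for an HTTPS response. min_max_age is the max-age the
    current rollout step should have reached (0 for the no-HSTS first step)."""
    findings = []
    if "noindex" in headers.get("X-Robots-Tag", "").lower():
        findings.append("noindex on HTTPS page")
    hsts = parse_hsts(headers.get("Strict-Transport-Security", ""))
    if min_max_age == 0:
        if hsts is not None:
            findings.append("HSTS sent before HTTPS pages are proven")
        return findings
    if hsts is None:
        findings.append("missing or malformed HSTS header")
        return findings
    if hsts["max-age"] < min_max_age:
        findings.append(f"max-age {hsts['max-age']} below rollout target {min_max_age}")
    if preload:  # extra requirements for the browser preload list
        if hsts["max-age"] < ONE_YEAR:
            findings.append("preload needs max-age >= one year")
        if "includesubdomains" not in hsts:
            findings.append("preload needs includeSubDomains")
        if "preload" not in hsts:
            findings.append("preload needs the preload directive")
    return findings
```

Run it against each step's responses from your test server before you raise max-age, and only ask for preloading once the last call returns no findings. Note that it only inspects the X-Robots-Tag header, not noindex meta tags inside the HTML.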
There will also be a range of updates throughout the website that you’ll need to pay attention to, including canonical tags, hreflang tags, plugins, CMS-specific settings, external links, and references in templates and in content.
It’s also worth knowing that Google will treat the migration as a site move, and if you have the right framework in place, you shouldn’t experience any drop in traffic.
However, you should never combine two moves together.
This means that if you want to move your site to another platform, another CMS, another domain or another server, you should never combine it with moving to HTTPS. Each move is heavy in its own way, so each should be carried out on its own.
Lastly, you’ll need to update your Google Analytics and Search Console, changing the default URL to HTTPS in Analytics, and adding the new site with HTTPS in Search.
These actions are of course a brief and incomplete sum of what you need to do to ensure migration best practice, so, if you have any other questions about migrating from HTTP to HTTPS, check out our contact page.