17 Upsides of HTTP to HTTPS Migration
Today I will talk about 17 Upsides of HTTP to HTTPS Migration.
When the computer web browser was first invented, it was soon recognized that security needed to be added for online banking, eCommerce, paying your taxes and so much more. In 1994 HTTPS, which is HTTP over TLS (Transport Layer Security), began to be adopted by an ever-increasing security-sensitive web.
Why is the topic of HTTPS important to every website owner?
In late 2018, of the top 1M visited websites in the USA, only 55.1% were using HTTPS. That means 450,000 of the top 1,000,000 visited websites still don’t care enough about their visitors to protect their data during transmission by encrypting it!
Check this link to the BuiltWith site for the latest numbers.
What is HTTP to HTTPS Migration and SSL Certificates?
HTTP: Hypertext Transfer Protocol
HTTP stands for “Hypertext Transfer Protocol” and it defines how computers communicate over a computer network. Data is transmitted between any two systems using “plain text”. The phrase “plain text” simply means that the text is human readable when being transmitted between any two computers. That means that anyone with a simple wifi connection and some simple software can intercept and read (steal) your information when you send it.
HTTPS: Hypertext Transfer Protocol Secure
HTTPS stands for “Hypertext Transfer Protocol Secure” and is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. Data is transmitted between any two systems using “encrypted text”. The phrase “encrypted text” simply means that the text is all jumbled up into a non-human readable form when being transmitted.
That means that anyone with a simple wifi connection and some simple software can still intercept your traffic, but they will not be able to read (steal) your information when you send it. All they see is a bunch of jumbled up characters that in no way resembles human-readable language.
In technical terms, HTTPS uses TCP Port 443 by default, whereas HTTP uses port 80. So, HTTP and HTTPS are two separate communication paths.
In layperson terms, HTTPS is all about Web Security in your web browser. HTTPS encrypts the transmission of data between your browser and another website.
A site that displays HTTPS does NOT in any way guarantee that the other website that you are sharing data with is not a hacker or website that could steal your data.
HTTPS makes it very difficult for anyone else to see your data while you are sending it to the other website. HTTPS websites should stop most data theft by what are called “man in the middle” attacks. This is a very important part of your website security.
Visually, HTTPS is that little “Lock” that is present (or missing) immediately in front of the URL that you enter into your web browser search window field. The “lock” indicates that the website has an SSL Certificate associated with it. SSL stands for “Secure Sockets Layer”.
SSL Certificate: Secure Sockets Layer Certificate
SSL Certificate stands for “Secure Sockets Layer” Certificate. An SSL Certificate signifies that your site supports the HTTPS protocol. Certificates are issued by a number of certified companies. The certificate authority we use for many of our clients is Let’s Encrypt.
SSL is actually the out-dated name for TLS (Transport Layer Security). TLS was created in 1999 to solve many of the issues with SSL. However, the name SSL “stuck” and is still the common name used today.
SSL certificates are issued to websites by a trusted third party referred to as a ‘Certificate Authority’ (CA). SSL Certificates are available in Three Validation Levels and Four Certificate Types:
Certificate Validation Levels
- Extended Validation Certificates
- Organization Validated Certificates
- Domain Validated Certificates
Certificate Types
- Single Domain Certificates
- Wildcard SSL Certificate
- Multi-Domain SSL Certificate (MDC)
- Unified Communications Certificate (UCC)
Let’s quickly review each level and each type and their use.
Certificate Validation Levels
Extended Validation Certificates (EV)
EV certificates provide the highest levels of security, trust and customer conversion for online businesses. EV certificates are issued only after the issuing CA has conducted rigorous background checks on the company according to the guidelines laid out by the Certificate Authority/Browser (CA/B) Forum. Because of this, EV certificates contain a unique differentiator designed to clearly communicate the trustworthiness of the website to its visitors.
On a website that uses an EV certificate, a visitor will see the address bar turn green and/or a green padlock in major browsers such as Internet Explorer, Firefox and Chrome.
EV certificates are used by all major online retailers and banks and are highly recommended for businesses that wish to immediately build customer trust in their site.
If you think your site has an SSL Certificate and should be showing a green padlock, try the free tool WhyNoPadLock.com and see if it will help you identify the issue.
Let’s Encrypt has no plans to issue EV SSL Certificates.
Organization Validated Certificates (OV)
OV Certificates include full business and company validation from a certificate authority using their established and accepted manual vetting processes. OV certificates conform to the X.509 RFC standards, meaning an OV certificate contains the full company name and address details.
This means an OV SSL Certificate provides higher levels of assurance to end-users than a Domain Validated (DV) Certificate.
Because OV SSL Certificates are not validated to the CA/B forum standards, they do not possess the ability to turn the browser address bar green.
Let’s Encrypt has no plans to issue OV SSL Certificates.
Domain Validated Certificates (DV)
DV certificates provide the same high levels of data encryption as the other validation levels but do not provide the assurance about the identity of the business behind the website that an EV or OV SSL Certificate does.
DV certs are issued after domain control has been established using an automated, online process.
Because DV SSL Certificates are not validated to the CA/B forum standards, they do not possess the ability to turn the browser address bar green.
DV certs are a popular choice amongst small-medium sized sites because of their faster issuance times and lower price points.
Let’s Encrypt certificates that we use for our clients are standard Domain Validation (DV) Certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
Certificate Types
Single Domain Certificates
A single domain certificate allows a customer to secure one Fully Qualified Domain Name (FQDN) on a single certificate. For example, a certificate purchased for www.IdeaToGrowth.com will allow customers to secure any and all pages on www.IdeaToGrowth.com/.
Single domain certificates are available in DV, OV, and EV certificate validation levels. The single domain certificate is ideal for small to medium-sized businesses managing a limited number of websites. However, businesses that operate multiple websites will benefit from the added flexibility offered by wildcard or multi-domain certificates.
Wildcard SSL Certificate
A Wildcard certificate allows businesses to secure a single domain and unlimited sub-domains of that domain. For example, a wildcard certificate for ‘*.IdeaToGrowth.com’ could also be used to secure ‘payments.IdeaToGrowth.com’ and ‘login.IdeaToGrowth.com’.
A wildcard certificate will automatically secure any sub-domains that a business adds going forward. A wildcard SSL certificate also helps simplify management processes by reducing the number of certificates needing to be tracked. For growing online businesses, Wildcard certificates provide a flexible, cost-effective option to having to purchase and manage multiple single certificates.
Multi-Domain SSL Certificate (MDC)
Multi-Domain certificates allow website owners to secure multiple, distinct domains on a single certificate. For example, a single MDC can be used to secure domain-name-1.com, domain-name-2.com, domain-name-1.org and so on. An MDC SSL Certificate allows one to secure up to 100 different domains (or wildcard domains) on a single certificate.
This simplifies SSL management as administrators need only track a single certificate with a single expiry date for all domains instead of keeping track of multiple single domain certificates. In addition, MDC has a cost saving over the price of single domain certificates.
Let’s Encrypt Certificates support Multiple Domain Names (MDC).
Unified Communications Certificate (UCC)
Unified Communications Certificates are specifically designed for Microsoft® Exchange and Office Communications server environments. UCCs use the Subject Alternative Name (SAN) field to allow customers to include up to 100 domains on a single certificate. This eliminates the need for the different IP addresses per website that would otherwise be required. UCCs also support the Microsoft Exchange Autodiscover service. This is a powerful feature which reduces client administration. As with MDCs, a single UCC greatly reduces SSL management while realizing cost savings over individual SSL site purchases.
Let’s Encrypt offers UCC / SAN SSL Certificates.
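The coverage rules behind the wildcard and multi-domain (SAN) certificates described above can be checked with a short script. This is an added example, not code from the original article; the SAN list and hostnames are constructed, and the matcher follows the single-label wildcard rule browsers apply (RFC 6125), under which a wildcard entry covers neither the bare domain nor names two levels down.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# The SAN entries and hostnames below are constructed for illustration.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_entry_matches(pattern, hostname):
    """Return True if one SAN dNSName entry covers the hostname.

    Wildcard handling follows the rule browsers apply (RFC 6125, 6.4.3):
    "*" is honoured only as the whole left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld"; compare everything right of the "*".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def coverage(san_entries, hostnames):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {
        host: next((e for e in san_entries if san_entry_matches(e, host)), None)
        for host in hostnames
    }


# Constructed certificate: one wildcard entry plus one extra domain, the way
# a multi-domain (SAN) certificate lists several names.
SAN_ENTRIES = ["*.example.com", "example.org"]

HOSTNAMES = [
    "payments.example.com",      # one label under the wildcard
    "example.com",               # bare domain: needs its own SAN entry
    "api.payments.example.com",  # two labels deep: wildcard does not reach
    "example.org",               # listed explicitly
    "www.example.org",           # not listed, no wildcard for it
]

if __name__ == "__main__":
    for host, entry in coverage(SAN_ENTRIES, HOSTNAMES).items():
        print(f"{host:28} {'covered by ' + entry if entry else 'NOT covered'}")
```

Any hostname reported as not covered would raise a certificate name-mismatch error in the browser, so the bare domain and deeper sub-domains have to be added to the SAN list when the certificate is ordered.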
How Do I Know if My Website is HTTPS (has an SSL Certificate)?
If your website or a website that you visit has been secured by an SSL Certificate, the browser URL will look similar to this image below:
Each browser displays SSL Certification slightly differently and the visualizations are changing (2018 / 2019) so consult your browser for their standards. A good site to check for how your browser displays SSL Certification (HTTPS Compliance) is a well-known site like Amazon or Google.com.
At the time of this writing, the lock image was GRAY colored and appeared in front of the text: https://www.amazon.com on the Chrome browser.
At the time of this writing, the lock image was GRAY colored and appeared in front of the text: www.amazon.com on the Safari browser.
At the time of this writing, the lock image was GREEN colored and appeared in front of the text: https://www.amazon.com on the Firefox browser.
So, there are some visual differences you should be aware of.
Now contrast the above with a website that is not safe because it DOES NOT have an SSL Certificate as shown below:
If you saw the words “Not Secure” when you went to a website, how long would you hang around? Just long enough to click the back arrow on your browser for most people.
Why Should I do an HTTP to HTTPS Migration?
1. Protect Your Brand
Your company brand is everything to the growth and survival of your company. Think back to when Target was hacked for the first time back in 2013. Their brand was in the mainstream media initially every day and still is used as an example of poor website security. They settled with customers for $18M in 2017 which started another negative news cycle.
The real dollar cost to Target was likely in the hundreds of millions of dollars due to lost customers and sales. Although this attack was not believed to be an SSL Certificate related attack, this example shows the downside of not having a secure website.
Do you want to be a smaller version of the Target poor website security story?
2. Protect Your Users’ Privacy
Users expect, no, demand privacy when they visit a website. Website users are slowly educating themselves on the warning flags to look for when they visit a website.
While a user can not see if you have all of the many other things that you need to do to have a secure website, they can easily see if you have an HTTPS SSL Certified website by looking for the little lock next to your URL.
As more and more web visitors become aware of the importance of seeing “the little lock” in front of any domains URL, that will be what forms their first level of confidence in your website.
Sites which lack “the little lock” in front of their domain URL will likely quickly die. In mid-2018, as many as 78% of all websites worldwide were using SSL Certificates and displaying HTTPS Compliance.
Do you want to be part of the dying 22% of websites that are not HTTPS compliant?
3. Google Demanding Sites be HTTPS
Over the course of 2016 and 2017, rumors have floated over Google’s formal position on forcing the move to HTTPS encryption.
In 2017, Google began formally warning website owners that non-HTTPS sites would receive consumer visual messaging that identified such a site as non-secure. Sites that remain on the non-secure HTTP protocol will be visually marked with a warning in the URL bar of the surfer’s browser.
The “NOT SECURE” visual mark image was built into release 68 of Chrome, which appeared in July 2018. Other browser manufacturers are implementing similar visual non-compliance signatures in front of the non-compliant URL name.
They literally put the word “WARNING”, “INSECURE” or “NOT SECURE” in front of your domain URL. Other browsers are expected to follow their lead in 2018 and 2019.
Website owners who have a warning image in front of their domain URL in a browser have seen their traffic drop over 90%.
The Chrome browser has over 60% Market Share worldwide.
I would call that sort of action by Google and other browser manufacturers to be a demand to change to HTTPS.
4. SSL is required for PCI Compliance
Do you have an eCommerce website? In other words, do you sell stuff via your website? Well, in order to accept credit card information on your website, you must pass certain audits that show that you are complying with the Payment Card Industry (PCI) standards.
The very first requirement states “PCI requires adequate encryption of credit card holder information while being transmitted”. The only way to meet this requirement is properly using an SSL Certificate to encrypt your data.
5. HTTPS Speeds Page Open Speed
In the early days of HTTPS and SSL Certificates, browsers and the various domain authorities were not well optimized. As a result, you will find many posts about HTTPS and SSL Certificates causing web pages to load slower. By 2015 this was no longer the case. In fact, many tests have shown that HTTPS SSL Certified sites now open faster than HTTP sites.
6. Good for SEO (Search Engine Rankings)
I talked earlier about how Google is marking HTTP sites with a warning moniker. You can bet that whacks a site’s SEO rankings! Google uses HTTPS as a key ranking signal.
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
- Encryption: Encrypting the exchanged data to keep it secure from man-in-the-middle attacks
- Data Integrity: Data cannot be modified or corrupted during transfer without being detected by the protocol
- Authentication: Proves that the users communicated with the website they intended to communicate
Google states that websites that use HTTPS will have a small ranking benefit because of these security points.
HTTPS carries less weight as a ranking signal than other signals such as high-quality content.
7. SSL is required for AMP
AMP stands for Accelerated Mobile Pages. AMP is the technology that makes mobile pages load almost instantaneously. When a Google search on your mobile device returns a webpage that is AMP enabled, the result has a lightning bolt icon next to the URL.
Most phones are already crippled by slow opening websites due to poor cellular internet connections. AMP technology is how Google intends to make sites that enable AMP open as fast as possible.
8. Protection Against Hackers
Using an SSL Certificate to be HTTPS Compliant is a key first step in securing your website against hackers.
Since HTTPS encrypts the communication between your browser and another website, man-in-the-middle attacks that steal a user’s data are essentially eliminated.
A common example of a man-in-the-middle attack is the hacker who sits in your local coffee shop and steals your username and passwords. This typically can only happen when you use your browser to go to an HTTP site.
9. Google is Indexing Mobile Access
In 2017 Google started indexing mobile. This means that Google’s “algorithms will primarily use the mobile version of a site’s content to rank pages from that site.”
In order for a mobile site to be indexable, Google requires several best practices. One of which is to “Start by migrating your website to HTTPS.”
10. HTTP/2
HTTP/2 is a revision of the HTTP protocol. It attempts to resolve the shortcomings of HTTP/1.1.
HTTP/2 benefits include:
- Server Push: The web server can send resources in anticipation of the client request, avoiding delays.
- Multiplexing and Concurrency: Multiple requests can be sent back-to-back on the same TCP connection. Responses can be received out of order.
- Header Compression: HTTP header size is drastically reduced, speeding page open times.
- Stream Dependencies: The client can set resource priorities to the server.
The company KeyCDN has a Free HTTP/2 Testing Tool you can use to check whether your server supports HTTP/2.
11. Service Worker & Powerful Features
A service worker is a software script (code) that your browser runs in the background, separate from a web page, opening the door to features that don’t need a web page or user interaction.
Today, they already include features like push notifications and background sync.
Because a service worker can run code independently, service workers are only allowed to run on HTTPS protocol sites.
12. Protect Your Revenue (From Proxies)
Proxy hacking (proxy hijacking) is an attack technique designed to replace an authentic web page with a web page provided by a hacker. An attacker uses proxy hacking to redirect users requesting the targeted web page to a malicious or fraudulent website. It is so easy to redirect a site that is not HTTPS Compliant and protected with an SSL Certificate to a hacker site.
Most site owners find out their site is under a proxy attack when they start getting a flood of email asking why they’ve been charged a higher amount for a product they bought from what they thought was your website! They are demanding their money back. Yet you have no idea what they are talking about because you may not even sell the product they are asking about or any product at all!
Suddenly your site reputation is destroyed and you may find yourself paying lawyers to defend you against something you didn’t even do.
13. Better Analytics: HTTPS Referrers
By the end of 2016 Federal agencies were required to make all federal websites accessible through a secure, HTTPS-only connection. What many don’t know is that the switch to HTTPS actually improves your ability to track which sites are directing web traffic to your website!
The reason for this improved tracking is straight-forward. When a visitor travels from an HTTPS site to an HTTP site via a button or link, the referrer tag information is removed. Google Analytics reports the traffic as “direct” so you do not know how the visitor arrived. But, a trip from an HTTPS site to another HTTPS site DOES BRING the referral data, so you know which URL provided the traffic. DigitalGov also has a great article on how URL Shorteners do the same thing.
14. iOS 9+ API and Android 5+ API – App Compatibility
At the Apple Developer Conference in 2015, Apple announced that starting with iOS 9 they would require all connections to use SSL (HTTPS). In the documentation they state:
“App Transport Security (ATS) enforces best practices in the secure connections between an app and its backend. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forwarding secrecy. If you try to make a connection that doesn’t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app’s Info.plist file.”
Google put a similar requirement on the Android Mobile Operating System starting back in 2015 with Android M.
Bottom line – If your site is still running as a non-HTTPS site, you are late to the party.
15. Mixed Content Warning
An HTTPS page is not allowed to load an (insecure) HTTP resource. A web page that attempts to do so will fail with a “Mixed Content Warning” message. When older websites begin to switch to HTTPS they often find that many of the third-party components they use do not support HTTPS.
This forces the website owner into a somewhat challenging decision. They need to either stay on HTTP or remove the third-party software in question.
While some websites have historically opted to stay on HTTP, this is no longer a viable business decision. If the third-party software provider has not updated their software to HTTPS compatibility, it is time to either find a competing solution or remove the software.
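A pre-migration check for the mixed content problem described above, as an added example that is not part of the original article: it scans a page's HTML for subresources that would still load over http:// once the page is served over HTTPS. The page URL, hostnames and sample markup are constructed; the two categories are those of the W3C Mixed Content specification (scripts, stylesheets and frames are blocked outright, while images and media are the ones browsers have historically loaded with a warning).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource, with the
# W3C Mixed Content category of that fetch. Plain <a href> links are
# navigations, not subresources, so they are not listed.
SUBRESOURCES = {
    "script": ("src", "blockable"),
    "iframe": ("src", "blockable"),
    "link": ("href", "blockable"),  # only rel=stylesheet, checked below
    "img": ("src", "optionally-blockable"),
    "audio": ("src", "optionally-blockable"),
    "video": ("src", "optionally-blockable"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, category, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, category = SUBRESOURCES[tag]
        values = dict(attrs)
        rel = (values.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        raw = values.get(attr)
        if not raw:
            return
        # Relative and protocol-relative URLs inherit the page's scheme,
        # so only explicit http:// references end up flagged.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((self.getpos()[0], tag, category, absolute))


def find_mixed_content(page_url, html):
    """List http:// subresources referenced by a page served from page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page with a typical mix of references.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://widgets.example.net/share.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<a href="http://partner.example.net/">partner</a>
<iframe src="https://video.example.net/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, category, url in find_mixed_content(
        "https://www.example.com/index.html", SAMPLE_PAGE
    ):
        print(f"line {line}: <{tag}> {category}: {url}")
```

Each finding is a third-party component to confirm is available over HTTPS, or to replace, before the switch.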
16. Future Proofing
The future of the web lies with ever-increasing performance and security. HTTPS, HTTP/2, and future protocols will keep building on the security that has started with HTTPS and SSL Certificates.
New web features such as progressive web apps, taking pictures, geolocation, recording audio, all require permission from the user. HTTPS is a critical component to the permission workflows for these features and new ones yet to be imagined.
If you are one of the many website owners that have not upgraded your website to HTTPS with an SSL Certificate please do so now. You may be only a lawsuit away from having your business wiped out financially because you wanted to save a few dollars today.
17. HTTPS SSL Certificates are Inexpensive – But Not Easy to Install Yourself
SSL certificates vary in price depending on the level of security required, but services like Let’s Encrypt now provide free basic SSL certificates.
Installing an SSL certificate is part of the process you need to go through to make your site HTTPS.
Sadly, installing an SSL certificate isn’t particularly easy. We strongly recommend you ask a competent web developer to do the installation for you. The reason for this recommendation is that there are many steps required and most are quite technical. Check out this article featuring a 29-step HTTP to HTTPS Process. If you have some experience you will quickly recognize that this is a fairly high-level description of many of the steps. This means that a lot of details are missing, and without those details a layperson is likely to fail in attempting to implement the process.
You can also check out Google’s support documentation about HTTPS. Google’s documentation is even higher level and lacking most details.
We are not able to offer this service to sites that are not on our hosting service as the SSL Certificate installation process can be significantly more difficult on other hosting platforms. However, perhaps our hosting service is right for you — check out the details and sign up here.
Conclusion – HTTP to HTTPS Migration
I hope you now understand the important reasons to migrate your website from HTTP to HTTPS today! I also hope you better understand the big downside risks of NOT migrating. While we have a very competitive service for handling this migration, no matter who you choose to do it – do it now. Further delay only puts your business at risk.
Learn More About Me: https://linkedin.com/in/kennethervinyoung