What Is HTTPS & Why is it so Important?

So, what is this https thing that I keep seeing over and over? HTTPS name derives from Hyper Text Transfer Protocol Secure, the original name for the protocol is HTTP, the key letter here is the “s” in HTTPS which means secure.

When you send and receive data through your browser it be done in 2 ways. Either Standard or Secured. When you visit sites that are using standard HTTP it means your communication with the server is traveling un-encrypted. In most instances this is fine since you’re probably only reading the content provided by a website, not providing valuable private data.

But in cases where you are providing personal information (especially billing, banking or identification data) this is not optimal because a potential attacker could possibly intercept that content and change them on the fly. Which in turn can lead to hacking attempts or theft. This means that for online businesses and secure e-commerce websites, using HTTP is absolutely not acceptable.

Exchanging of private data such as credit card transactions demand HTTPS but with the current increase in hacking activities the demand for what google calls HTTPS Everywhere is growing by the day.

Why HTTPS Is Becoming More Important

Now that you know what HTTP is, it’s important to understand why it’s important. To oversimplify: HTTPS helps keep your web browsing activities safe.

An HTTP site that works un-encrypted can be more susceptible to attacks. Sites that are hacked could also lead to malicious software being installed onto them, which affects readers since malware will affect browsers as well. This situation has become a growing concern with automatized hacking attempts taking place all over the world. The use of HTTPS would help negate many of these attacks by converting all data transfers to encrypted connections, which are more difficult encryption mechanisms to break.

Using HTTPS could lead to a safer, more secure web. But so far it’s been a long road, and there’s still a lot to do before HTTPS can become universal. Also, it’s important to remember that HTTPS isn’t the only factor to be considered in creating safe websites – there are many other steps web managers should implement for blog security.

HTTPS Had Many Flaws In The Past

Why is HTTPS becoming more important now? In the past HTTPS has has struggled to gain traction since SSL Certificates (the actual web documents responsible for creating encryption mechanisms) were not free. Instead they needed to be issued by specific Certificate Authorities to be valid.

So the only other option for budget restricted folks has been “self-signed” certificates. These are not been a viable alternative as they throw a warning on your browser. The warning from self-signed certificates is enough to block your readers from attempting to reach your site since it can seem too dangerous to ignore. This makes “self-sign” certificates useless for any serious attempt at growing your online presence. They are however still an options when only used for websites that are part of your own network and are accessed internally, but again that doesn’t do much to grow your brand online.

This has been a huge disadvantage for bloggers and small businesses all around the world. While larger companies have no problem with the cost, bloggers on a budget who aren’t yet generating a sufficient income from their website simply can’t afford to pay for such certificates. And without a reliable alternative they’ve been SOL for SSL.

On top of it all, once a website was loaded with HTTPS the load time of said site suffered. This was due to the additional overhead that the server had to endure by having to encrypt all the data prior to sending it. Not at all an efficient process if you were willing and able to afford it in the first place.

Version 3 of SSL Is Now Obsolete

To add more insult to injury, valid SSL certificates had been operating on an obsolete platform. The last version of SSL called version 3 that started in 1996 had more and more flaws exposed, so much so that the Internet Engineering Task Force (IETF) decided to make it obsolete

The new TLS protocol is much more secure in every way, which has lead to the whole of SSLv3 being banned on major browsers.

More CPU Power, Let’s Encrypt, TLS and HTTP/2 Have Changed The Game

With the advent of new hardware, faster processors, faster webservers (such as nginx & lighttpd) and faster caching mechanisms (such as varnish) the overhead for supporting HTTPS has been reduced a lot. This means that new SSL adopters need not worry about slowed load times.

Additionally, the new TLSv1.2 protocol introduced for SSL has made SSLv3 obsolete and paved the way for a faster SSL adoption.

On top of that, the recent launch of HTTP/2 is going to be the last nail in the coffin for HTTP supporters. HTTP/2 is an improved protocol over the original HTTP which has been thought out and developed for the present day. HTTP unencrypted is an older protocol which works just fine, but is not as optimized for today’s needs (don’t worry – we will talk more about HTTP/2 in a forthcoming article).

HTTP/2 uses multiplexing to improve performance over traditional HTTP. Image courtesy of CloudFlare

These factors (and more) together reduce the impact of having a site running in HTTPS almost to zero. But what about the cost? This last question has been changed by one variable and it’s called: Let’s Encrypt.

Let’s Encrypt

Let’s Encrypt is a free certificate authority. That means it can issue free certificates with a valid duration of 90 days and the certificates cost nothing to implement. Let’s Encrypt recently came out of Beta and has been working perfectly fine since then. This last piece of the puzzle has made the whole “HTTPS everywhere” Google one step closer to being realized. The main problem Google has right now is adoption.

Luckily Let’s Encrypt has several ways to issue a certificate be it via web by ZeroSSL, by a wordpress plugin via WP-Encrypt or by server with the new packages in Debian and other linux distros called Certbot.

WP Encrypt Free WordPress Plugin

The free WP Encrypt WordPress plugin makes installing and managing your free Let’s Encrypt SSL certificate easy. You can use the plugin to create a certificate, register it and them move your website to HTTPS. But the absolute best part is that the plugin will automatically renew your certificate for you every 90 days, so you’ll always have a valid SSL certificate.

Let’s Encrypt Compatible Hosting

The second easy way to add Let’s Encrypt is via your hosting company. Many popular hosts have been integrating Let’s Encrypt with their packages to make it easy and affordable for their customers to add SSL to their WordPress sites. A few of our favorites include Cloudways, WP Engine and Flywheel. These early adopters have made adding SSL and easy part of their already simple website setup processes.

Google is already pushing HTTPS with SEO Ranking Boost

Google had already started considering HTTPS adoption as a part of their own SEO ranking algorithm back in 2015. Then they announced in 2016 that they were going to implement a very minor ranking boost to all websites that switch from HTTP to HTTPS. According to Google this is currently not strong enough to affect rankings in a meaningful way, but it’s an indication of things to come.

As you can see, Google has already made telltale changes in 2015 and 2016, and now they’re going to push the boundaries even more in 2017.

There’s gonna be a warning on Google Chrome in 2017

With the now widely adopted HTTP/2 protocol and perhaps even the proliferation of Let’s Encrypt users now counting in millions all around the world, Google has begun to make it’s next move. Google recently announced that they will start displaying an exclamation mark for all sites that are un-encrypted, beginning with their recent Google Chrome Update.

Then starting in January 2017 they plan to flag HTTP websites that transmit sensitive user data (such as passwords, credit card information, etc) with a red warning sign. This will no doubt, will start creating mistrust with all those sites that don’t make the switch.

The move is a bold one, I am sure of that, but it does say something about where the web is headed. With more and more sites switching to HTTPS and the increase in usage of the internet all over the world, HTTPS is going to be the defacto standard in the coming years.

Recap

New technologies have finally arrived to make HTTPS much more attractive. With the inclusion of faster webservers, faster CPUs, better protocol encryption mechanisms through TLSv1.2, the recently launched HTTP/2 protocol and Let’s Encrypt giving free certificates to anyone who want’s them the way has been paved to faster HTTPS adoption. On top of that Google’s enforcement of the switch by future updates is another push towards HTTPS.

But don’t worry – as mentioned in the first article of this post, for blogs and magazines you shouldn’t feel pressured to rush to HTTPS. You should carefully think through your move from HTTP to HTTPs since it could affect your search engine rankings. But for e-commerce and membership based websites you will need HTTPS enabled and active on your login and checkout pages to prevent users from seeing a warning in 2017.

Did I gave you enough reasons to switch? In my next article, I’m going to examine how to make the switch to HTTPS in WordPress using plugins, how to add your certificate in cPanel, Vesta or your custom VPS with nginx. Stay tuned!