James Marshall Head of Product The Importance of HTTPS for your Business Website To understand HTTPS we need to know about HTTP. Hyper Text Transfer Protocol, or HTTP as it is more commonly known, is simply the structure used by a web browser for transferring and receiving data over the internet, most commonly in the form of the HTML (Hyper Text Markup Language) and CSS (Cascading Style Sheets) that make up each webpage. The long and short of it is that HTTP takes your request and presents you with the files. There’s a whole host of technology behind dating back to the days of Tim Berners Lee at Cern but for the guys on the street, it’s something that just happens, and to be fair, that’s absolutely fine. In fact, let me save you some reading. If you don’t own or manage a website, all you need to know is the following… The green padlock icon in the top left corner of a web page means they are who they say they are and this is a secure webpage. Don’t make a payment online unless you see that icon when asked for your details. For Those Who do Own or Manage a Website I’ll now go into the importance and the benefits of swapping from HTTP to HTTPS for you website and your business. First of all, Google has dropped numerous hints over the years that they want HTTPS everywhere on the web. In other words, for HTTP to become obsolete, and HTTPS to become the new standard. They have also dropped hints that it may even be considered a requirement in future. The Difference Between HTTP and HTTPS The two protocols are virtually identical, both do the exact same job with very little to differentiate the two, the main difference is how the web requests are processed and how that makes them secure. HTTPS or Secure HyperText Transfer Protocol is the next iteration of HTTP. It takes the request and processing functionality of HTTP and makes it secure using what’s known as a Secure Sockets Layer (an SSL) to transport the data rather than simply using a standard port on the server. What this SSL layer does is encrypt the data being transferred from the website while simultaneously preventing this data from being altered in any way during the transfer. In other words, if you were to process a payment on a non Secured webpage, it means that there is nothing preventing a third party from extracting the data being transmitted and reading it normally, making it very easy for internet fraud to occur. Having the SSL in place means that should the data be intercepted, all they would receive is encrypted data that they won’t be able to modify anyway. Other Advantages of Switching to HTTPS Aside from the security, there are also some additional benefits of applying an SSL certificate to your website. A ranking boost – although there was a lot of speculation in the early days whether this was true or not, we’re now nearly three years in since Google first mentioned their plans for HTTPS everywhere on the web, meaning the application of HTTPS to a website has now been confirmed as an attributing factor to improved search rankings. Although currently it’s not a big boost, in future it is predicted that not having one will be a huge negative factor on your rankings. The website and server connection is authenticated, meaning that should your side be hacked cloned and re-routed, it would be impossible for this hacked site to gain the HTTPS authentication, adding an additional layer of protection for your customers should the worst happen. Google will eventually decide that on a certain date they would flag all HTTP websites as insecure, presenting a user visiting your website with their red unsecure website message. Although they will almost certainly give plenty of warning when this will happen, switching to HTTPS will future-proof your website. Making the Switch to HTTPS – What SSL Certificate do I Need? There are currently three levels of SSL Security available at the moment, each one providing a different level of security depending on the needs and services provided by your website. Level 1: DV (Domain Validation) Certificate This is the most basic of the SSL certificates which are provided at the domain name ownership level. If you can log into where you purchased your domain name from as an admin user, you can acquire this level of SSL certificate relatively easily. Pros These are also the cheapest of SSL certificates, with some providers offering them for as little as a few pounds a year. You also don’t need to provide any company information, just proof that you own your domain name. Cons As you might have guessed, this level of validation is not suitable for processing secure payments and is therefore only really suitable for very basic sites that collect no personal data. For example, this would be perfect for a personal webpage or brochure site, but not suitable for a blog or online shop. Level 2: OV (Organisation Validation) Certificates Organisation Verification Certificates are similar to the DV Certifications but with all of the security features turned up another level. For instance, rather than just being an admin on the domain host, you and your company must also be vetted by the provider to ensure you definitely are who you say you are. OV’s would be our recommendation for any site that handles personal information of any sort, e.g. user registration, names and addresses, forms etc. Pros By going through the additional screening you are submitting additional data and information about your company that will be accessible to the site user on the certificate. This adds an additional level of assurance to your customers. Cons You should expect to pay about £50 a year for an PV licence which is about 2-3 times the price of a standard DV licence but well worth it for the additional level of protection. They will also take a couple of days to go through and be approved in most cases. Lastly, they are still not adequate if you plan on taking payments on your website, but perfect if you own an eCommerce site that processes payment externally e.g. (SagePay or PayPal). Level 3: EV (Extended Validation) Certificates This is the best level of SSL you can apply to your website. Owning an EV licence proves to your customers that you take their security and privacy as seriously as possible and as a result, you are rewarded with the coveted green browser address bar in addition to displaying the additional company and security details for your customer. Pros If you want to process payments on your website or keep sensitive details about your customers or users then this is the certificate you will need. The additional security checks you will need to go through to acquire this licence will be frustrating but it’s well worth it for the level of protection and trust you will gain from having the full licence. You may also want to remove third party payment systems from your site, meaning you can even gain back the costs in some cases via cutting out the margin of the middle man. Cons Aside from the cost of between £200-£300 per year, these licences can take a few days from start to finish to process. You will also be required to undergo an even more rigorous screening process on company and individual data before permission will be granted for the licence to be issued. Summary I hope you found this post useful, if you have any questions or would like more information on what you should apply to your own site please feel free to get in touch, ask for James and I’ll be happy to point you in the right direction, or even arrange for one to be set up for you by our team. For more information on our security standards, take a look at our security page. You will need an agency or someone tech savvy to apply the SSL certification for you initially but after that initial cost, it’s a simple case of paying the renewal each year.