How to Implement HTTPS Security on Your Website
Is your website as secure as possible? If it isn't, you could be compromising your content and turning away customers. Read on to learn the importance of implementing HTTPS security on your site.
A recent KPMG study found that more than half (55%) of consumers have decided against buying something online because of security concerns. One way to allay those concerns is to implement HTTPS security on your site.
To learn a little bit more about HTTPS and how small businesses can utilize it on their own websites, we turned to COSE member Vince Salvino of CodeRed to answer six questions we had about the importance of HTTPS.
Question No. 1: What is HTTPS?
Salvino: HTTPS is a secure way of accessing a website. It works using an encryption mechanism called an SSL certificate. You will usually see a green lock icon or green “Secure” status in the top left corner of your browser when visiting websites using HTTPS. If a site has HTTPS improperly configured or invalid, then you will see a big red “Danger” status in your browser.
Question No. 2: What additional security layers does it provide?
Salvino: Simply put, HTTPS provides encryption for everything you view or send on the internet. Think of it like mailing a letter: if you mail a postcard, anyone who touches or comes across that postcard can read what you wrote on the back. You certainly wouldn’t feel comfortable writing private correspondence, or very important information such as credit card, social security number, etc. on the back of a postcard. That is how HTTP works. With HTTPS, it is equivalent to mailing a letter in a sealed security envelope. No one is able to read what is inside it, and if the seal has been broken, then the recipient knows that the letter has been tampered with.
Question No. 3: Should all businesses have HTTPS on their site?
Salvino: Absolutely. If you take payments, have a login, or have any type of form on your website, then it is imperative that you use HTTPS. As a matter of fact, browsers such as Firefox now warn the user with an ugly error message if they try to use a password on a site that does not have HTTPS enabled. But even if your website does not contain sensitive information, most people still feel more comfortable knowing their connection is secure. This is not just an IT issue anymore—even non-technical folks have become aware to look for the little green lock when browsing the web. This point frequently comes up on the evening news when talking about the latest data breach, or during the big shopping seasons.
Question No. 4: Is it difficult to set up?
Salvino: It is relatively simple to set up. Any web developer or IT department would be able to set this up. Even do-it-yourself website hosts such as GoDaddy offer SSL certificates for less than $100 per year and provide instructions on how to set it up. At CodeRed, we provide this to all of our clients for free—that is how fundamental SSL is to online security.
Question No. 5: Will visitors notice anything different on my site after it is set up?
Salvino: It is relatively seamless. Visitors will notice that nice green lock or “Secure” status in their browser. Just be sure to renew your SSL certificate every year—if it expires, the browser will show a warning to visitors.
Question No. 6: Are there any additional benefits to setting up HTTPS (does Google rank your pages differently, will customers be more apt to buy from me if they see it on my site, etc.?)
Salvino: In addition to the security and peace of mind of your visitors, there are additional benefits as well. Google ranks sites higher that use HTTPS versus sites without it. There are rumors that in the future, Google will more severely penalize sites without it as a way of forcing website owners to use HTTPS. This probably won’t happen in the near future, but it emphasizes just how important web security is. Also, if you process credit cards or have HIPAA (health care) data, you are required to use encryption when processing this information to maintain compliance.
Vince Salvino is the owner of CodeRed, a Cleveland-based technology firm specializing in secure Web development and cloud services.