Despite the universal push for encryption, we’re still not using HTTPS properly
It’s the year 2016 and there’s a large push being made to encrypt the entire internet. The public seems to want universal encryption amid growing concerns over personal privacy caused by leaks and breaches. The browser community wants to implement universal encryption as a way to phase out HTTP and move towards HTTP/2.
And you, as the administrator of a website, certainly have no shortage of incentives to start using HTTPS:
- Avoid browser warnings
- Get an SEO Rankings Boost
- HTTPS is faster
- Only encrypted traffic can use HTTP/2
Unfortunately, despite all the pushes for universal encryption, the internet still isn’t using HTTPS correctly. Here are some helpful hints to avoid making common HTTPS mistakes.
A Few HTTPS Tips
Before we go too deep, here are a couple of easy tips to help keep you from getting that annoying SSL Error that seems to plague a lot of websites:
Buy your SSL Certificate from a Trusted Certificate Authority – This may seem like a pretty obvious one, but apparently, it’s not to everyone. There is a handful of Certificate Authorities that are considered “Trusted” by the browsers. They are trusted because they invest millions of dollars into having the correct infrastructure, abide by a set of guidelines handed down by the CA/B Forum and have generally never run afoul of the browser community. Part of the CA’s job is to vet the applicants when an SSL Certificate is purchased. This can be a fairly extensive process and is aimed at distinguishing real businesses from potential cyber-criminals. When a CA issues you an SSL Certificate, it is essentially vouching for your identity. The browser sees this, trusts the CA’s validation of your identity, and allows your SSL Certificate to initiate an encrypted connection. A certificate from a Trusted CA will always be trusted. A certificate from anywhere else will receive a browser warning. That’s why it’s vital you always go with the trusted CA.
Install your Intermediate Certificates properly – This is a common mistake and one that can prove fatal. Some CAs are lucky in that they need only send you your SSL Certificate, which can work directly with its root. However, for many CAs, you’ll have to chain certificates. This means that while their trusted root may already be installed in your browser’s root store, you’ll still have to install one or two intermediate certificates on your server in order to chain your SSL Certificate to its root. This isn’t an exceedingly difficult process: there are guides everywhere and support can certainly assist you. But if done incorrectly, it does bring up the dreaded SSL Error.
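The chaining problem described above can be reproduced offline with the `openssl` command line. This is an added example, not part of the original article: it builds a constructed root, intermediate and leaf (all names are made up), then verifies what a server would send against a trust store that holds only the root.

```shell
#!/bin/sh
# Constructed three-tier PKI: root -> intermediate -> leaf. Names are made up.
make_pki() {   # make_pki DIR : writes root.pem, int.pem, leaf.pem, fullchain.pem
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in root int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=constructed-$n" || exit 1
    done
    # Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 30 -out root.pem &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 30 -out int.pem &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -extfile leaf.ext -days 30 -out leaf.pem &&
    # What a correctly configured server sends: leaf first, then intermediates.
    cat leaf.pem int.pem > fullchain.pem
  ) >/dev/null 2>&1
}

# verify_served DIR FILE : the client trusts only root.pem; FILE is the PEM
# bundle the server presents. Exit status 0 means a path to the root was built.
verify_served() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/$2" >/dev/null 2>&1
}

PKI=$(mktemp -d) && make_pki "$PKI"
for f in leaf.pem fullchain.pem; do
  if verify_served "$PKI" "$f"; then
    echo "$f: trusted"
  else
    echo "$f: NOT trusted (no path to the root)"
  fi
done
```

Serving `leaf.pem` alone fails even though the root is trusted, because the client has no certificate linking the leaf to that root; serving the leaf together with the intermediate closes the gap.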
How Does Always-On SSL Help a Website Gain Traffic and ROI?
The final tip to help you get the most out of HTTPS is this: make sure you serve every page of your site over HTTPS. This is called, “Always-On SSL.”
There’s a tendency by many around the web to want to do the bare minimum. In this case that would mean only encrypting the pages where you think information is being transmitted and leaving the rest to be served over HTTP. The reasons given for this are typically either cost or performance. Both are bunk.
For starters, it doesn’t cost you anything extra to serve your entire site over HTTPS as long as you selected the correct security solution at the outset. If you did that, it’s simply a matter of configuring your servers properly, which admittedly can be a bit time-consuming, but is well worth the extra effort considering Always-On SSL enables your site to get up to a 5% SEO rankings boost. Think about it: you probably spend a lot more time trying to get your SEO rankings up than it would take just configuring your servers to serve your entire site over HTTPS. And this is a guaranteed 5%. You can’t afford to pass that up. The latest update comes from the official Google Webmasters account:
Google Webmasters Official Tweet
As of today, 82% of pages loaded in Chrome on Android are served over the secure #HTTPS protocol.🔐🔐
If your website is in the other 18% percent, find out why & how to secure your site : https://t.co/V06rAwhI1g
— Google Webmasters (@googlewmc) December 10, 2018
The second reason given, performance, is also a myth. Yes, in years past HTTPS could slow things down. But it’s evolved since then and is now empirically proven to be faster than HTTP. But don’t take our word for it, visit one of the dozens of HTTP vs HTTPS sites available and get a side-by-side comparison for yourself. HTTPS wins out.
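One way to audit whether a site really is Always-On, rather than encrypting only the pages thought to carry sensitive data, is to request each page over plain HTTP and look at the answer. This is an added example, not from the original article; the host `shop.example.test`, the sample observations and the verdict names are constructed for illustration.

```shell
#!/bin/sh
# classify URL STATUS LOCATION : verdict for one plain-HTTP request.
# A page passes only if it permanently redirects to its own https:// twin.
classify() {
  url=$1 status=$2 loc=$3
  want="https://${url#http://}"
  case "$status" in
    301|308)
      if [ "$loc" = "$want" ]; then echo ok
      else
        case "$loc" in
          https://*) echo https-other-target ;;   # review manually
          *)         echo insecure-redirect ;;
        esac
      fi ;;
    302|303|307)
      case "$loc" in
        https://*) echo temporary-redirect ;;     # works, but not permanent
        *)         echo insecure-redirect ;;
      esac ;;
    *) echo served-over-http ;;                   # content delivered unencrypted
  esac
}

# audit URL : live check of one page (needs curl and network access).
audit() {
  out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$1") || return 1
  classify "$1" "${out%% *}" "${out#* }"
}

# Constructed observations (URL, status, Location) for a site that only
# protects its login page.
SAMPLE='http://shop.example.test/ 200 -
http://shop.example.test/login 301 https://shop.example.test/login
http://shop.example.test/cart 302 https://shop.example.test/cart
http://shop.example.test/blog 301 http://www.shop.example.test/blog'

report() {
  printf '%s\n' "$SAMPLE" | while read -r u s l; do
    printf '%s %s\n' "$(classify "$u" "$s" "$l")" "$u"
  done
}

report
```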
And these are really the biggest tips for getting the most out of your SSL Certificate and HTTPS. Make sure to serve every page of your site over HTTPS, and make sure to configure those servers properly. Your customers will thank you and your site will be more secure for it. Why invest in a security solution if you’re not going to leverage it for all it’s worth? Remember, buy from a trusted CA, install your intermediate certificates correctly and serve every page over HTTPS.
That’s how you use HTTPS correctly.