Over the past several years Google has been working hard to migrate all of their properties to work over SSL (Secure Socket Layer). In 2014 Google announced that adding an SSL certificate to your website would give you a minor ranking boost. This is because Google takes security very seriously and wants to make the Internet safer for everyone.
Google’s HTTPS Initiative
In fall 2016 Google began pushing for an encrypted web by requiring websites that collected login or password information to convert to HTTPS by January 2017. The reason for this was to protect the sensitive data that you collect from your visitors such as credit card data, membership logins, passwords, and more. By converting to HTTPS, site owners could protect the sensitive data visitors were submitting from “man-in-the-middle” attacks.
In an effort to step up web security, Google set out with another round of penalties in October 2017.
New Google Penalty for Non HTTPS Sites Effective October 2017
In August 2017 Google sent email notifications to non-compliant site owners via Google Search Console to remind them to convert. Site owners were warned that effective October 2017 Chrome would show the “NOT SECURE” warning to visitors who entered sensitive data in a form on an HTTP page or who visited HTTP pages via incognito mode. (For more information on these warnings, refer to this post.)
Sites collecting this sensitive data that had not converted to HTTPS would now show a “NOT SECURE” warning in the browser.
Third Google Penalty Slated for July 2018 for All Sites
In the latest push for an encrypted web, Google has set a final deadline of July 2018 for all sites to be converted to HTTPS. Whether or not your site is accepting sensitive data from your visitors, you must convert your site or risk being penalized by Google in a few ways.
1. Your site will rank lower than HTTPS sites
2. Your site will show a “NOT SECURE” message in a visitor’s browser
For a complete breakdown of the various phases on the HTTPS initiative, please refer to this excellent post by our friends at R & R Web Design.
Now let’s take a look at what it is and how it works.
What Exactly is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) ensures a secure communication between a browser and a web server through the use of a Secure Socket Layer (SSL). This stops “man-in-the-middle” attacks from intercepting sensitive data such as password and credit card information that visitors submit from your website.
To further clarify the difference between HTTP and HTTPS, refer to this helpful infographic from our friends at First Site Guide:
HTTP vs. HTTPS – Cheat Sheet was created by FirstSiteGuide.com
By the time Chrome 56 rolled out around January 31, websites that had an SSL certificate installed and configured properly began to show visitors a secure connection in the browser bar:
This notation builds customer trust and assures your visitors that their information is protected and secure as it transmits from their browser to your server.
But if you collect sensitive data on your website and your site had not been converted to HTTPS when Chrome 56 rolled out, then your visitors began seeing the NOT SECURE warning in their browser bar:
Seeing the NOT SECURE warning would understandably alarm and cause a visitor to leave your website. This in turn decreases conversions, increases bounce rate, and affects your SEO (search engine optimization).
By now I’m sure you can see why it’s so important to encrypt your website pages and protect your visitors’ data.
Now that you understand why it’s important to convert to HTTPS, the rest of our post will look at the following:
- What is an SSL Certificate?
- Where can I Get a Free SSL Certificate?
- What are the Additional Benefits of HTTPS?
- What about CloudFlare Users?
What is an SSL Certificate?
Per GlobalSign Certificate Authority:
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser.”
You’ve probably noticed the padlock when you’ve made an online purchase and checked out of a big-brand store such as Amazon. Or if you use online banking or paid a credit card online, you have probably seen the padlock. That padlock assures you that the organization has an SSL certificate installed and is protecting your data as you use their site.
If you’re running a WordPress website and have wondered about adding SSL, you might want to read our earlier post to learn more.
Where can I Get a Free SSL Certificate?
For many years the cost of encrypting a website has been expensive and complicated for small business owners. They had to purchase a dedicated IP and a certificate from a Certificate Authority and then pay to have that dedicated IP and certificate renewed each year.
But the Let’s Encrypt initiative has changed all that. Let’s Encrypt began offering free SSL certificates last year, and small business owners have been able to encrypt their websites without incurring extra expenses. And an added bonus is that a dedicated IP is not necessary under Let’s Encrypt.
As HTTPS becomes the standard protocol, more and more hosting companies are offering and installing Let’s Encrypt certificates for free, too. For many small businesses, this is the perfect (and affordable) solution to encrypting their site.
Our hosting company, A2 Hosting (affiliate), automatically installs Let’s Encrypt SSL certificates on client accounts for free. That includes requesting and installing the Let’s Encrypt certificate on our behalf, then updating it automatically every three months.
Other hosting providers have a configuration setting that you need to enable. And still other providers automatically request and install certificates for all their customers.
What are the Additional Benefits of HTTPS?
Historically, websites running under HTTPS experienced slower page loads due to the SSL negotiation. This caused website owners to think twice before they made the decision to convert to HTTPS.
But HTTP/2 has resolved many of those issues. HTTP/2, the latest update to HTTP, brings more efficiency, security and speed to the web. Now these same sites running under HTTPS can take advantage of HTTP/2, which improves performance and overall user experience.
And we can’t forget about Bing. In 2015 Microsoft announced their plans to also standardize HTTPS for web traffic encryption.
What about CloudFlare Users?
Many small businesses take advantage of CLoudFlare’s free plan. CloudFlare users will still be able to use the free plan with the Full (Strict) SSL option. Unfortunately, this is an area of confusion for lots of site owners and web hosts. Many clients are under the impression that they have to upgrade to the paid plan to use CloudFlare under SSL. This is simply not true. You can still use the CloudFlare free plan and a free SSL certificate while reaping the benefits of both!
Convert to HTTPS Now
There are just so many benefits to making the decision to convert to HTTPS now rather than later. To recap, by July 2018 Google will require HTTPS of all website owners. HTTPS sites are currently receiving a small ranking boost. This ranking signal is bound to become greater as more and more sites comply, meaning those who don’t convert will lose out in ranking. And other search engines such as Bing are following suit.
If you’re a do-it-yourself website owner, you need to get started! Please refer to our earlier post on adding SSL to your WordPress site.
Or you might want to check Matt Banner’s detailed and resourceful post on How to Switch from HTTP to HTTPS for further information.
But for those of you who don’t have the time or knowledge to convert to HTTPS, it’s time to get help with converting your site ~ even if you are not collecting sensitive data. Remember, in just a few months Google will be requiring HTTPS of all website owners!
Stay ahead of the game and contact us if you need assistance with your conversion. We’re always happy to help!
Have questions? Please feel free to post them in the comments below!