3 important reasons

If you’re doing online banking or shopping, you probably already know that you should look for the SSL padlock in your browser. Most people are informed enough to know that they shouldn’t put their banking or credit card details into a web browser unless the connection is encrypted. But there are a number of reasons why every website you create should be on HTTPS and protected with an SSL certificate.

There are 3 main reasons you need an SSL certificate on your site:

  1. Privacy
  2. Google ranking (SEO)
  3. Preventing a warning in Chrome

It used to cost upwards of $100 to purchase an SSL certificate for a website, but there’s now a free SSL certificate provider called Let’s Encrypt. You can get a high level of encryption over HTTPS with their free SSL certificates and I’ll show you how to do it. So not only is it more important than ever to have an SSL certificate on your site, it’s also now easier and cheaper than ever.

When you visit a website that uses SSL, you will see a padlock followed by https:// in your browser address bar. The ‘s’ in HTTPS stands for secure, because the information is encrypted between you and the web server that hosts the website. The rest of it – HTTP – stands for hypertext transfer protocol, which is how web pages get to you. The encryption happens using TLS (Transport Layer Security), but is still usually called SSL (Secure Sockets Layer), which is the technology that TLS replaced. It’s a bit like YouTube being the same name, even though no one uses CRTs any more. In layman’s terms, HTTPS means that the information that you type into a web page cannot be read when intercepted by a third party. It can only be read by the owner of the website. You don’t need to know how it works, but you must understand why you need it. Let’s explore why you need SSL.

1) Privacy

You may not have been aware of this, but website traffic is routinely intercepted by multiple third parties, not all of them with malicious intent. For instance, anything you type into a website, such as in a contact form or an email subscription form, will be routed firstly to your wi-fi modem or router, then to your ISP. It then goes over the Internet through a number of Internet exchange points and network access points, the website’s host server, the website owner’s email provider and their ISP before they actually read the message you have sent them. At each point, the information is intercepted for the purpose of network management (and potentially by unsavoury characters for other purposes).

Convertible showing the driver's hair and clothes
Traffic cameras can see your hair and clothes too. Porsche 911 Turbo Cabriolet (CC 2.0) by Alexandre Prévot

Just as traffic cameras can and should see everything that happens at the intersection they are placed at, network monitoring is an important part of the Internet. The down side of this is that if you are in a convertible, the traffic camera will see what shirt you’re wearing (or not wearing, as the case may be). Using SSL is like having dark tinted windows on your car. So although the traffic cameras still see you as part of the traffic, they don’t know whether you’ve brushed your hair that day (or if you even have hair!).

As far back as January 2010, Google made all access to Gmail on HTTPS. This meant that not only were Gmail users’ passwords protected at login, but that all the contents of the emails they sent and received were encrypted between Google and themselves. And if the person at the other end of the email was also a Gmail user, this meant that the email was effectively encrypted from end-to-end, allowing the email to be read by only 3 parties: (1) the sender, (2) Google and (3) the recipient.

That same year Google introduced an encrypted search service located at https://encrypted.google.com. They gradually moved all search entirely to HTTPS, firstly by redirecting logged in users to the HTTPS version of google.com in October 2011, and then finally making the HTTPS version of their website the only option when performing searches.

I’ve been teaching my students how to set up HTTPS on their websites for almost a decade. Back in 2010, there was still a choice between using SSL or not for Google searches. I used a network analyzer called Wireshark to capture the data in the traffic over my home wi-fi network. The following two screen shots of Wireshark show the difference between a Google search performed over HTTP and HTTPS respectively.

Wireshark without SSL
Wireshark showing contents of a search using HTTP

This first screenshot above shows (on line 4 with the navy background and white text), that the Protocol was HTTP and the Info (the data transmitted) is “…q=how%20to%20be%20king%20of%20the%20world…”. The q is the query, or search performed on Google. The %20 is URL encoding for a space character. So replacing the %20 characters with spaces, it’s quite easy to see the search that I was performing. Embarrassing, I know.

Now the second screenshot below shows (on line 12 with the navy background and white text), that the Protocol was SSLv3 and the Info simply shows as “Application Data”. Further down in that screen shot, it says “Encrypted Application Data: d4685574d93e0…”. So if anyone were to intercept this traffic, all they would see is some gibberish: d4685574d93e0…, which could only be decrypted by the server, and read by the owner of the website.

Wireshark showing contents of search using HTTPS
When using HTTPS, the search content just displays as d4685574d93e0…
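The difference between the two captures can be reproduced in a few lines. This is an added example, not part of the original post: `observer_view`, `HTTP_CAPTURE` and `TLS_CAPTURE` are names made up here, and both byte strings are constructed samples rather than the traffic in the screenshots.

```python
from urllib.parse import parse_qs, urlsplit

# First byte of every SSL/TLS record names its content type.
RECORD_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                22: "Handshake", 23: "Application Data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")

# Constructed samples, not taken from the screenshots.
HTTP_CAPTURE = (b"GET /search?q=how%20to%20be%20king%20of%20the%20world HTTP/1.1\r\n"
                b"Host: www.google.com\r\n\r\n")
# 5-byte record header (type 23, version 3.0, length 16) followed by
# 16 placeholder bytes standing in for ciphertext.
TLS_CAPTURE = bytes([23, 3, 0]) + (16).to_bytes(2, "big") + bytes(range(0xA0, 0xB0))


def observer_view(payload: bytes) -> dict:
    """Return what someone capturing this TCP payload can read from it."""
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        if len(parts) == 3:
            # parse_qs reverses the %20 URL encoding, exposing the search terms.
            query = parse_qs(urlsplit(parts[1]).query)
            return {"protocol": "HTTP", "info": request_line, "readable_query": query}
    if len(payload) >= 5 and payload[0] in RECORD_TYPES:
        version = VERSIONS.get((payload[1], payload[2]))
        if version is not None:
            length = int.from_bytes(payload[3:5], "big")
            # The header is readable; an Application Data body is ciphertext.
            return {"protocol": version, "info": RECORD_TYPES[payload[0]],
                    "length": length, "readable_query": None,
                    "body_hex": payload[5:5 + length].hex()}
    return {"protocol": "unknown", "info": None, "readable_query": None}


if __name__ == "__main__":
    for capture in (HTTP_CAPTURE, TLS_CAPTURE):
        print(observer_view(capture))
```

For the HTTP sample the search terms come back as readable text; for the record sample the observer learns only the protocol version, the record type and the length.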

It’s important to note that this wasn’t an open wi-fi network. It was password-protected using WPA2, the highest level of encryption available. So if you think that what you type into a website is safe from being intercepted, just because your wi-fi is password protected, then think again.

Fortunately, all Google traffic now goes over HTTPS, as I mentioned earlier.

Girl with name and phone number on her shirt
No SSL is like having your name and number on your shirt

What about other websites? Almost all websites have a contact form. It allows you to send a message to the owner of the business (or blog), without them revealing their email address. That’s great to reduce the amount of spam they receive. But what’s not great, is that the contact form usually asks for at least your name and email address. Sometimes it will even ask for your phone number. And the worst thing is, that their entire site is unencrypted – no SSL certificate, meaning no HTTPS and therefore, no security of the information you are sending.

Would you walk around wearing your phone number on your t-shirt? Well putting it in a contact form without SSL is just like doing that. So if the site you build is not on HTTPS, then you are asking your customers to stand on a street corner with their names, email addresses and phone numbers on their shirts. What’s more, you are asking them to use a megaphone to read out their private messages to you. So you really should install an SSL/TLS certificate. The good news is that more and more major websites have moved to HTTPS, including Wikipedia, Facebook, and just a couple of days ago, the Guardian announced that they had too.
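One way to check a page you have built for this problem is to list every form whose submission would travel over plain HTTP, along with the personal fields it asks for. This is an added example, not from the original post: `FormCollector`, `cleartext_forms`, the field-name heuristics and the `example.test` markup are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PERSONAL_TYPES = {"email", "tel", "password"}
PERSONAL_NAMES = ("name", "email", "phone", "tel", "message")  # heuristic, assumed

# Constructed sample page: a contact form plus a search form.
SAMPLE_HTML = """
<form action="/send" method="post">
  <input type="text" name="your-name">
  <input type="email" name="your-email">
  <input type="tel" name="phone">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<form action="https://example.test/search"><input type="text" name="s"></form>
"""


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the personal fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "textarea") and self.current is not None:
            name = (attrs.get("name") or "").lower()
            kind = (attrs.get("type") or "").lower()
            if kind in PERSONAL_TYPES or any(k in name for k in PERSONAL_NAMES):
                self.current["fields"].append(name or kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def cleartext_forms(page_url: str, html: str) -> list:
    """Return forms that would send personal fields over plain HTTP."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme == "http" and form["fields"]:
            findings.append({"submits_to": target, "exposed_fields": form["fields"]})
    return findings
```

Served from `http://example.test/contact`, the sample contact form is reported with all four fields; served from the `https://` version of the same address it is not, and a form on an HTTPS page that posts to an `http://` address is still flagged.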

2) Google ranking (SEO)

Knowing that having your site (or sites) on HTTPS will protect your site users’ privacy, should be enough to make you want to install an SSL certificate and enable HTTPS. It’s the decent thing to do. But if that’s not enough of an incentive, then here’s a more selfish reason to do it.

Since 2014, Google has used HTTPS as a ranking signal. This means that if you don’t have HTTPS enabled on your site, then your Google ranking will suffer. If you are designing websites for other people, then you’re sacrificing their site’s ranking in Google searches, just because you’re too lazy to tell them about HTTPS. What’s really sad is that there are a lot of “SEO experts” running their sites without SSL.

Maybe cost is a factor in your decision, but the small cost of installing an SSL/TLS certificate could be more than outweighed by the SEO benefits that they’d receive by having SSL. If you think that $100 a year is too much to pay for an SSL certificate, then you’re probably right. At the end of this article, I’ll show you how you can get a high level of encryption over HTTPS with Let’s Encrypt’s free SSL certificates.

3) Preventing a warning in Chrome

Very recently, Google announced plans to display a warning in the Chrome Browser whenever someone uses a site that is not on HTTPS. This is part of their move towards a more secure web. They’ll start this as early as next month (January 2017), marking sites as “non-secure” if they collect passwords or credit cards. Google plans to gradually roll out warnings based on the nature of the site or on a user’s browsing behaviour – for example, by labelling pages without SSL as “not secure” in Incognito mode. Eventually, all your site’s visitors will see the following if you do not have an SSL certificate.

google-warning

Again, if the privacy of your site’s users is not enough, then this is another incentive to have the site on HTTPS. You might not care enough about the privacy of your customers’ data, but you will certainly care about the reputation of your site. If your site is showing the above error message, that’s not a good look for any business. Of course, there is still time to install SSL on your site, but why wait till Google says it’s almost doomsday? Do it now and start protecting your customers straight away.

FREE Let’s Encrypt SSL/TLS Certificates

Let’s Encrypt is a free, automated and open certificate authority, run for the public’s benefit by the Internet Security Research Group (ISRG). They provide free SSL certificates and are backed by major sponsors including Mozilla, Cisco, Google Chrome, HP and Shopify.

The easiest way to install your free Let’s Encrypt certificate is to set up your hosting with DreamHost. To have the Let’s Encrypt certificate installed, you just have to sign up for web hosting with them. If you don’t already have a domain name, they’ll even throw in a free one. Once that’s done, you just have to log in to their dashboard and select the HTTPS option. I’ve created a video on how to create a website in WordPress. Jump to the part where I set up the Let’s Encrypt SSL certificate with one click. If you use this link, you’ll also get a $50 discount on the web hosting. If you’ve already got your website hosted somewhere else, just sign up with DreamHost the same way and point your domain name to the DreamHost name servers. You’ll also be able to add an extra year to your .com, .net, .org, .info or .xyz domain registration for free.

Now you know why you need SSL and how easy and cheap (free) it is to install an SSL certificate. So jump on in and set up HTTPS on your site now, so that you don’t have to worry about the Google Chrome warnings on sites without SSL.


2 thoughts on “Why you need SSL”

  • December 2, 2016 at 3:25 am

    Great article. Thanks for the heads up. Why did Wikipedia need to move to https though? They don’t have a contact form AFAIK

    • December 2, 2016 at 8:24 pm

      Thanks Jordan. Good question.

      Wikipedia may not have contact forms, but there are search forms and forms for creating or editing articles. So being on HTTPS protects the privacy of users, authors and editors. In addition to that, HTTPS also prevents your ISP or anyone else on the same network knowing which Wikipedia pages you are viewing.
