You should know that the two most popular protocols used for communicating between users and web servers are HTTP and HTTPS. What’re the main differences between the two? If your website uses the HTTP protocol, all the exchanged data can be read (and modified!) by third parties (Internet Service Providers, network administrators, hackers). Using HTTPS, your data is encrypted. This means third parties can’t read the exchanged data. Using HTTP is like sending an important letter in an unsecured envelope. In contrast, using HTTPS is like sending important documents by courier, in a safe which only you and the receiver have the combination to.
In fact, HTTPS is getting more and more popular. But still, according to StatOperator, only 37% of the top 1M websites use an encrypted connection (as of July 24th, 2018). In this article, I would like to give you six inarguable reasons why EVERY website should move to HTTPS.
1. Google Chrome Marks all HTTP Websites as “Not Secure”
Starting from version 68, which was released July 24, 2018, Chrome will be marking all HTTP websites as not secure from then on – with no exceptions!
This is a pretty big deal. If you have an HTTP website and your clients get information that YOUR website is not secure, it will definitely diminish the users’ trust in your business. Currently, 6 out of 10 internet users use Chrome and it’s growing. So you can expect 60% of your users will see information that your HTTP website is NOT secure.
2. SEO Boost
HTTPS has been a confirmed, official ranking signal in Google Search Engine Rating Pages since August, 2014. For now, using HTTPs will give you a bit of a boost in Google rankings, and it will most likely increase in the future. In Google’s official announcement we read: “(…) over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.” Note: you may notice a temporary negative side-effect while migrating. This is because Google has to recalculate all the SEO signals. However, if you do the migration properly, you should be fine in the long term.
3. It’s Very Easy to Hack an HTTP Website, Even for a Child
When you have an HTTP website and your users connect to it in public spaces, anybody can hack it, even a 10-year old. It’s as easy as installing a special browser plugin or tools like WireShark. That’s it. Say what? If an attacker is connected to the same WiFi network as you, he or she can have access to all the HTTP packets you send and receive. They can:
- see exactly what content you’re viewing, which articles you read, what type of movies you watch on the internet, etc.
- steal your login credentials
- inject malicious code
All of it is much more difficult if the connection is secure (HTTPS). Do you want to read more? Search Google for “session hijacking” and “cookie stealing.”
4. Preventing Data Tampering
If you use an HTTP connection, internet service providers, or WiFi Hotspots can inject their own ads (and malware!). As far as I know, this is against the law. But, it’s happening, as can be seen in the following articles: Code injection: A new low for ISPs (InfoWorld), Chinese ISPs Caught Injecting Ads and Malware into Web Pages, Comcast’s open Wi-Fi hotspots inject ads into your browser, and AT&T Wi-Fi hotspot caught injecting ads into web pages. Theoretically, if you use an HTTP connection, it’s very easy for governments and Internet Service Providers to spy on the content your visitors are viewing. I write “theoretically,” because despite the fact that it’s technically possible, I have no clear evidence that any government has done it. But, it’s not science fiction. Let me quote James Donohue, a developer at BBC News. “HTTPS makes it far more difficult for ISPs to track which articles and videos you’re looking at or selectively suppress individual pieces of content. We’ve seen cases outside the UK with some of our World Service sites where foreign governments have tried to do this.”
5. If you Use HTTP, Google Analytics May Show the Wrong Data
Google Analytics is a great web analytics service. But, did you know that if you have an HTTP website, it may classify some Referral traffic as Direct and lead you to the wrong conclusions?
Here’s why: Because internet protocols work in the way that the referar data is not passed if a user visits a secure (HTTPS) website and clicks on a link pointing to an unsecure (HTTP) website.
6. HTTPS is the Future of the Web
If you want to implement the most recent technologies like AMP, HTTP /2, or PWA, it’s required to have an HTTPS website. Let me explain what these acronyms stand for:
- AMP (Accelerated Mobile Pages) – is a project designed to improve the performance of web content. AMP allows you to create lightweight pages intended for mobile devices. AMP pages consist of HTML and limited CSS. Only asynchronous JS scripts are allowed on AMP. Major Content Management Systems, including WordPress support AMP. For now, it is used by 25+ million domains.
- HTTP /2 – is a relatively new internet protocol (used by 27% of websites – W3 Tech, July 2018). It provides many performance improvements over the 18-year old HTTP 1.1 protocol. If you want to use HTTP /2, you have to have an HTTPS website.
- PWA (Progressive Web Apps) – if you want to implement a PWA, you have to have HTTPS. What are PWAs? This is an emerging trend of creating websites that act like apps (they respond quickly after user interactions, and load fast even when using a slow internet connection).
Although there are many advantages of using HTTPS, implementing it is not as easy as clicking on the “Enable HTTPS.”
- First of all, you have to set up 301 redirects from HTTP to HTTPS and update all the internal linking to avoid redirect chains.
- Prepare to fix mixed content. If you have an HTTPS website and use images hosted on HTTP, these may not be shown because of mixed content issues.
- HTTPS requires more computing power, so if you have big website, you will pay more for hosting. Be prepared.
- Using HTTPS is very important, but it will not make your website 100% secure.
- Implementing HTTPS may make your website slower. You can mitigate this by using resource hints like dns-prefetch and by implementing HTTP /2.
However, despite some of the aggravation, migration to HTTPS is definitely worth doing. You may want to read how big brands, like BBC and The Guardian implemented HTTPS. Definitely worth a read! Another interesting resource can be found here.
I hope it’s now obvious that every professional website should migrate to HTTPS. It should also be stressed that moving to HTTPS is much easier than it used to be. (If you have a small website, you can even get your SSL certificate for free, using Let’s encrypt or CloudFlare). The takeaway is clear: take the time and move to HTTPS as soon as possible.
Bonus: Websites Still Using HTTP (as of July 25th, 2018)
Still, according to StatOperator, 63% of top 1M websites use an unencrypted connection. Below, I’m presenting some notable websites still using it.
Newspapers & magazines:
http://www.dailymail.co.uk http://time.com/ http://www.latimes.com/ http://www.foxnews.com/ http://www.spiegel.de/ http://www.aljazeera.net/portal http://fortune.com/ http://www.espn.com/ http://www.autoexpress.co.uk/
http://toysrus.com/ (shop) http://imageshack.us/ http://digg.com/ http://www.bookcrossing.com/ http://www.asos.com/ (shop) http://mentalfloss.com/ I believe in the future the list will be smaller and smaller.