Not having your blog or website HTTPS enabled in 2019 is suicidal!

As a blogger or website owner you would know that the world wide web (www) runs using a protocol called Hyper Text Transfer Protocol or HTTP. So, all websites must have an HTTP declaration in their URL.

But it is possible for miscreants to 'phish', that is, to display their own website and present it as another, genuine, website. The HTTP protocol is not able to check such illegal actions. Moreover, while data is being transferred between the website server and the user's internet browser, there are 'sniffer' programs that can read the data. So, there is more and more stress on making the protocol secure so that the real website cannot be faked with the same URL. Thus came HTTPS (the S in the abbreviation represents 'secure'). Now a majority of websites and blogs have this prefix in their URLs.

What are HTTPS and SSL?


HTTPS simply denotes that your website has been verified to be 'secure'. There are many levels of HTTPS security and not all are of the same level. When you type the web address of a reliable bank site, it shows the entire ID of the website given in full, with a lock preceding it. Now, use another website with HTTPS (not a bank or such high security website) and you find a lock before the URL. Non-HTTPS sites do not have a lock.

types of HTTPS on websites

Both these types of websites with a lock preceding the URL are secure. What the HTTPS protocol ensures is that all communication between the user's browser and the website server is encrypted. In the case of banks, credit cards etc., the security is even higher, in the sense that the HTTPS certification agency has ensured that the website belongs to a verified high-veracity entity.

When a user enters a URL in his browser, communication protocols send a request to the server of the target website, asking for the information on the site. In the case of HTTPS-enabled sites, there is a security certificate, called an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificate, on the site server. The site sends this certificate to the browser, and the browser checks whether the certificate is trustworthy. After verification of the certificate, there is a 'handshake' between the server and the browser. From then on, all the data flowing between the two ends during that session is encrypted.

Is HTTPS security layer really that important?

 

Having HTTPS implemented on a website means the communication between the user's browser and the website will not be prone to misuse by miscreants. It also ensures that the user visits the actual site he wanted to visit, not a phishing site.

So, when a site shows that it has HTTPS security, it is taken as safe by the visitor as well as search engines. That is a huge credibility improvement over non-HTTPS websites and blogs.

In addition, with encrypted communication, those lurking to snoop into the sessions to know user behavior or data cannot succeed. That includes not only criminals and miscreants but also competitors and those wanting to steal data. It would also not be possible for others to inject ads or malicious code into secure communications.

For businesses and small bloggers alike, HTTPS has many advantages besides making the site more secure. When the site is seen as secure, visitors are likely to be more confident in viewing the content, clicking on links and doing transactions on the site. Being technologically up-to-date also gives a positive signal to the visitors about seriousness and professionalism of the website owner/ business/ blogger.

Internet browsers have started deprecating HTTP sites. Google Chrome (starting with version 68) has started showing non-HTTPS websites as 'not secure' starting later this year, which would keep users on guard. Mozilla Firefox has not come upfront so far but would follow suit. Other browsers may follow.

Google and HTTPS


It is natural that the credibility gained due to HTTPS implementation puts such sites higher in the eyes of search engines. In fact, Google has publicly stated that HTTPS is a quality signal for search ranking.

How to implement HTTPS on your website or blog?


An HTTPS certificate is issued by certification authorities (CAs), who may or may not be the web hosts. Initially, most web hosts were charging heavily for providing HTTPS security, but now they are learning to give at least the basic security free. Many web hosts are now implementing basic HTTPS on their clients' websites free.

Google has implemented HTTPS on all its Blogger blogs. So, by default, blogs with a .blogspot domain are behind the HTTPS security layer. Blogger now also allows mapped domains to have this security. All WordPress.com (free), LiveJournal and Tumblr blogs also now come with HTTPS security. Your social media accounts come with HTTPS because Facebook, Google and Twitter have implemented it across their platforms.

It is high time to give your blog or website at least the basic HTTPS security if it still lacks it. If your blog is a self-hosted blog or you own a website, you must get an HTTPS certificate without losing time. There is an easy way to get HTTPS certification for free. Let's Encrypt, a free certification authority supported by some top companies, provides it free to websites and self-hosted blogs. You can visit this post on Let's Encrypt for more details. However, if your website/blog offers e-commerce services or you provide premium services through registration, please buy a higher level of certificate from a CA (e.g. Comodo, Symantec, GoDaddy, DigiCert) and implement it through your web host.

SSL security for websites is a must.
Let's make the www more secure with SSL security to websites.

Does HTTPS guarantee against phishing and sniffing?


As said above, there are three types of certificates issued by CAs to cater to different levels of security. Before giving SSL/TLS certificates, CAs need to validate particulars of the website and its owner.
  • Domain-Control Validation only verifies the domain.
  • Organization Validation verifies the identity of the owner organization behind the domain.
  • Extended Validation does the strongest, highly rigorous, checks of the owner's identity.

Thus, if an HTTPS-enabled site has an SSL/TLS certificate with only domain validation, the domain can be trusted as genuine but its owner could himself be of doubtful credentials. So, sites with HTTPS certification of the first type could still be malicious. Moreover, criminals could use HTTPS-enabled websites, such as blogs, where third-party content is allowed. There could also be rogue or corrupted certificates getting issued, or the same certificate getting used for a good site and many bad sites.
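To see which of the three validation types a certificate carries, the following Python sketch (an added example, not part of the original post) guesses the level from the subject fields of the certificate that the server sends during the handshake. The sample certificates and host names are constructed, and the classification is a heuristic that assumes domain-validated certificates name no organization.

```python
import socket
import ssl

# getpeercert() reports the EV jurisdiction attribute by name or by raw OID,
# depending on the OpenSSL build, so both spellings are accepted.
EV_JURISDICTION = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

def subject_fields(cert):
    """Flatten the nested subject tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic DV/OV/EV guess; assumes DV certificates name no organization."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"
    ev = ("businessCategory" in subject and "serialNumber" in subject
          and not EV_JURISDICTION.isdisjoint(subject))
    return "EV" if ev else "OV"

def describe(cert):
    """Summarise which host names are covered and who, if anyone, was vetted."""
    subject = subject_fields(cert)
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    owner = subject.get("organizationName", "owner not verified")
    return f"{validation_level(cert)}: {', '.join(names)} ({owner})"

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with a live server; the default context checks chain and host name."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() layout (not real sites).
DV_CERT = {"subject": ((("commonName", "blog.example"),),),
           "subjectAltName": (("DNS", "blog.example"), ("DNS", "www.blog.example"))}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Shop LLC"),),
                       (("commonName", "shop.example"),)),
           "subjectAltName": (("DNS", "shop.example"),)}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("1.3.6.1.4.1.311.60.2.1.3", "US"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Bank Inc"),),
                       (("commonName", "bank.example"),)),
           "subjectAltName": (("DNS", "bank.example"),)}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```

Passing the result of `fetch_cert("your-domain")` to `describe` gives the same summary for a live site. The authoritative marker of the validation type is the certificate policy extension, which `getpeercert()` does not expose.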

However, if you are not doing a monetary or high-security transaction on a website, HTTPS itself is a first level of assurance that you are using a safe site (yes, with rare chances of phishing). For confidential transactions, you must be sure that the website uses a higher level of certification, seen as a padlock and the company's name before the URL.

As a blogger or website owner, even if you use only the first level of HTTPS certification, that has many advantages, as listed above. Not having HTTPS in 2019 is suicidal, as you would lose trust and traffic to your competitors.