WEB SECURITY blog

Why is HTTPS important?

March 27, 2018 02:03 pm

Agnes Talalaev
Digital Communications

Google says your website address must begin with https. But why is it important?

63.2% of internet users use Google Chrome as their browser. The latest updates Google has made to Chrome ensure that any website without a security layer (TLS certificate) is marked as insecure. In July 2018, the Google Chrome browser marked all non-HTTPS sites as ‘not secure’.

TLS Certificate

So what are a TLS certificate, HTTP and HTTPS?

HTTP stands for Hypertext Transfer Protocol. It is used to transfer data from a web server to the browser so that web pages can be viewed. HTTP without the “S” means that the transferred data is not encrypted. It can therefore be intercepted by third parties, meaning that without encryption a hacker can steal your data or login information.

Data is transferred safely when a security layer is used: TLS (Transport Layer Security), which is enabled on a site with a TLS certificate. TLS creates a secure, encrypted connection between server and browser and therefore keeps your data safe. Having a certificate also makes your site look trustworthy.

Without HTTPS, any data passed is insecure. This is especially important for sites where sensitive data is passed across the connection, such as e-commerce sites that accept online card payments, or login areas that require users to enter their credentials.

By clicking on the green padlock next to the URL, you can check whether the certificate is valid, who issued it and when it will expire.

“HTTPS and making sure your site is secure is an imperative at this point… Google will start marking things non-secure… The future of the web is a secure one, and so make sure people in your organization understand HTTPS, and it should be on the roadmap” – Thao Tran (Global Product Partnerships at Google)

Not just security: having TLS directly improves your website’s SEO and conversion.

Think about an e-commerce site: when was the last time someone bought something online from a website they didn’t trust? People do not usually buy from a page that seems fishy. So not only will the site’s reputation be questioned, but empty shopping carts will be left behind too.

What a website or e-commerce site owner can do is make the “why trust this site?” visible to the customer. This is where the EV certificate (explained later) comes in handy.

“Fitness Footwear, the largest independent footwear retailer in the UK, for instance, saw shopping cart abandonment drop by 13.3 per cent and conversions increase by 16.9 per cent after adopting an EV TLS certificate.”

(Source: Symantec)

As for HTTPS and SEO, Google has stated that security has always been “a top priority” for them. Google’s Gary Illyes (Google Webmaster Trends Analyst) said that the company’s HTTPS ranking boost may serve as a tiebreaker when the quality signals for two search results are otherwise equal. So having HTTPS gives a small head start on the road to the top.

So, looking for an HTTPS certificate?

First, there are different types of HTTPS certificates, so you need to find out which kind suits your business best.

  • OV – Organisation validated. Verification checks are carried out on the organisation, confirming that the organisation owns the certificate and corresponds to the intended recipient. This is the best-suited certificate type for medium-sized businesses.
  • EV – Extended validated. It offers a higher level of assurance and undergoes a more rigorous validation process. An EV certificate can be recognized by the ‘green’ bar before the URL, making it a reliable certificate to go with. It’s recommended for sites conducting financial transactions; you could say it’s the best certificate for eCommerce.
  • DV – Domain validated. Validation is an automated process, and DV is not recommended for sites doing financial transactions. However, it is a cheap certificate that is issued within a couple of minutes, and it is basically for info-based sites and small businesses.

(Source: Securitygladiators)

So before buying your HTTPS certificate, you need to know what level of encryption your business needs. If your site offers a credit card option, you need 128-bit or higher encryption. We definitely also recommend OV for small businesses, because statistically small businesses are the ones attacked the most.

Lastly, make sure your certificate is well configured.

It’s common for hosts to let you enable a free DV certificate directly from the hosting dashboard. Unfortunately, this often causes configuration errors in which traffic is sent to HTTPS by default but HTTP access is still available. This allows a potential attacker to redirect visitors back to HTTP and capture credentials and traffic in plain text, even when you thought you were covered.

You can quickly check your configuration with our free scanner here: HTTPS SCAN
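
The misconfiguration described above can also be checked by hand: request the plain-HTTP address without following redirects and see whether it answers with content instead of a redirect to HTTPS. The Python below is an added example, not the scanner's code or anything from the original article; it goes one step beyond the text by also looking for the Strict-Transport-Security (HSTS) header, which tells browsers to refuse plain HTTP for the site. The host `shop.example` and the sample responses are constructed.

```python
import http.client
import sys
from urllib.parse import urlsplit

def fetch(scheme, host, path="/", timeout=5):
    """Return (status, headers) for one GET, without following redirects."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-config-check"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def hsts_max_age(headers):
    """Parse max-age from Strict-Transport-Security; 0 if absent or malformed."""
    for part in headers.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age":
            value = value.strip('"')
            return int(value) if value.isdigit() else 0
    return 0

def assess(http_resp, https_resp):
    """Classify the setup from two (status, lowercase-keyed headers) pairs."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 303, 307, 308):
        # Port 80 serves the page itself: visitors can stay on plain HTTP.
        findings.append("http-served-without-redirect")
    elif target.scheme != "https":
        # A relative or http:// Location keeps the visitor on plain HTTP.
        findings.append("redirect-not-to-https")
    if hsts_max_age(https_resp[1]) == 0:
        # Without HSTS the browser will keep trying http:// on later visits.
        findings.append("hsts-missing")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = ((200, {"content-type": "text/html"}), (200, {}))
SAMPLE_GOOD = ((301, {"location": "https://shop.example/"}),
               (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of a host you operate
        print(assess(fetch("http", sys.argv[1]), fetch("https", sys.argv[1])))
    else:
        print(assess(*SAMPLE_WEAK), assess(*SAMPLE_GOOD))
```

An empty list means HTTP is redirected to HTTPS and HSTS is set; any finding names the gap to close in the web server or hosting configuration.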

There are many certificate providers, and we certainly cannot say that one is better than another, but we will recommend two: Symantec and Comodo.
