Are You Using HTTPS For Your Business Website? Why You Should (Questions & Answers)

When you browse the Internet looking for a product, topic, or service, do you check whether the URL begins with HTTPS? Do you own a website, and if so, does its URL begin with HTTPS? If not, it will soon no longer be considered secure. If you want people to find your website on Google, it’s important to fix your website now.

What Is HTTPS?

HTTP is an abbreviation meaning “hypertext transfer protocol.” It allows communication between different systems on the Web. It transfers data from a web server to your browser so you can view the website’s pages. HTTPS in the URL indicates that a layer of security exists on a website. The “S” stands for secure.

But according to a Google report in October 2017, many sites still use HTTP instead of HTTPS. In fact, about 79 of the top 100 non-Google sites use HTTP instead of HTTPS. And 67 of these are using outdated encryption technology or no encryption at all.

Developers are making steady progress converting HTTP sites into HTTPS sites, but it may be a long time until there’s 100% compliance. Google is striving to have HTTPS on all websites.

So, What’s The Big Deal Anyway?

When you view an HTTP URL, the page content you’re viewing can be detected by anyone who gains access to your network. They can also tell what other sites you’ve visited.

Essentially, your web browsing isn’t private when you go to HTTP sites. When you visit an HTTPS site, the only thing the hacker or intruder can view is the domain of the website, not what you’ve done on the website (like purchasing something from Amazon).

For this reason, it’s especially important that you only use HTTPS sites when you’re purchasing anything or performing tasks like accessing your bank account. Without encryption (HTTPS), your confidential web activity can be intercepted, changed, and stolen by attackers using the same network.

What Will Happen If We Don’t Use HTTPS On Our Website?

It’s very important that your business website begins with HTTPS. Many people won’t visit your site if it’s not secure.

And starting this month (July 2018), Google will label your website “not secure” unless you use HTTPS. On February 8, 2018, Google posted this message:

“Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure.’”

This means anyone using Chrome will automatically be directed away from non-HTTPS encrypted websites, regardless of whether they’re a legitimate site or not.

Trust is important to consumers and business professionals who might visit your website. If they don’t believe it’s secure, they could move on to your competition.

Plus, websites like GitHub Gist keep a running list of all the sites they’ve found that aren’t secure. How damaging would it be if your website were on their “shame list”? It could ruin the reputation of your business.

Will HTTP Affect Our Website Ranking On Google?

Yes, if you don’t switch to HTTPS, Google will drop your ranking. They started doing this back in 2014. They even published best practices for secure websites. The list of things you must do is pretty long and complicated. So, make sure whoever is managing your website knows what they’re doing.

Here are some of the basics Google suggests:

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate.
  • Use 2048-bit key certificates.
  • Use relative URLs for resources that reside on the same secure domain.
  • Use protocol-relative URLs for all other domains.
  • Check out our Site move article for more guidelines on how to change your website’s address.
  • Don’t block your HTTPS site from crawling using robots.txt.
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
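
Several items on this list can be checked mechanically. The script below is an added example, not Google's code or part of the original article: it flags resources loaded over plain HTTP, a noindex robots meta tag, and a robots.txt that blocks crawling. The host www.example.com, the sample page and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# (tag, attribute) pairs that make the browser load a resource or submit data
RESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                  ("link", "href"), ("form", "action")}

class PageAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A robots meta tag containing "noindex" keeps the page out of search results.
        if tag == "meta" and (attrs.get("name") or "").lower() == "robots":
            content = attrs.get("content") or ""
            if "noindex" in content.lower():
                self.findings.append(("noindex", content))
        # Ordinary <a href> links are not resources, so they are not flagged.
        for name, value in attrs.items():
            if (tag, name) in RESOURCE_ATTRS and urlsplit(value or "").scheme == "http":
                same = urlsplit(value).hostname == self.site_host
                self.findings.append(("same-host-http" if same else "other-host-http", value))

def audit_html(html, site_host):
    parser = PageAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

def robots_blocks(robots_txt, url, agent="Googlebot"):
    """True if this robots.txt stops the crawler from fetching the HTTPS URL."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    return not rules.can_fetch(agent, url)

# Constructed sample page for the hypothetical site www.example.com
SAMPLE_HTML = """<html><head>
<meta name="robots" content="noindex, follow">
<link rel="stylesheet" href="/css/site.css">
<script src="http://www.example.com/js/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body><img src="http://images.example.org/logo.png">
<a href="http://other.example/">partner</a></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "www.example.com"):
        print(finding)
    print(robots_blocks("User-agent: *\nDisallow: /\n", "https://www.example.com/"))
```

The relative and protocol-relative URLs in the sample pass; the two absolute `http://` resources and the noindex tag are reported.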

Google also suggests that you test the security of your website.

What Do We Look For When Testing The Security Of Our Website?

There are many free and paid-for tools on the Internet you can use. But, basically, this is what you want to know.

You should check your website’s security on a regular basis. These are some of the things you should always test. There’s another term for this: web application penetration testing. This is where a team of ethical hackers (your IT Provider should be able to help you) tests your site for security. Ethical hackers know where to locate the weak points in your website. And they know how to remediate any vulnerabilities and protect your website against security attacks.

Some of the website security tests they conduct include:

  • Login Testing: If this is compromised it can reveal confidential user information to hackers. Also, be sure to test unsuccessful login attempts to make sure people are locked out if they enter the wrong credentials after a specific number of attempts.
  • Feedback Form Testing: Ensures your online forms are working properly and tested for security. Again, your IT professionals can help you with this.
  • Credential Testing: Ensures the integrity of your credential encryptions and that a hacker can’t access them.
  • User Session Timeout Testing: Ensures the integrity of user sessions. For example, you want to make sure that when someone logs out of your site, the session is truly terminated.
  • Testing For Website Attacks: Ethical hackers will run popular website attacks to see how well your site holds up against them.
  • Access Tests: To ensure the permissions you’ve set are actually working and that users only have the access you’ve specified.

Switching to HTTPS and running website security tests aren’t enough. You also need a Web Application Firewall for assurance.

What’s A Web Application Firewall?

This is a type of firewall deployed between your web servers and the Internet. Your IT Provider can set this up for you. It’s usually a standalone device that filters each incoming and outgoing message. However, there are now cloud-based and software-based solutions for this. These monitor and block malicious data as it’s transmitted to and from your website.

The Web Application Firewall (WAF) inspects data packets and only lets them through if they meet specific rules in the firewall rule base. It will stop attacks and breaches coming from the Internet and external networks.

A rule base can be set to allow all traffic through unless there’s a rule to prevent it. The most commonly used method is to set the rule base to not let traffic through unless it meets an explicit rule to allow it.
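
The two rule-base styles described above, run against the same traffic, as an added example that is not part of the original article or any WAF product's configuration. The rule format, paths and sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    methods: frozenset   # HTTP methods the rule applies to
    path_re: str         # regex that must match the whole request path

    def matches(self, method, path):
        return method in self.methods and re.fullmatch(self.path_re, path) is not None

def decide(rules, default_action, method, path):
    """First matching rule wins; otherwise the rule base's default applies."""
    for rule in rules:
        if rule.matches(method, path):
            return rule.action
    return default_action

ANY = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"})

# Rule base A: let all traffic through unless a rule prevents it.
DEFAULT_ALLOW_RULES = [
    Rule("block", ANY, r"/admin(/.*)?"),
    Rule("block", ANY, r".*\.(bak|sql|zip)"),
]
# Rule base B: let nothing through unless a rule explicitly allows it.
DEFAULT_BLOCK_RULES = [
    Rule("allow", frozenset({"GET", "HEAD"}), r"/"),
    Rule("allow", frozenset({"GET", "HEAD"}), r"/products/\d+"),
    Rule("allow", frozenset({"POST"}), r"/contact"),
]

REQUESTS = [  # constructed sample traffic
    ("GET", "/products/42"),
    ("POST", "/contact"),
    ("GET", "/admin/users"),
    ("DELETE", "/products/42"),         # method the site never uses
    ("GET", "/old/site-export.tar.gz"), # path no rule anticipated
]

def compare():
    """Return (method, path, verdict under A, verdict under B) per request."""
    return [(m, p, decide(DEFAULT_ALLOW_RULES, "allow", m, p),
             decide(DEFAULT_BLOCK_RULES, "block", m, p)) for m, p in REQUESTS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The last two requests match no rule in either rule base, so the default decides: rule base A lets them through, rule base B blocks them.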

We know this is a lot of information to take in and it can be confusing. Plus, Google is always changing their ranking rules, so this is a “moving target.”

The team at Steadfast Solutions is always available if you have any questions about your website or web activity. 
