September 6, 2017
By now, unless your site is already set up with an https url, you’ve very likely received an email from your host company or from Google encouraging you to “MIGRATE TO HTTPS”.
This is part of Google’s mission to make the web a better, safer place. It’s the equivalent of homeowners in a previously sleepy, crime-free town waking up to a new big-city reality and putting locks on doors that were previously left unlocked at night.
The “s” in “https” stands for “secure” and means that a site has installed a “secure sockets layer” (SSL) that encrypts the conversations that go back and forth between your website and your visitors and prevents unauthorized parties from observing or listening in on them. It also prevents corruption of data and provides authentication to ensure that communications reach the intended recipient directly.
It used to be understood that you needed this only if your web pages included forms that requested highly sensitive information (like logins, credit card details, social security numbers, etc.), but it is increasingly becoming a good idea for all sites (and all pages).
It’s quite likely that at some point you have clicked a link in a mildly alarming email that seemed legitimate (but wasn’t) and landed on a credible-looking but fraudulent site. Cyber-criminals can slip into any non-secure conversation and do things like serve your trusting visitor a modified version of your site, just like those fraudulent sites, and lure your visitors into clicks and transactions other than those you have created.
Highly trafficked websites that process a lot of payments may attract criminals more than smaller sites, but the trustworthiness of smaller sites can be hijacked for criminal purposes in all kinds of ways—and it is very easy for those with criminal intent and the technical know-how to trawl the web with robots looking for any sites with any security openings and exploit them. This is why Google is making an even bigger push than before.
Your site will still function without the added secure sockets layer—but here’s why it will become a bigger and bigger issue if you leave your site unsecured:
Google began down-ranking unencrypted sites in 2014, although to a minor degree. According to the data in the Google Transparency Report, over 50% of all pages viewed by desktop users are now encrypted and 83% of the U.S. traffic that goes through Google is now encrypted (it differs for other countries). This suggests not only that the trend toward making the upgrade is real, but that the Google search-rank penalty for remaining unencrypted (or weakly encrypted) is already significant.
The new, more aggressive penalties will be put in place early in October (2017), so now is the time to make the change if you haven’t done it already. You’ve probably opened a website and seen that “Your Connection is not Private” notice, followed by a warning that “hackers might be trying to steal your information” and a big button saying “Back to Safety”. This probably won’t be exactly what happens to your site in October without HTTPS, but you will definitely start seeing red “Not Secure” warnings like this in the address bar.
The first step in migrating to HTTPS is to obtain a Secure Sockets Layer (SSL) certificate.
All hosting companies now offer SSL certificates and signing up for the basic-level certificates will cover all needs except transactions that involve credit card and other sensitive information (for this you need the Comodo-level certificates). Going with what your hosting company provides is the simplest solution.
There are free options for SSL certificates (Let’s Encrypt being the best-known) but not all hosting companies make it easy/possible to use them. Dreamhost stands out for making the use of Let’s Encrypt almost a one-click (and completely free) operation. Bluehost, Hostgator, GoDaddy and others all have different offerings—so check the website of your hosting company.
Once your certificate is purchased/installed, your site still needs to be reconfigured to use the new address.
Changes that need attention include:
With all this done, the site should be checked and monitored for a while for any breakdowns. For example, if there are any images within the site that still have “http:” in their path, the page on which they are found will continue to display as insecure. You can run a “site:[yourDomain].com” search on Google to see if all the pages Google is indexing on your site are being found as https: URLs. Google will re-index what it considers your most important pages pretty much instantly when you use the Search Console to “Fetch as Google”, but you may find some of your less-important pages take more time to get fully re-indexed.
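The leftover “http:” references described above can be found mechanically rather than by eye. The Python sketch below is an added example, not part of the original post: it scans a page's HTML for anything the browser still fetches over plain http:, going beyond images to scripts, stylesheets, frames and media. The sample page and its example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> is left out:
# it only navigates, so an http: link there does not make the page insecure.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"),
    "object": ("data",), "link": ("href",),
}
# <link> fetches content only for rel values like these; rel="canonical" is metadata.
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)
    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        rels = set((attr_map.get("rel") or "").lower().split())
        if tag == "link" and not rels & LOADING_RELS:
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(name) or ""
            if name == "srcset":  # comma-separated "url descriptor" candidates
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    """Return (line, tag, attribute, url) for each subresource loaded over http:."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; example.com stands in for your own domain.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/about">
<script src="http://example.com/js/app.js"></script>
</head><body>
<a href="http://example.org/partner">Partner</a>
<img src="http://example.com/images/logo.png" alt="logo">
<img src="/ok.png" srcset="https://example.com/a.png 1x, http://example.com/b.png 2x">
</body></html>"""
if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_PAGE), sep="\n")
```

Relative and protocol-relative (`//host/path`) references are not flagged because they inherit the page's own scheme; URLs set by CSS or JavaScript are outside what this parser sees.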
With everything done right you will benefit by:
If you’re tech-savvy and want to understand this better than I have outlined here, you might like to read this very thorough outline: Google Warnings For Form Input Over HTTP Coming in October
If you made your own site and can understand the technicalities, you’ll be fine making the migration by yourself. If not, get in touch with your designer/developer and have her do it for you.