Should your site use HTTPS encryption by default?

HTTPS is a protocol for secure communication over a computer network. The underlying technology is TLS (Transport Layer Security), and HTTPS is sometimes known as HTTP over TLS. In 2014, Google started to talk about HTTPS Everywhere. This is their effort to make the web a safer place by encrypting data when it's moving and at rest. So far it has made Google search, Gmail and Google Drive all encrypted with the HTTPS protocol.

If you're not a developer or involved in the workings of the web, you will probably have noticed it as part of the web address that appears in your browser. If a site is using the HTTPS protocol, then it will normally show a padlock to the left of the address. The only time you're likely to have seen this on a website is when you're entering sensitive data like credit card numbers into a webpage. Having HTTPS as the protocol means the data is encrypted before it travels back to the server for processing. Google's big idea with HTTPS Everywhere is to encourage the use of HTTPS for all communications from the web, like your website, your music playlists and your tweets.

HTTPS doesn't just deal with encrypting the data coming to and from a website. All three of the following combine to make a secure website:
  1. Authentication - Am I talking to who they claim to be? Am I interacting with my bank or a website that just looks like my bank?
  2. Data integrity - Has anyone tampered with the data whilst it's being returned to me or sent from me?
  3. Encryption - Can anyone see my conversation? Is it protected from eavesdroppers?

One of Google's concerns is that the information flowing between server and client when we browse websites is generally, in itself, pretty boring, and a single intercepted communication will not reveal a great deal of information. However, if millions of pieces of data are intercepted and an aggregate picture is formed, the data becomes far more revealing about our browsing practices.
HTTPS stops someone in your local coffee shop snooping on the data flowing over the public wifi connection. Instead of listening in passively on data over your local coffee shop's wifi, some hackers target a particular user by tricking them into visiting a site that is not the site they expect it to be. HTTPS helps us in this situation with server authentication. When a secure HTTPS certificate is installed on a website, you are providing a guarantee that when the client (your laptop's browser) connects to the server (a computer in a big building somewhere), it is actually talking to the right server. This is what provides the padlock in the browser.

So in conclusion, HTTPS provides us with three important safety features on the web:
  1. Passive & active attackers can't listen in
  2. Active attackers can't tamper with the data
  3. Active attackers can't impersonate the destination
As Google is so large, it feels it has an obligation to improve the infrastructure of the web. Our feeling is that it's protecting the environment within which it trades to secure its future profitability. For this reason, when Google says it's going to do something to change the way the web works, we web developers have to listen.

Furthermore, Google has announced that it will use HTTPS as a lightweight ranking factor. So if you don't have HTTPS on your site, then you may not rank as highly as one that does. Google says at the moment it will affect less than 1% of global queries, and carries much less weight than a page's E.A.T as a page ranking factor, which we discussed in a previous post. Google will give site owners time to make the move, but will no doubt increase the weight of the ranking factor as it aims to make the web a safer place in the future.

The process of moving is fairly straightforward as long as some steps are followed carefully. For example, you have to tell Google that all your pages have moved to a new URL. If you'd like to make the switch, please get in touch with TJS, who can handle every aspect of the process.
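One way to check the "all your pages have moved to a new URL" step after a migration, as an added example that is not part of the original article: the script audits recorded responses to the old `http://` addresses and reports any page that is not permanently redirected to its own `https://` equivalent. The function names and the `example.com` sample responses are constructed for illustration, and the check assumes each `Location` header holds an absolute URL.

```python
from urllib.parse import urlsplit

# Constructed sample data: (requested URL, status code, Location header or None).
SAMPLE_RESPONSES = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/about", 302, "https://example.com/about"),
    ("http://example.com/blog/post-1", 301, "https://example.com/"),
    ("http://example.com/contact", 200, None),
    ("http://example.com/shop?item=4", 301, "http://www.example.com/shop?item=4"),
]

def check_redirect(url, status, location):
    """Return the problems with one HTTP-to-HTTPS redirect (empty list if fine)."""
    if location is None or status not in (301, 302, 303, 307, 308):
        return ["no redirect: page is still served over plain HTTP"]
    problems = []
    # 301 and 308 are the permanent redirect codes; the others are temporary.
    if status not in (301, 308):
        problems.append(f"status {status} is temporary; use 301 or 308 for a permanent move")
    src, dst = urlsplit(url), urlsplit(location)
    if dst.scheme != "https":
        problems.append("redirect target is not HTTPS")
    if dst.hostname != src.hostname:
        problems.append(f"host changes from {src.hostname} to {dst.hostname}")
    # Each old page should map to the same page, not to the homepage.
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("target is a different page, so the old URL is not mapped to its new one")
    return problems

def audit(responses):
    """Map each URL that has at least one problem to its list of problems."""
    report = {}
    for url, status, location in responses:
        problems = check_redirect(url, status, location)
        if problems:
            report[url] = problems
    return report

if __name__ == "__main__":
    for url, problems in audit(SAMPLE_RESPONSES).items():
        for problem in problems:
            print(f"{url}: {problem}")
```

A host change such as adding `www` can be intentional; it is reported here so that it is a deliberate choice rather than a side effect of the move.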