Google HTTPS Everywhere: A Case for SSL Certificates


Note: This post has also been published on Medium.com

A few years back, Google announced their HTTPS Everywhere initiative at Google I/O 2014. Their message was clear: in an effort to promote better security and privacy on websites, HTTPS will be used more and more as a ranking signal in the years to come. Recently, it was announced that Google will start indexing HTTPS pages by default, effectively favoring them over non-secured pages. I’ve been questioning Google’s emphasis on HTTPS since it was announced, trying to understand the reasoning and what it all means for my clients. I’ve come to the conclusion that Google’s HTTPS Everywhere initiative is a good thing.

Now, many SEO experts, online marketers, and others have jumped on this, claiming that everyone now has to install an SSL certificate on every site. Many of the claims just seemed bogus, like the sky was going to fall if your website didn’t have an SSL certificate on it. At first, I was highly skeptical and didn’t understand the need to put a cert on every site. At the time of the announcement it felt excessive, especially on sites that don’t have any functionality that would require securing information with encryption. Not only that, but Google was clear that the bump one would get from this was relatively minor. It just isn’t a strong ranking signal. At least not yet.

Setting aside any misinformation and bogus claims, there are some highly legitimate reasons why you should install an SSL certificate on your website:

Privacy

One of the key benefits of HTTPS is the ability to protect users from eavesdroppers. All data is encrypted between the server and browser, thus making it really difficult for a hacker to intercept and steal any information. This is especially important if you are capturing any visitor information using a form on your website. Without an SSL certificate, any unencrypted information passed over a series of networks could potentially be intercepted, captured, and collected, which is no bueno! Regardless of how passive you think the forms on your website might be, if you’re using them in an unencrypted manner be very mindful of how your visitors might take to having that information captured by someone other than you.

Another key benefit lies in the ability to assure the user that the site they are accessing is who it says it is. An SSL certificate can be validated at the domain level or the organization level. This helps the visitor of your website know that the domain they are on is legitimate and gives them a greater level of confidence in performing certain tasks on your website…like filling in and submitting a contact form.

If you have a personal site, Facebook app, a simple contact form, or the like, you can probably get away with having a Domain Validation (DV) SSL certificate. Otherwise, if you run a business then it’s worth looking into either an Extended Validation (EV) or an Organization Validation (OV) SSL certificate. The difference is primarily in the extra steps required to validate your company. OV and EV SSL certificates do cost more but they also imply more trust which might be good for your business…especially if you’re running an e-commerce site.

Security

Security is by far the biggest reason to have an SSL certificate installed on your website. If you are using any sort of CMS at all, you need to secure and encrypt transmissions to and from your website. There isn’t a month that goes by when I don’t hear about a security issue and/or patch being issued for one of the more popular CMS platforms (cough! WordPress!). Most of these involve either SQL Injection or Cross-Site Scripting (XSS) hacks. Granted, having an SSL certificate won’t stop every hack, but it might help to curb the attacks that can’t be carried out against an encrypted HTTPS connection.

Another security problem has to do with the potential for JavaScript injection at Wi-Fi hotspots. Within the last year or so, there have been numerous reports of advertising injection on free Wi-Fi hotspots. AT&T, Comcast, and Time Warner are all guilty of this behavior. In fact, I recently stumbled on a TWC Wi-Fi hotspot and received this ad:

Did TWC just hack my website?

This has opened up a huge can of worms! The problem I have with this is that if companies with free hotspots can do this, what’s to stop a hacker from setting up a fake hotspot that does the same thing? Imagine hopping on what you think is a free TWC hotspot, visiting an unencrypted site, only to learn that your computer just got hacked or, worse, the site you just visited gets hacked!

Google is aware of this and other issues related to the hacking of websites. In fact, the whole HTTPS Everywhere initiative revolves around the idea that if every site you visit is encrypted then hackers can’t hack you or them so easily. Thus, if I visited a site with an SSL certificate installed, I would not have seen that TWC ad on their hotspot. After all, how can they tamper with the loading of a script if the communication between me and the server is encrypted?

Let’s be clear though: Having an SSL certificate alone does not make you invulnerable to hacking. It will certainly slow down a hacker but, even then, if there’s a way to hack your site even with encryption in place, a good hacker will know how to exploit it. Regardless, the cost of running a website without encryption is higher than the cost of running one with it. Bottom line is that an SSL certificate is a relatively cheap deterrent against hackers on your website.
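Both risks described above, forms that submit visitor data unencrypted and scripts that a hotspot can rewrite in transit, can be checked for on your own pages. The Python sketch below is an added example, not part of the original post; the `audit` function, its finding labels, and the `example.test` sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that submit data or load active content, and the attribute holding the URL.
URL_ATTRS = {"form": "action", "script": "src", "iframe": "src", "link": "href"}

class TransportAudit(HTMLParser):
    """Collects forms and active subresources that travel over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        value = a.get(attr) or ""
        if not value and tag != "form":
            return  # inline script or empty src: nothing is fetched separately
        # A form with no action submits to the page's own URL; urljoin covers that,
        # as well as relative and protocol-relative (//host/path) references.
        target = urljoin(self.page_url, value)
        if urlparse(target).scheme == "http":
            self.findings.append(("cleartext-" + tag, target))

def audit(page_url, html):
    """Return (kind, url) pairs for everything on the page sent without TLS."""
    parser = TransportAudit(page_url)
    parser.feed(html)
    findings = parser.findings
    if urlparse(page_url).scheme == "http":
        findings.insert(0, ("page-in-clear", page_url))
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/jquery.js"></script>
<script src="//stats.example.test/t.js"></script>
</head><body>
<form action="http://www.example.test/contact.php" method="post"><input name="email"></form>
<form method="post"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for url in ("https://www.example.test/contact", "http://www.example.test/contact"):
        print(url, audit(url, SAMPLE_HTML))
```

Served over HTTPS, the sample page still has two cleartext paths (one script and one form); served over HTTP, every resource and both forms are exposed.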

Conclusion

I’m going to be frank: Not having an SSL certificate installed on a website is getting close to being considered irresponsible. If you are capturing visitor information on a form in an unencrypted manner (Which I have been doing for years! Sigh.) then you’re doing something wrong. It’s so easy to simply say “It’s just a simple contact form!” and not encrypt the page with an SSL certificate. But in doing so you do your visitors a great disservice. Beyond that, there are other privacy and security issues that go well beyond just the encryption of form submissions. The cost of having your visitors’ personal information stolen or your website getting hacked is so much higher than the cost of an SSL certificate each year. In most cases, you can secure a personal site for as little as $10 a year. There’s just simply no excuse not to do it anymore.

Be nice to your visitors and enhance their experience with better privacy and security on your website! Install an SSL certificate and be a part of the HTTPS Everywhere initiative! :)