What is HTTPS?
While you’re probably familiar with the HTTP part of a URL, you may not be as familiar with HTTPS. The added 's' stands for secure. This means the website uses a protocol called transport layer security (TLS) to encrypt information going between the site and the user’s computer. This means that if an attacker intercepts this information, they can’t read or change it.
You may also hear people refer to SSL, which is an outdated version of TLS.
What HTTPS looks like in a browser
You can tell when a website’s information is encrypted by looking at the address bar at the top of your browser. Depending on which browser you use, there may be a green padlock on the left or right of the address bar, and often the word 'secure' next to it. It’s important to note that this means that your connection with the website is secure, rather than the website itself.
The benefits of using HTTPS
There are several benefits to adding HTTPS to your website, and it doesn’t cost much to implement.
Trust in your website
The public recognise that a website with a green padlock is more trustworthy than one without. It shows your website’s visitors — and potential customers — that you take their privacy seriously. According to Google’s security blog, 81 of the top 100 websites globally use HTTPS by default.
However, some scammers take advantage of this by adding HTTPS to their website, to make it seem more legitimate. Remember that the green padlock shows that information is sent securely between the site and your computer. It doesn’t mean that the website is safe.
Limited browser warnings
If your website doesn’t have HTTPS, your visitors may get a warning message telling them that your site is not secure.
For example, when you visit a website or web page that doesn’t use HTTPS on Chrome, it warns you that the connection isn’t secure. A 'not secure’ message displays in the address bar next to the URL. Chrome started showing this message in October 2017, and Google’s security blog reported that visits to these pages dropped by 23% over the next six months.
Information on a webpage goes through several points between a browser and a web server. An attacker could intercept the information at any of the points along this path. By encrypting the information using TLS, you can stop them:
- stealing your customer’s data, or
- putting their own data onto your website.
If your site uses HTTP instead of HTTPS, an attacker could insert ads or malware into any of your webpages without your knowledge. Your customers could also unintentionally download this malware to their computers. This is known as a 'man-in-the-middle' attack.
Better search ranking
Search engines include the use of HTTPS as a factor when they’re ranking your website in search results. This means that using HTTPS gives your website a boost in search results over similar sites that don’t.
As more sites implement HTTPS over time, it’ll become obvious if your website doesn’t have it — and it’ll be harder for your customers to find.
To make your website use TLS you’ll need a digital certificate, called a TLS certificate. It's sometimes called an SSL certificate too.
If you have technical support staff, talk with them about moving to HTTPS. If you manage your own website, ask your hosting company if they provide SSL/TLS certificates. If they do, they can probably help you implement it as well.
They’ll need to:
- get and implement a SSL/TLS certificate for you
- add a permanent redirect to your site (from HTTP to HTTPS)
- update any links to third party scripts to include HTTPS.
You’ll need to:
- update any links inside the content to include HTTPS. This includes links to images, downloads, and tools
- set a reminder for a month before the certificate expires. This will make sure you renew it in plenty of time, and avoid letting it run out.