Breadcrumbs

Benefits of making your website use HTTPS

HTTPS gives your website added security and privacy. As more websites move to HTTPS, more of your website visitors will expect your site to use it. From July 2018, Chrome will display ‘not secure’ on all web pages that don’t display over HTTPS.

What is HTTPS?

You are probably familiar with the HTTP part of a URL, the added ‘s’ stands for secure. This means the website uses a protocol called transport layer security (TLS). This technology encrypts the information going between the website and the computer. This means that if an attacker intercepts the information, they can’t read or change it.

You may hear people refer to SSL, which is an outdated version of the protocol.

What HTTPS looks like in a browser

You can tell when a website’s information is encrypted by looking at the address bar at the top of your browser. Depending on which browser you’re using, there may be a green padlock on the left or right and often the word ‘secure’ next to it.

Note: this means your connection with the website is secure, rather than the whole website.

Benefits of using HTTPS

There are several benefits to adding HTTPS to your website and it is affordable to implement.

Trust in your website

The public recognise that a website with a green padlock is more trustworthy than one without. It sends a signal to website visitors and potential customers that you take their privacy seriously.

81 out of the top 100 websites globally use HTTPS by default. Source: Google External Link

Some scammers take advantage of this by adding HTTPS to their website, to make it seem more legitimate. Remember: the green padlock says the information is sent securely not that the website you’re interacting with is safe.

Limit browser warnings

From July 2018, Chrome will show any website not using HTTPS as insecure. This will show in the browser address bar, next to the URL, on any webpage that uses HTTP. You can avoid any potential customers getting this warning on your website if you implement TLS by 30 June 2018.

Graphic of how Chrome displays a non secure website in the browser

Figure 1 How HTTP pages will appear before and after July 2018. Source: Google External Link

 Chrome is already marking any web pages with text fields (such as a form) as Not Secure in the browser if they are not using HTTPS. Since it was implemented in October last year, Google reported visits to these pages has reduced by 23%. External Link

Security

Information on a webpage goes through several points between a browser and a webserver. An attacker could intercept the information at any of the points along this path. By encrypting the information using TLS, you prevent anyone from stealing your customer’s data or from putting their own data onto your website. On sites that use HTTP instead of HTTPS attackers can insert ads or malware onto a webpage without the website owner knowing, this is known as a man-in-the-middle attack. Sometimes visitors may not realise they have unintentionally downloaded malware from your website.

Man-in-the-middle-attack External Link

Google’s Why HTTPS External Link

Search ranking

Serving information over HTTPS is a factor search engines use when ranking your website in search results. This means using TLS (or HTTPS) will give your website a boost in search results pages when compared to similar pages that don’t use HTTPS.

As more sites implement HTTPS, it will be more obvious when your site doesn’t have it and it will be harder for customers to search for your page.

Implementing it

To make your website use TLS you will need a digital certificate, called a TLS certificate. It's sometimes called a SSL certificate, which is what the older protocol is called.

If you have technical support staff, talk with them about moving to HTTPS. If you manage your own website, ask your hosting company if they provide SSL/TLS certificates. If they do, they can probably help you implement it as well.

They will need to:

  1. get and implement a SSL/TLS certificate
  2. add a permanent redirect to your site (from HTTP to HTTPS)
  3. update any links to third party scripts to include HTTPS.

You will need to:

  1. update any links inside the content (e.g. to images, downloads, tools) to include HTTPS
  2. set a reminder for a month before the certificate expires, so that you can renew it in time and avoid any warnings when it runs out.