15 December 2016

Transitioning your site to HTTPS

Historically, it's been common practice for sites to be running on HTTP, the standard for data communication on the World Wide Web. As such, in this scenario, an SSL certificate is not implemented to provide HTTPS; a secure form of the aforementioned protocol. 

Last quarter Google advised that all HTTP sites transition to a secure connection via HTTPS:

Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

Google treatment of http pages

Most users are apprehensive when it comes to submitting sensitive information without this security in place. Encrypting even CMS passwords can help prevent a hacker from intercepting your password when you log in. For instance, any user accessing your website from a public wifi connection (such as at a cafe) can be eavesdropped on fairly easily by other users at the same location. Eavesdroppers can see what is typed into forms on non-SSL sites, so the risks will depend on what sorts of forms you have available. Even if the risk is low with regards to your site itself, you should also consider that some users will re-use passwords on many websites, so the risk may extend to sites and situations that are beyond your control.

Even if your website doesn’t contain sensitive information, using SSL is still a good idea. Providing a more secure browsing environment will make the user feel safer while on your website. Furthermore, Google's search ranking algorithms are beginning to favour sites using SSL over those that are not. A trend that is likely to strengthen and become common place over time.

As a programme of work in the new year, Sparks will be working with clients to investigate and implement security certificates. Implementing a SSL certificate can be a complicated process - there are quite a few traps each individual site may present such as with externally loaded resources (iframes), or hard-coded resources in content (predominantly via the WYSIWYG). Some servers can support a free certificate using services like LetsEncrypt while others require purchasing a certificate for annual renewal.

Rolling out the changes requires extensive testing, collaboration with the hosting company and client time to heavily test the site before and after deployment.

If you have concerns about your site security, email your producer today to find out more.

By Chris Everett

More from the blog

Sparks Interactive working from home spaces
Dave Sparks Covid-19 Update: Working on...

 
Sector CMS distribution logo
Dave Sparks Winners NZOSA 2018 for Open Source Use in Business

 

The 2018 winners of the New Zealand Open Source Awards were announced at the gala dinner held at Te Papa in Wellington on 23 October 2018. 
Simplytest.me
Dieuwe de Boer Module A Week: Team Feedback with Simplytest.me

Writing the code is the easy part in open source contributions. Near the end of our very first "Module A Week" week we realised that we needed a way for everyone to be able to effortlessly get involved in testing and providing feedback. This is where simplytest.me came in.
GitLab
Dieuwe de Boer GitLab CI with Behat

This demo uses a basic Docker PHP image, shows you how to pull other repositories using a secret SSH key, change some PHP settings, install Composer, and then run Behat. We are not going to use MySQL to build an entire site, so Behat will be running against a persistent development site that sits elsewhere.