15 December 2016

Transitioning your site to HTTPS

By Chris Everett

Historically, it has been common practice for sites to run on HTTP, the standard for data communication on the World Wide Web. In this scenario, no SSL certificate is in place to provide HTTPS, the secure form of that protocol.

Last quarter Google advised that all HTTP sites transition to a secure connection via HTTPS:

Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

[Image: Google treatment of HTTP pages]

Most users are apprehensive about submitting sensitive information without this security in place. Encrypting even CMS passwords in transit can help prevent a hacker from intercepting your password when you log in. For instance, any user accessing your website from a public Wi-Fi connection (such as at a cafe) can be eavesdropped on fairly easily by other users at the same location. Eavesdroppers can see what is typed into forms on non-SSL sites, so the risks depend on what sorts of forms you have available. Even if the risk is low with regard to your site itself, you should also consider that some users re-use passwords on many websites, so the risk may extend to sites and situations that are beyond your control.

Even if your website doesn’t contain sensitive information, using SSL is still a good idea. Providing a more secure browsing environment will make the user feel safer while on your website. Furthermore, Google's search ranking algorithms are beginning to favour sites using SSL over those that are not, a trend that is likely to strengthen and become commonplace over time.

As a programme of work in the new year, Sparks will be working with clients to investigate and implement security certificates. Implementing an SSL certificate can be a complicated process: each individual site may present quite a few traps, such as externally loaded resources (iframes) or hard-coded resources in content (predominantly via the WYSIWYG editor). Some servers can support a free certificate using services like Let's Encrypt, while others require purchasing a certificate for annual renewal.
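The hard-coded and externally loaded resources mentioned above can be located before the switch by scanning stored page content for http:// subresources. The following Python script is an added example, not Sparks' own tooling; the tag selection and the sample HTML (with placeholder hostnames) are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource (example selection).
FETCH_ATTRS = {"iframe": "src", "script": "src", "embed": "src", "object": "data",
               "link": "href", "img": "src", "audio": "src", "video": "src",
               "source": "src"}
# Subresources that can take control of the page; browsers block these over HTTP.
ACTIVE = {"iframe", "script", "embed", "object", "link"}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, kind, url) for every hard-coded http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:          # e.g. <a href>: navigation, not a subresource
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return                # canonical/alternate links are not fetched
        url = a.get(attr, "").strip()
        if url.lower().startswith("http://"):
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of WYSIWYG-edited content (hostnames are placeholders).
SAMPLE = """<p>Read <a href="http://partner.example/about">about us</a>.</p>
<img src="http://cdn.example/banner.png" alt="Banner">
<iframe src="HTTP://video.example/embed/123"></iframe>
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="canonical" href="http://www.example/page">"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

Ordinary links, protocol-relative URLs and canonical tags are deliberately not reported, because the browser does not load them as part of the HTTPS page.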

Rolling out the changes requires extensive testing, collaboration with the hosting company and client time to heavily test the site before and after deployment.

If you have concerns about your site security, email your producer today to find out more.