Why Your Website Developer Failed You Without an SSL Certificate
The browsers are done asking politely-time to migrate to HTTPS.
For all the websites out there that are still using HTTP, we want to talk about the importance of providing secure connections to your website by migrating to HTTPS before Google Chrome gives you an ugly surprise by slapping a "not secure" label next to your URL in its address bar.
You likely have heard about HTTPS, which is the secure version of HTTP (the internet communication protocol that is used to "talk" to websites). You may even know why it's important, but think that it does not apply to your site. We are here to tell you that in 2017, HTTPS is going to be a requirement for every website on the internet. No exceptions.
If you have not been keeping up with developments in web standards, you may have missed the initiative that has been emerging over the last few years: the web community is making SSL encryption a baseline security requirement, and it realistically won't be possible to stay on HTTP much longer.
We have put together a thorough and up-to-date argument about the benefits of acquiring SSL (and serving your site over HTTPS) and how key internet players (the likes of Google, Mozilla, Microsoft, Apple) have put it at the core of the web.
If you think adopting HTTPS is still only about adding secure connections to your site, you need to read this:
First, the basics: HTTPS encrypts your visitor's data and provides integrity, so that the no one can modify or read what's being sent and received or perform a man-in-the-middle attack. It helps protect you from attackers big and small - from governments to coffee shop hackers.
Security is the core purpose of HTTPS. So, while we are excited to tell you about the other benefits (better performance, better SEO) we don't want you to forget about this one.
If you are handling any personal information at all - passwords, addresses, financial data, etc. - using encryption ensures that the data is securely traveling to your servers without the risk of tampering or theft. You MUST start using encryption if you are collecting this type of data or it's only a matter of time before your users' safety will be jeopardized. Any business or organization that has a reputation to maintain (or build) needs to be serving its site over HTTPS to secure its connections and protect communication-a data breach could be devastating to your brand. Per the National cyber security Alliance, 60% of small businesses that suffer a hack or breach end up going under within six months of the incident.
Secure by Default
But HTTPS is not just about protecting personal data. Every byte that travels to and from your server deserves equal protection. We have entered the "secure by default" era - where security is becoming a core piece of a system's design instead of an afterthought.
With evidence of wide-spread internet surveillance, governments paying millions of dollars to hack political activists, and phishing campaigns hitting everyone, it's no wonder that our industry has realized that security is a necessity and not an option.
Encryption has gained a ton of traction and adoption since Edward Snowden leaked documents showing just how much of our plaintext internet activity was being monitored and recorded. Major civil liberties advocates and privacy groups have adopted the call to encrypt the web to protect us from this threat.
"[W]e plan to label all HTTP pages as non-secure."
But encryption isn't just for protecting yourself from the big bad guys. Comparably benign threats - like ad injection - can also be stopped by HTTPS. It's unfortunate, but service providers have shown they will modify your webpage and abuse your privacy if it's not protected. By providing authenticated connections, HTTPS prevents that sort of network-level tampering on your site. This ensures you can give a consistent experience to your users and that the bytes you are sending are the only ones your visitors receive.
Finally, when someone connects to your site, it is their data that is being put onto the internet. You should give them the option to keep that data secure by providing encryption. This is particularly relevant in situations where a user may want to keep his or her browser history private. Without HTTPS, it's easy to track what pages someone was viewing on your site. With HTTPS, some degree of anonymity can be maintained while browsing.
The Internet of Tomorrow Will Be Encrypted
Now, internet giants like Google, Facebook, Mozilla, and the IETF are planning on making sure the future of the internet is using HTTPS. Meaning that soon, unsecure HTTP will become a thing of the past.
Perhaps the largest reason for this, at least long-term, is that all the major browsers - Chrome, Firefox, Edge, and Safari - have decided that HTTP/2 will only be available to sites that use HTTPS. This major upgrade to the HTTP protocol (the first in nearly two decades) brings huge performance improvements (here is a brief introduction to HTTP/2). For the internet, this jump from HTTP/1.1 to HTTP/2 is going to be like upgrading from horse-drawn carriages to motorized cars.
While it will likely take years, the entire internet will slowly migrate to HTTP/2. When that does happen, the death of unsecure HTTP will be official. Migrating to HTTPS isn't a question of "if," it's a question of "when."
We think we have a pretty good case for why 2017 should be the year you adopt HTTPS:
Insecure Sites Will Be At a Disadvantage
So far we have talked about how encryption protects you, and why the internet community is moving towards an HTTPS-only future. But what we haven't mentioned is that sites that remain on insecure HTTP will be at a competitive disadvantage.
In order to effectively motivate the millions of websites out there to migrate, there are both incentives for adopting HTTPS, and penalties for failing to.
The biggest penalty will be coming from Google and Mozilla, who's Chrome and Firefox browsers- which make up 50% of the browser market - will be warning users when they visit HTTP sites.
This behavior is already starting.
Both upcoming releases of Chrome (v56) and Firefox (v51) - which are due out the last week of January - will display a warning for any HTTP page that contains a password field or credit card form. Chrome's warning will be more severe - on the left-hand side of the address bar it will read "Not Secure." Firefox will show a broken padlock icon.
As a website owner, you need to seriously consider what the effects of your users seeing that their browser has called your site "Not Secure" will be. We don't like to cause undue fear, but this is serious and will negatively affect conversation rates, bounce rates, and your users' confidence.
In addition, Google has been applying a SEO rankings boost to pages using HTTPS since 2014. Some data has shown as much as 5% jump just from this ranking signal.
On to the benefits of SSL…
HTTPS is faster than ever
TLS is the protocol that powers HTTPS. The next version, TLS 1.3, will be finalized and supported by consumer libraries like OpenSSL this year.
It's the first major upgrade to TLS in nearly a decade, and it brings with it a lot of improvements and optimizations. TLS 1.3 will implement new "zero round-trip" handshakes, which will make connections faster. In fact, HTTPS can already be faster than HTTP, and TLS 1.3 will only broaden its lead.
The TLS 1.3 designers have also done their own version of spring cleaning - ridding the new version of aging encryption methods which added more complexity than true security benefits. This means simpler configurations and less blank-staring at huge lists of settings.
HTTPS is easier than ever
Five years ago, developers would have probably winced when asked to set up HTTPS. But today it is a totally different story. HTTPS has gone from an essential yet sidelined technology, to one of the most important aspects of your website.
Internet giants like Google and Mozilla aren't just mandating HTTPS with a memo. They are building suites of tools and new browser behaviors to make it easier than ever to get your site migrated to HTTPS.
Google started by simplifying its security UI to make it easier for average users to understand. Then it built a brand new "Security" section in Chrome's Developer Tools to make troubleshooting HTTPS painless. Then it worked on open standards like Content Security Policy to provide more security.
Mozilla built a tool that automatically generates secure SSL/TLS settings for your webserver. Facebook built a free tool to monitor Certificate Transparency logs to make sure you know when and where certificates are being deployed for your domains.
After you have your certificate installed, free tools like SSL Labs can test your server to make sure everything is working properly.
There are more benefits than ever
There are so many reasons to migrate to HTTPS that it is honestly hard to cover them in one post. Since we have already talked for a while, we are going to give you a rapid-fire bullet-point list. Every single one of these links to a great resource where you can learn more (and to convince your colleagues that migrating is a great idea):
- HTTP/2, the literal future of all web communication, requires that you use HTTPS.
- Google gives you an SEO rankings boost for using HTTPS.
- Your site can be faster with HTTPS than HTTP. Seriously.
- Google Chrome will slowly turn up the heat on HTTP, eventually marking it "Not Secure."
- Browser features that expose more sensitive user information - including location data, webcam access, and persistent storage - require HTTPS.
- Cutting-edge technologies like AMP, Service Workers, and Progressive Web Apps require HTTPS.
- All iOS apps will require HTTPS connections to backend servers.
- Of course, let's not forget the core benefit of HTTPS: encrypted data and an authenticated connection.
- Many other security and web experts agree: HTTPS is the right choice.
A lot of these developments, while important, are not exactly headline material. It's easy to miss that an existing feature you use, or a new feature you like, is going to be HTTPS only.
But now it's time to see the bigger picture. All these small changes are adding up to a very big change: the end of HTTP. In 2017 we are going to see a massive number of sites adopt HTTPS, and the list of benefits will continue to grow. We don't want to see anyone get left behind, so put an HTTPS migration on your development roadmap today.