Enabling HTTPS on your website: The importance of secure connections

HTTPS (Hypertext Transfer Protocol Secure) provides secure communication between a website and a visitor. In a heavily connected world where threat actors are hyper-opportunistic, HTTPS provides a layer of protection to websites and the people who use them.

HTTPS on a website is enabled with an SSL certificate, which hosts nowadays include in their hosting packages. SSL certificates are used to establish a secure connection between a web server and a visitor’s browser, ensuring that all data exchanged between the two is encrypted and secure. 

Why you should enable HTTPS on your website

The presence of an SSL certificate is usually indicated by a padlock icon in the address bar, followed by https://. If it’s in place on your website, you’re in luck because it brings a number of important benefits to the table:

HTTPS means tough-as-nails encryption

Encryption is at the heart of an HTTPS connection, keeping information between your website and a browser private. Here’s how an HTTPS connection works:

1. A visitor’s browser sends a request to connect to the web server using HTTPS
2. The web server responds by sending its SSL/TLS certificate to the browser. This SSL/TLS certificate contains a public key that is used for encryption
3. The browser verifies the certificate’s authenticity and uses the public key to encrypt a random symmetric encryption key
4. The encrypted symmetric encryption key is sent back to the web server
5. The web server uses its private key to decrypt the symmetric encryption key
6. The web server and client now share the same symmetric encryption key, which is used to encrypt all data exchanged during the secure session

In this way, SSL makes it almost impossible for anyone to intercept and spy on traffic between a website and a browser since they’ll need a key to decrypt information.

More trust from visitors

According to a GlobalSign report mentioned in this Web tribunal article, 85% of online consumers say they refuse to do business with unsecured websites. This makes sense given the rise of credit card fraud and the various ways criminals are trying to get their hands on your hard-earned cash.

It is for this reason that many financial institutions recommend that businesses that receive payments online ensure PCI DSS (Payment Card Industry Security Standards Council) compliance. Although PCI compliance refers to a set of standards that encapsulate a much wider range of security measures, SSL is nevertheless a key requirement. In fact, PCI DSS states that merchants cannot ask for cardholder data on non-HTTPS pages. It is also recommended to use a more recent SSL/TLS version such as 1.2.

Better Google rank

Back in 2014, Google announced that it will be using HTTPS as a ranking signal. You can read that post here. While HTTPS was initially only a lightweight ranking factor, Google has since then placed more emphasis on it because, according to Google, “we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.“ 

If you’re using Google Chrome, you’ll likely also see a “Not secure” message in the address bar for sites that are not HTTPS-enabled. Other browsers may simply refuse to open sites that aren’t HTTPS-enabled.

Types of SSL certificates

It’s important to understand that SSL and HTTPS are often interchangeable. After all, you can’t have a secure connection without an SSL certificate. Not all SSL certificates are created equal, however, and while there may be disparities between different providers, what’s most important to know is that there are three main types of SSL certificates: Domain Validated (DV), Organisation Validated (OV), and Extended Validation (EV). The main difference between each of these is the level of verification or ‘validation’ that occurs before the SSL certificate is granted, Let’s take a closer look:

Domain Validated SSL

DV SSL certificates are the easiest to obtain since they hardly require any type of validation. The certificate authority (CA) simply checks that the person requesting the certificate has control over the domain name.

DV SSL certificates are the most affordable, if not entirely free. They are best suited for small businesses and personal websites.

Organisation Validated SSL

OV SSL certificates require more extensive validation. The CA will typically verify company information, including physical address(es) phone number(s), and so on. These certificates are more expensive but provide more security and trust, and may also display the vetted company information and the organisation’s name.

OV SSL certificates are typically used by eCommerce websites and other sites that collect customer card or banking details.

Extended Validation (EV) SSL

These certificates are the most comprehensive and provide the highest level of trust and security. The certificate authority conducts a rigorous vetting process which includes verifying the legal and physical existence of the organisation. The browser displays a green address bar to indicate that the website has an EV SSL certificate, providing users with visual confirmation of the website’s legitimacy. EV SSL certificates are most commonly used by financial institutions and other high-security websites.

Should you enable HTTPS on your website?

If you’re reading between the lines you’ll agree that an SSL certificate, while optional, really isn’t that optional – it provides added security and engenders trust. And as said previously, many hosts include free SSL certificates with their hosting packages. The real question is whether your host’s free SSL matches the purpose of your site – do you perhaps need an OV SSL certificate or even an EV SSL certificate for the ultimate in protection and user trust?