Xumulus Blog

Website security in the age of “HTTPS Everywhere”

The data exchanged between your browser and a website can be read by a third party such as your internet service provider or an attacker on the network path. Hypertext Transfer Protocol Secure, or HTTPS, encrypts this data in transit using Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL); the site's SSL/TLS certificate is what lets the browser verify it is talking to the genuine site.

As an internet user, you probably know to look for the small padlock icon next to a URL to determine if a page is secure. As an online business owner, there are a few things you should know about HTTPS.

Google has been pushing for the use of this safer protocol for years. HTTPS became one of the many ranking signals used by the search giant in August 2014. Google launched the “HTTPS Everywhere” initiative to make the web a safer place. The impact of using HTTPS is relatively small on search rankings, but Chrome flags pages as not secure if this protocol is not present on a page that asks for credit card and other personal information. It is possible that steeper penalties will be imposed in the future.

Google is gradually implementing measures that foster HTTPS adoption. Chrome 50, released in 2016, no longer supports the Geolocation API for web apps that are not served over HTTPS. This makes sense, since a user's location sent over plain HTTP could be visible to an attacker.

This measure will likely be extended to more APIs, including device motion and orientation, and media APIs such as Encrypted Media Extensions and getUserMedia. It would also make sense to limit access to notifications and AppCache to protect users' privacy. If you currently use HTTP for your website, you may lose access to these APIs as new versions of web browsers are released.

And using a mixture of HTTP and HTTPS pages for your website will not be sufficient. Internet users are aware of safety and privacy issues and know they should look for the padlock that indicates their connection is encrypted.

Speed might be one of the reasons why you use a mixture of HTTP and HTTPS. The truth is that users won't notice much of a difference. Virtual hosting can be an obstacle to implementing HTTPS, but it is still possible to make your site safer with a TLS certificate. This is not a perfect solution, but there should be improvements in the near future for virtually hosted websites.

Using HTTPS everywhere on your site is beneficial for SEO ranking, since this is one of the signals that Google tracks. Besides, using a mix of HTTP and HTTPS can lead to skewed analytics, because referrer data (the information about where traffic came from) is dropped when a user navigates from an HTTPS page to an HTTP page.

Most of Google’s APIs are currently designed to work only with HTTPS and more developers will adopt this model. Anything less than a complete transition to HTTPS could limit your access to some APIs in the near future.

Magento store owners should check their current backend configuration to make sure they are not using HTTP for some pages and HTTPS for checkout. You can switch to HTTPS by checking “yes” for the ‘Use Secure URLs in Frontend’ option in your store configuration. There is a detailed tutorial here.

Google looks at switching to HTTPS as a site move with a URL change. You will have to update your webmaster tools with the new secure URL for your store.

Switching to HTTPS also requires a few adjustments. You will need to make sure your robots.txt allows Google to crawl the HTTPS version of your site, register an SSL certificate for your domain, and make sure you are not using the noindex meta tag so your site can appear in search results. You can also avoid losing traffic by using 301 redirects from your old unsecured URLs to their HTTPS equivalents.
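As an added example (not from the original post or from Xumulus), here is a small Python checker for the migration points above: the 301 redirect from the old HTTP URL, the noindex meta tag, robots.txt access for Googlebot, and sub-resources on an HTTPS page still loaded over plain HTTP. It runs offline against constructed sample responses; the host shop.example and the file names in them are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

def redirect_ok(status, headers, requested_http_url):
    """A permanent (301) redirect to the same path on https:// keeps old links working."""
    expected = urlsplit(requested_http_url)._replace(scheme="https").geturl()
    return status == 301 and headers.get("Location") == expected

class _PageScanner(HTMLParser):
    """Flags a robots noindex meta tag and sub-resources still loaded over http://."""
    RESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.noindex, self.insecure = False, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots" \
                and "noindex" in a.get("content", "").lower():
            self.noindex = True
        url = a.get(self.RESOURCE_ATTR.get(tag, ""), "")
        if url.lower().startswith("http://"):  # <a href> links are navigation, not mixed content
            self.insecure.append(url)

def crawlable(robots_txt, url, agent="Googlebot"):
    rp = RobotFileParser()  # parses the robots.txt text offline, nothing is fetched
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)

def audit(http_status, http_headers, page_url, html, robots_txt):
    """Return a list of findings; an empty list means the migration checklist passes."""
    findings = []
    if not redirect_ok(http_status, http_headers, page_url.replace("https://", "http://", 1)):
        findings.append("http:// URL does not 301 to its https:// counterpart")
    scanner = _PageScanner()
    scanner.feed(html)
    if scanner.noindex:
        findings.append("noindex meta tag present: page will not appear in search results")
    findings += [f"mixed content: {u} loaded over plain HTTP" for u in scanner.insecure]
    if not crawlable(robots_txt, page_url):
        findings.append("robots.txt blocks Googlebot from the HTTPS page")
    return findings

# Constructed sample responses standing in for a real store (not taken from the post).
SAMPLE = dict(
    http_status=301, http_headers={"Location": "https://shop.example/checkout"},
    page_url="https://shop.example/checkout", robots_txt="User-agent: *\nDisallow: /admin/\n",
    html='<meta name="robots" content="noindex,follow"><link rel="stylesheet" href="http://cdn.example/style.css">'
         '<a href="http://shop.example/help">help</a><img src="https://shop.example/logo.png">',
)
```

Running `audit(**SAMPLE)` on the sample reports the noindex tag and the stylesheet fetched over plain HTTP, while the redirect and robots.txt checks pass.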

Switching to HTTPS will probably negatively impact traffic and ranking in the short term since it is considered a site move with a URL change by Google. However, using HTTPS will positively impact your ranking in the long term, prepare you for a next generation of API that demands this safer protocol, and offer a better experience for shoppers.

For another great article on this, check out this one.
