‘Secure by default’ builds customer trust

I recently added a security certificate to the Webdancers site, which put me on a bit of a crusade to help make more sites ‘secure by default’.

I attended an excellent presentation last year at WordCamp Sacramento by internet security expert Zack Tollman, of Wired, Inc., on the benefits of converting websites to use SSL/TLS* encryption (watch the video and you can see the back of my head). This is the technology that displays the familiar little padlock icon in the browser (or URL bar), showing that the connection is secure. For years, this has been a requirement for any websites that collect sensitive information like credit card numbers. People know to look for that padlock.

Today, as concerns about internet security and information protection make headlines in the news, there are three powerful reasons that website encryption makes sense for all websites.

1. Improved customer confidence. Your customers are more likely to do business from an encrypted site for 3 reasons:

  • They can be assured that the data received from the site has not been compromised.
  • They know that any information that they send to the site is safe.
  • They can easily confirm who owns the site that they’re viewing.

2. Better search engine rankings. Google recognizes sites that are fully encrypted and considers it a positive signal for search engine ranking. For now, it’s a small additional advantage, but Google has put its considerable weight behind the concept of ‘secure by default.’

3. Faster connections to your site. Faster connection speeds are coming soon with the adoption of HTTP/2. Modern browsers will only use these faster connections on a secure site. Site loading time is another strong signal for Google rankings.

As you move around the Internet, take a look at how many sites are now ‘secure by default.’ The giants like Google, Facebook, Yahoo, LinkedIn and Microsoft are all using SSL/TLS. And as the public has become aware of the risk of intercepted communications, adoption is also growing among smaller sites. In the past, most small businesses addressed website security by trying to fly “under the radar”, counting on their small size to keep them safe. Today, the cost of implementing true encryption and authentication is extremely low and there’s no reason not to enjoy its benefits.

The safe and smart choice for your business and your customers.

There are three steps to adding SSL/TLS security:

1. Purchase an SSL/TLS Certificate. These are issued by a Certificate Authority, which verifies that the certificate purchaser is also the owner of the website. There is also a higher-level certificate which verifies the authenticity of the business itself. There are many resellers of certificates, including most hosting companies and domain registrars.

2. Configure the website to use the certificate. This includes installing the certificate on the web server and changing all site links from http:// to https://. Your web host can provide specific instructions and some will do the installation for you if you purchase the certificate from them. A website badge can also be added to remind visitors they are on a secure site.

3. Update all links to reflect the new security. The outside world, and especially Google, must be informed of the change. As far as Google is concerned, your site now has a new address. All links should be automatically redirected from their http:// versions to https://, using a permanent redirect. Use Google’s recommended practices for changing addresses to preserve all existing search engine rankings.
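One way to check step 3 after the switch, as an added example that is not part of the original post: the function walks a recorded redirect chain and reports temporary redirects, chains that never reach https://, and redirects that drop the page path. The `shop.example` URLs and the recorded responses are constructed sample data; in practice they would come from your own crawl of the old http:// addresses.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}        # permanent redirects, what step 3 calls for
TEMPORARY = {302, 303, 307}   # temporary: the old http:// address stays indexed
REDIRECTS = PERMANENT | TEMPORARY

# Constructed sample: URL -> (status code, Location header or None)
SAMPLE_RESPONSES = {
    "http://shop.example/products/mug": (301, "https://shop.example/products/mug"),
    "https://shop.example/products/mug": (200, None),
    "http://shop.example/about": (302, "https://shop.example/"),
    "https://shop.example/": (200, None),
    "http://shop.example/contact": (200, None),   # never redirected
}

def audit_redirect(start_url, responses):
    """Follow the recorded redirects from start_url and return a list of problems."""
    problems, url, seen = [], start_url, set()
    while url not in seen:
        seen.add(url)
        status, location = responses.get(url, (None, None))
        if status is None:
            problems.append(f"no response recorded for {url}")
        if status not in REDIRECTS or not location:
            break                                  # final page reached
        if status in TEMPORARY:
            problems.append(f"{url}: temporary redirect ({status}); use 301")
        url = urljoin(url, location)               # Location may be relative
    else:
        problems.append(f"redirect loop at {url}")
    start, final = urlsplit(start_url), urlsplit(url)
    if final.scheme != "https":
        problems.append(f"{start_url}: ends on {url}, which is not https")
    if final.path != start.path:
        # Sending every old page to the home page loses the deep link.
        problems.append(f"{start_url}: path changed to {final.path or '/'}")
    return problems

if __name__ == "__main__":
    for old in [u for u in SAMPLE_RESPONSES if u.startswith("http://")]:
        print(old, "->", audit_redirect(old, SAMPLE_RESPONSES) or "OK")
```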

Frequently Asked Questions

Does a secure site load more slowly?
Barely. Each server request takes a little more time when using SSL/TLS, about 1-2%. This used to be more noticeable on older computers and servers. Most site visitors will see no difference at all, aside from the trustworthy little padlock icon.

Why encrypt the entire site? Why not just the pages that collect sensitive information?

  • Encrypting only certain pages can be confusing to visitors, who may not understand why some pages are secure while others aren’t, and it may raise concerns about the overall security of your site.
  • A fully secure site makes it nearly impossible for bad actors to impersonate your site or shady advertisers to insert ads into your visitor’s connection while they’re visiting your site (a particular problem at hotel and public hotspots).
  • It’s technically easier to encrypt everything and it requires less ongoing administration.

Will anything stop working?
Some ad networks and content providers don’t provide their embedded content over a secure connection. This can result in “mixed content” messages that make your website look insecure. These may need to be addressed on a case-by-case basis.
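To find the embeds that trigger those “mixed content” messages before visitors do, a page can be scanned for subresources still loaded over http://. This is an added example, not code from the original post: the sample page and its hostnames are constructed, and only the tags listed in the two tables are checked. Ordinary `<a href="http://…">` links are not mixed content, because they are not fetched as part of the page.

```python
from html.parser import HTMLParser

# Tags whose URL is fetched as part of the page, and the attribute holding it.
# "active" content (scripts, frames, stylesheets) is blocked by browsers on an
# https page; "passive" content (images, media) draws a warning or an upgrade.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page served from https://shop.example/
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="https://shop.example/style.css">
  <link rel="canonical" href="http://shop.example/">
  <script src="http://ads.example/banner.js"></script>
</head><body>
  <a href="http://partner.example/">Our partner</a>
  <img src="http://cdn.example/logo.png" alt="logo">
  <img src="/images/mug.jpg" alt="mug">
  <iframe src="https://video.example/embed/1"></iframe>
</body></html>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                      # (kind, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Assumption: of all <link> types, only stylesheets are checked here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            if tag in table:
                url = (attrs.get(table[tag]) or "").strip()
                if url.lower().startswith("http://"):
                    self.findings.append((kind, tag, url))

def find_mixed_content(html):
    """Return every insecure subresource reference in an HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```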

Do I need SSL/TLS if all of my products are sold using PayPal “Buy Now” Buttons?
Technically, no, since the entire transaction takes place on PayPal’s servers. But do your customers recognize this? They will feel safer buying from a site on which the secure padlock icon is always visible.

Will my customers see the change?
The transition to a secure site is seamless from the customer’s viewpoint. What they will see is the reassuring little padlock on the browser bar. We can also add a certificate “badge” that displays verification information about the site when clicked. Plus, we strongly encourage our clients to announce the change, because it will impress their customers and strengthen their relationship.

What Next?

Show your customers that you care about their safety and security while preparing your site for the future. It will be a powerful marketing tool, and give you a valuable service to share with them once the change is completed.

Enjoy a prosperous and secure New Year.

*TLS (Transport Layer Security) has replaced SSL (Secure Sockets Layer); however, the two terms are used interchangeably.

“Internet2” image by Fabio Lanari – Internet1.jpg by Rock1997 modified. Licensed under GFDL via Commons.
