Reasons Why Websites Are Moving To SSL - The Complete Website Security Guide

16 Oct 2018 / Freeparking Team

A growing number of webmasters are upgrading from HTTP to HTTPS because of security reasons. In case you are wondering what the additional ‘S’ is for and why more security-conscious websites are choosing HTTPS, there are a plethora of reasons ranging from increased conversions to better search engine optimisation (SEO) rankings. In the world of e-commerce, any business looking to not just survive but thrive must move to HTTPS without delay.

SSL explained

SSL is an acronym for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remains private.

What this means is that this technology protects your website’s users from interception or man-in-the-middle attacks, where someone steals the information being sent to a website, such as passwords, bank transactions, credit card information or logins. With SSL, the internet connection is secure and all data sent between parties is safeguarded, preventing criminals from reading and modifying any information transferred.

How SSL works

A fraudster or a hacker can intercept and steal the personal information of web users in a split second if the website is not protected with SSL. However, if your website has SSL certification, your web server will be able to establish an encrypted link between the website and your customer’s web browser. The following steps summarise how SSL works:

• When a browser attempts to connect to a website secured with SSL, it requests that the website identify itself.

• The website sends the browser a copy of its SSL certificate.

• The browser checks to see if it trusts the SSL certificate. If it does, it sends a message to the website.

• The website sends back a digitally signed acknowledgement to start an SSL encrypted session.

• Encrypted data is then shared between the browser and the website.

The intricacies of SSL protocol are invisible to your customers. They, however, know they are protected by an SSL encrypted session by the padlock icon visible on the corner of their browser.

The differences between HTTP vs. HTTPS

You may know that HTTP stands for Hypertext Transfer Protocol. The additional S in HTTPS stands for Secure, making it Hypertext Transfer Protocol Secure. Both are essentially the same in the sense that they both refer to the same hypertext transfer protocol that enables requested web data to be presented on the screen. However, the demand for data privacy and a more sophisticated internet security system gave birth to HTTPS.

1. The major difference between HTTP and HTTPS is that HTTP has no data encryption implemented whereas HTTPS does, therefore making HTTPS more secure. HTTP traffic can be intercepted and potentially modified, making both the information and the information receiver vulnerable to attacks. On the other hand, HTTPS is a secure extension of HTTP powered by TLS or SSL. With HTTP, sensitive data entered into sites is sent as plaintext and is therefore susceptible to interception.

2. HTTPS requires certificates to verify website identity while HTTP does not require certificates.

3. HTTP is mostly used on educational sites and open discussion forums where secure access is not required because no sensitive information is exchanged, while HTTPS is mostly used on bank websites, login pages, payment gateways and corporate sector websites.

Types of SSL certificates

There are three types of SSL certificates and they offer three different levels of user trust. They are:

• Domain Validated Certificates (DV)

• Organisation Validated Certificates (OV)

• Extended Validation Certificates (EV)

Domain Validated Certificates (DV)

Domain validated certificates are certificates that are checked against a domain registry. This means that the certificates validate domain ownership only and not the person or entity behind the business. A website secured with a DV certificate offers only a locked padlock in the address bar but does not show the details of the organisation. DV certificates can be acquired anonymously; many websites using DV certificates are linked to fraudulent activities.

Organisation Validated Certificates (OV)

Besides domain ownership, the organisation is validated by real agents and during the validation, documents are exchanged and personnel are contacted to prove the right of use. The certificate details can be viewed on most major web browsers which give users information regarding the authenticity of the site they are on. Because of this, OV certificates are trusted and regarded as the standard type of certificate required on a commercial website.

Extended Validation Certificates (EV)

This is the highest level of trust and security. They come with the most comprehensive verification checking, such as crosschecks that tie the entity to a physical location, domain verification and documented confirmation. EV certificates are defined by Guidelines for Extended Validation and leave a paper trail which the user can fall back on in cases of fraud. In addition to the locked padlock, sites with EV certificates have a Green Bar and their organisation name and country ID can be seen in the web address bar.

How to choose the right Certificate Authority

Each Certificate Authority has different products, levels of customer satisfaction, prices and features. Your first instinct may be to go with the cheapest CA or the most popular brand; however, that is not all there is to choosing the best security partner for your website. Beyond the big names and the low prices, here are the important things to look out for before choosing the right CA.

Industry standards and verification practices

CAs are audited annually to ensure they meet certain baseline requirements and are graded on their ability to do so. Find out if the CA you are considering meets or exceeds industry standards established by ETSI or the WebTrust Programme for Certification Authorities.

Make sure that the verification practices of the CA are firm and have not been breached. Find a CA that does verification the right way so as to ensure no fraudulent entity gets a hold of their certificates.

Dependable customer service

At some point, you are going to need help with the installation, deployment or management of your certificate. If your server goes down or if there is some sort of technical glitch with your SSL/TLS security, you will want to have access to immediate support. That is why it is important that your CA be accessible around the clock and ever ready to help. Look for a CA that offers 24/7 support hours and has a short validation period as opposed to what is obtainable out there.

Good reputation and reviews

One of the crucial qualities in selecting a CA is an excellent reputation. You want a company that is tested and trusted. Go through their reviews and ask fellow webmasters which companies they use and how good their services are. If their customers speak highly of them, then they must be doing something right. Sites like SSLshopper help you check out the CAs that have a high reputation.

List of reputable SSL providers to consider

If you are wondering which SSL provider to go for seeing as they all basically do the same thing – which is to secure and encrypt the data of your web users, here are some of the reliable SSL providers to consider:

• Comodo

• DigiCert

• Entrust

• Positive SSL

• GlobalSign

• RapidSSLonline

• GoDaddy

• Geotrust

• Thawte

• SSL.com

• Namecheap

Manage SSL certificates

Managed SSL is a SaaS solution that reduces the effort, time and cost associated with managing SSL certificates. The platform was designed around enterprise-specific security requirements and gives access to all types of SSL Certificates. It supports the enterprise's need to host Extended Validation (EV) SSL for public websites and other types of SSL for non-public and internal servers.

Managed PKI (Public Key Infrastructure) offers the benefit of faster certificate issuance, automatic certificate deployment, lower cost of SSL and many more. Most SSL providers offer centralised certificate management for multiple users.

How to know if SSL is needed

SSL is becoming a must-have for every site but some sites need it more urgently than others. If your website provides general information about your products and does not require clients to log in, or if it is just a public forum for discussion or education, you likely do not need an SSL certificate.

However, if your website falls under these categories, then chances are that you do:

Forms

If your site has forms that ask for sensitive or personal information, such as social security numbers or addresses, you should have an SSL certificate. The data may be transmitted without being encrypted and can be intercepted in its clear form by malevolent people.

Also, a large percentage of your visitors will not follow through if they find out their data is not secure and you would be missing out on leads.

E-commerce sites

Research found that 13% of all cart abandonment is due to payment security concerns. Therefore, if you run a site where customers put in their credit card information and then forward it to a payment processor like PayPal, you need an SSL certificate. When customers go to a page on your site to fill out their financial details, their credit card information is stored on your site as you send it to the payment processor, and you need to encrypt it before you send it, so you need an SSL certificate.

Login pages

If your site allows or requires users to log in with a username or password, then you should use an SSL certificate on the login page. Without it, their passwords are transmitted in plain text and could be intercepted by the most amateur hackers anywhere along the path from the computer to where your website is located.

Visual implications of SSL

Even though the encryption process remains imperceptible to the naked eye, there are visual cues that help clients understand that security is implemented in sites that have SSL certificates. They include:

1. Padlock icon: At the corner of the browser, in the address bar, there is a padlock icon that lets visitors know their transactions are secure. When visitors see it, they understand their communication is private and protected and they can see the CA, the physical address of the website, and the company’s name if they click on the padlock.

2. Seal: CAs offer Site Seal along with the certificate and the seal is a visual indicator that all transactions are protected. The Site Seal is displayed by companies as a sign of trustworthiness and security.

3. HTTPS: Protected sites have HTTPS instead of HTTP displayed in the address bar of the browser. Also, sites that use extended validation certificates (EV) have the address bar of the browser turn green to indicate they are protected by the highest level of internet security.

Trust and your business

Trust is the bedrock of a successful online business. Visitors will only do business with a website or a brand they trust. The reason why big name brands, such as eBay and Amazon, have more customers than other online retail businesses is that they have cultivated the trust of their clients and have grown a loyal clientele base, so much so that their customers would rather wait for them to restock a finished item than patronise another business.

Demonstrating trust and security is a prerequisite for a successful online business, especially as customers have fears about the security of their data. This does not only apply to small businesses but also huge retailers. Target, for example, once got hacked and it resulted in a security breach of over 40 million customers.

One important way you can allay their fears and build their trust is by securing your website using SSL. Displaying your SSL certificate badge would go a long way to assure them that your business is legitimate.

Tests done by conversion rate optimisation (CRO) professionals have shown that placing the SSL badge somewhere visible on an e-commerce website increases sales. It is a great way of telling your visitors, “I am authentic and I care about your security”.

Why websites are moving to HTTPS

A lot of old websites are moving to HTTPS in droves and the new ones are automatically set up with HTTPS. It is not just because they have the interest of their customers at heart, but also because there are a lot of benefits for sites that move to HTTPS. They are:

Google now demands it

It is no secret that the number one search engine, Google, favours HTTPS. Google announced that Chrome will mark all HTTP sites as non-secure and this was implemented in June 2018. Imagine the negative influence this could have on your marketing and brand. Google also announced the newer features it is rolling out for websites will only be available for servers and browsers using the HTTP/2 protocol. With all of this, it is less of a choice and more of a demand to switch to HTTPS.

Web users are more tech-savvy than before

Web users are smarter and understand the intricacies of tech and information technology better than before. With the advent of smart mobile phones and notepads, more enlightened web users are aware of the dangers attached to non-secure sites, so switching to a more secure option is in your best interest.

Protects the integrity of a website

SSL provides data integrity and server authentication to give you and your customers peace of mind. Website integrity involves ensuring that messages or documents have not been modified. If your website is not secure, during a restricted transaction like online banking, a hacker could change the recipient’s account to theirs before the banking server receives the request. SSL uses MAC (Message Authentication Code) to verify that data has not been tampered with during transit.

Protects the privacy and security of users

When a user’s browser connects to a website server, sensitive information, such as usernames, passwords, account information and payment methods, is kept confidential; even if there is an intruder spying on the network traffic, they would not be able to decipher the information.

Other advantages of SSL certificates

Other advantages of using SSL certificates are:

SSL certificates help to ensure website security

The major reason Google favours HTTPS is because of the protection it offers to not just web users but websites as well. That way, you do not have to worry about waking to the news that your company has suffered a data breach.

It enhances the search engine ranking for your website

Apart from securing information between the visitor and your website, SSL boosts your SEO ranking. Google publicly stated that SSL is now part of its search ranking algorithm. This means that if two websites are equal in search results, the one with SSL would receive a boost to outrank the other. As a result, there is a clear SEO benefit to enabling SSL on your website.

Your customers will see you as a trustworthy brand

The SSL certificate promotes customer confidence in your website. Due to the influx of information about HTTPS and its security, most users particularly look for a website with a secure connection when web surfing; when they come upon the padlock symbol in their URL bar, they know your website is secure.

SSL certification improves the speed of the website

Enabling HTTP/2, which is only available to HTTPS-compliant websites, means you will have access to the best protocol for speeding up websites. The Content Delivery Network (CDN) included for SSL sites gives them the ability to load faster by storing files at multiple locations across the server so that the user receives the file from the nearest site.

The speed of a site directly affects the rate of conversion of its customers as most web users leave a web page within 10 to 20 seconds and have no patience for a slow site to load.

It helps encrypt sensitive information

SSL uses encryption algorithms to obscure data so that sensitive information appears to be a distorted jumble of characters to a cyber-criminal. Using end-to-end encryption means only the web server and the user’s computer can see what data gets transmitted. This is because encrypted information can only be read using a secret key or password that allows you to decode it, without which it is meaningless. It also ensures that the user is on the right server and the Internet transactions are secure.

You’ll avoid the “Not Secure” message

Google Chrome now flags websites which are not SSL-enabled, yet contain password and credit card input fields, giving the user an indication the website is not safe with the “Not Secure” warning. Web visitors are now familiar with this warning and a study showed that up to 85% of people will leave a site once they see that message. You may think this is restricted to Chrome users, but since Chrome has approximately 57% of the browser market share, it is enough to cause concern.

Even Mozilla Firefox now warns users to stay away from sites that are not secure. Imagine the traffic that non-SSL-enabled sites stand to lose.

The ultimate checklist for migrating from HTTP to HTTPS

When you switch from HTTP to HTTPS, Google treats the migration as a site move with a URL change, which, in essence, identifies the HTTPS URL as a new site. Because of this, preparation is required to alleviate any damaging outcomes. The checklist will help you navigate the migration and avoid mistakes that may decrease your site’s traffic.

Buy an SSL certificate

The first step is buying an SSL/TLS certificate and configuring it on your server. Before you do that, you have to determine the type of SSL certificate your website needs. Depending on your website, it could be a single certificate (for a single domain), a multi-domain certificate (for multiple well-known subdomains), or a wildcard certificate (for many dynamic subdomains).

Then select a trusted certificate provider who offers tech support, and choose the right level of security. Google recommends getting a certificate with a 2048-bit key, and upgrading if you already have a certificate with a 1024-bit key, so go for a standard level of security.

Acquire an SSL certificate installation

To install an SSL certificate, you have to follow these guidelines:

1. Generate a CSR (Certificate Signing Request): A CSR identifies which server will use your certificate, together with the domain names you will use for the SSL certificates. How you generate a CSR depends on the type of certificate you are requesting, and your control panel. In some cases, your CA generates the CSR for you.

In the process of generating a CSR request, a special file is created on your computer which is called the Private Key. It allows you to read encrypted messages sent to you from the visitor’s browser. It should be guarded carefully. If lost, installation would be impossible.

2. Request an SSL certificate: After buying an SSL certificate, you have to request it for the website’s domain name you want to use.

3. Verify your certificate request: After requesting your certificate, you have to validate all the information in your request by providing documents which correspond to the information you provided. The verification takes between 1 and 7 days.

4. After generating a CSR and requesting a certificate, you can download your SSL certificate files and install them on your server.

Do a full back-up

Before initiating your HTTPS migration, be sure to do a full backup. A lot of things could go wrong during the migration so it is important you back up your CSS and JavaScript files. You should have a current copy of all your site’s key files and a full export of your database. This can be done using automated tools such as Duplicator.

Ensure your backup includes:

• wp-config.php file

• robots.txt file

• .htaccess file

• The entire wp-content directory excluding other backups and cache folders

• Database

• Extra files for Google verification

Change your HTTP links to HTTPS

You have to replace every instance of an HTTP resource link pointing to your website or external domains with HTTPS. When an HTTPS website tries to load an HTTP resource, it can cause a mixed content issue. To avoid this, make sure that none of these types of website resources points to an HTTP endpoint:

• Internal JavaScript files and CSS files inside the HTML code

• iframes

• Internal images, videos or audios

• Web fonts

• Form actions

• Internal URLs used in CSS/JavaScript files
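
A scan for the resource types listed above, written here as an added example and not taken from the original article: it parses a page, collects every http:// reference that the browser would load or submit to, and ignores ordinary links. The sample page, the shop.example style host names and all function names are constructed for illustration; findings are tagged active (scripts, iframes, stylesheets, CSS references), passive (images and media) or form.

```python
import re
from html.parser import HTMLParser

ACTIVE, PASSIVE, FORM = "active", "passive", "form"

# tag -> (attributes that make the browser fetch or submit, category).
# Web fonts and CSS-internal URLs are caught through url() in stylesheets.
RESOURCE_ATTRS = {
    "script": (("src",), ACTIVE),
    "iframe": (("src",), ACTIVE),
    "link": (("href",), ACTIVE),
    "img": (("src", "srcset"), PASSIVE),
    "video": (("src", "poster"), PASSIVE),
    "audio": (("src",), PASSIVE),
    "source": (("src", "srcset"), PASSIVE),
    "form": (("action",), FORM),
}
# <link> only loads a subresource for these rel values (canonical does not).
LINK_RELS = {"stylesheet", "icon", "preload"}
CSS_URL = re.compile(r"(?:url\(\s*|@import\s+)['\"]?(http://[^\s'\")]+)", re.I)


def http_urls(attr, value):
    """Return the URLs in an attribute value that use the http:// scheme."""
    if attr == "srcset":  # "url 1x, url 2x": first token of each candidate
        candidates = [c.split()[0] for c in value.split(",") if c.strip()]
    else:
        candidates = [value.strip()]
    return [u for u in candidates if u.lower().startswith("http://")]


def scan_css(css, where="css", first_line=1):
    """Find http:// url(...) and @import references in a stylesheet."""
    return [{"where": where, "attr": "url()", "url": m.group(1), "kind": ACTIVE,
             "line": first_line + css.count("\n", 0, m.start())}
            for m in CSS_URL.finditer(css)]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        line = self.getpos()[0]
        self._in_style = self._in_style or tag == "style"
        if "style" in attrs:  # inline style="background:url(http://...)"
            self.findings += scan_css(attrs["style"], f"<{tag} style>", line)
        names, kind = RESOURCE_ATTRS.get(tag, ((), None))
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and not LINK_RELS & rels:
            return
        for name in names:
            for url in http_urls(name, attrs.get(name, "")):
                self.findings.append({"where": f"<{tag}>", "attr": name,
                                      "url": url, "kind": kind, "line": line})

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.findings += scan_css(data, "<style>", self.getpos()[0])


def scan_html(html):
    """Return one finding per http:// subresource or form target in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, imagined as served from https://shop.example/.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="http://shop.example/wp-content/themes/t/style.css">
<script src="https://cdn.example/jquery.js"></script>
<script src="http://shop.example/wp-includes/js/app.js"></script>
<style>@font-face { font-family: X;
  src: url("http://fonts.example/x.woff2"); }</style>
</head><body>
<img src="/logo.png" srcset="http://img.example/a.png 1x, https://img.example/b.png 2x">
<iframe src="//player.example/embed/1"></iframe>
<form action="http://shop.example/checkout" method="post"></form>
<a href="http://other.example/">ordinary link, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']:>2} {f['kind']:<7} {f['where']} {f['attr']}: {f['url']}")
```

Standalone .css files can be passed to scan_css() directly; the canonical link and the anchor in the sample are deliberately not reported because the browser does not load them as part of the page.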

Check code libraries

This step applies only to more complex sites that use additional software in the background. Check with your developer to be sure they update any software that generates HTTP pages and change them to HTTPS.

Update any internal links you control

Be sure to update all the links pointing to your site from your social media accounts. Also, all listings in authority directories have to be updated. Focus only on the ones you can control and do not stress over getting them all done at once.

Create a 301 redirect

A 301 redirect, as the name implies, redirects traffic from one web page to another permanently. Once the certificate is configured and tested, set server-side 301 redirects to the HTTPS version of your website in order to prevent users or search engine bots from landing on an HTTP page anymore. None of the HTTP pages should be available as it may lead to content issues and will send confusing signals to search engines.
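
One way to check the redirect after it is set up, as an added example that is not part of the original article: the function below follows the redirect chain from an http:// URL and reports a temporary redirect where a 301 is expected, a hop that lands on plain HTTP, or a page still answered over HTTP. The host names and the canned responses in SITES are constructed so the check runs offline; fetch_head() is the assumed live fetcher used when no replacement is passed in.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}  # 308 is the method-preserving permanent redirect


def fetch_head(url, timeout=10):
    """One HEAD request, redirects not followed. Returns (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit_redirect(url, fetch=fetch_head, max_hops=5):
    """Walk the redirect chain from url and list what the checklist warns about."""
    hops, problems, current = [], [], url
    for _ in range(max_hops):
        status, location = fetch(current)
        hops.append((current, status))
        if status not in REDIRECTS or not location:
            break
        if status not in PERMANENT:
            problems.append(f"{current}: temporary redirect ({status}), use 301")
        target = urljoin(current, location)  # Location may be relative
        if urlsplit(target).scheme != "https":
            problems.append(f"{current}: redirects to non-HTTPS URL {target}")
        current = target
    else:
        problems.append(f"{url}: still redirecting after {max_hops} hops")
    final_url, final_status = hops[-1]
    if final_status not in REDIRECTS and urlsplit(final_url).scheme != "https":
        problems.append(f"{final_url}: answered {final_status} over plain HTTP")
    return {"hops": hops, "problems": problems, "ok": not problems}


# Constructed responses standing in for four differently configured servers.
SITES = {
    "good": {"http://shop.example/cart": (301, "https://shop.example/cart"),
             "https://shop.example/cart": (200, None)},
    "temporary": {"http://shop.example/cart": (302, "https://shop.example/cart"),
                  "https://shop.example/cart": (200, None)},
    "no_redirect": {"http://shop.example/cart": (200, None)},
    "via_http": {"http://shop.example/cart": (301, "http://www.shop.example/cart"),
                 "http://www.shop.example/cart": (301, "https://www.shop.example/cart"),
                 "https://www.shop.example/cart": (200, None)},
}


def fake_fetch(site):
    """Fetcher that answers from the constructed SITES table instead of the network."""
    return lambda url: SITES[site][url]


if __name__ == "__main__":
    for name in SITES:
        result = audit_redirect("http://shop.example/cart", fetch=fake_fetch(name))
        print(name, "OK" if result["ok"] else result["problems"])
```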

(optional) Update CDN SSL

If you use a Content Delivery Network, there is a URL setting where you can update your website to an HTTPS version in order to synchronise your SSL with the system. Most websites do not use a CDN. For those that do, the migration for each CDN is different and has to be done in accordance with the instructions specified by the CDN provider.

Update any other tools and transactional emails

Prepare a list of the software programmes and tools your business uses, and find any mentions of web pages that refer to HTTP and update them to HTTPS. Also update all your transactional emails, such as invoices and password emails. Even though the 301 redirect will take care of them, it is more professional to present your users with the correct URL.

Update Google Analytics and Search Console

Update your Google Analytics account and your Search Console account. In Google Analytics, the “website’s URL” settings have to be changed to HTTPS while in Search Console, the new site with the HTTPS has to be added.

Biggest mistakes webmasters make when migrating a website from HTTP to HTTPS

Migrating from HTTP to HTTPS is a delicate process. Here is a list of the biggest mistakes webmasters make when migrating.

1. Using a self-signed certificate for commercial sites

2. Choosing an unverified CA

3. Making a mistake when creating a CSR request

4. Losing your Private Key

5. Forgetting to test the SSL certificate after installation

6. Installing the SSL certificate without heeding the specific instructions

7. Using a 302 instead of a 301 redirection

8. Not preparing for the verification process

9. Forgetting about the certificate renewal date

10. Not updating internal links

How to properly move WordPress from HTTP to HTTPS

To move your WordPress website from HTTP to HTTPS, you can either set it up manually or use plugins. To use plugins, you need to install and activate the Really Simple SSL plugin. When activated, the plugin will automatically detect your SSL certificate and set up the WordPress site to use HTTPS. To set it up manually, follow these steps:

1. Back up your website: Before making major changes to your site, back it up. This way, you can go back to the working version should something go wrong.

2. Implement your SSL certificate: In the administrative shell in your server, select the type of web server and operating system you are using or follow the instructions of your hosting provider to implement the switch.

3. Add HTTPS to the WordPress admin area: To do this, open wp-config.php in your WordPress root folder and add define('FORCE_SSL_ADMIN', true); somewhere before the line that says “That’s all, stop editing!”. After updating the site, test to see if it worked by accessing your site with HTTPS in the URL. If it did, you have a secure connection now.

4. Update your site address: After moving the WordPress backend to HTTPS, do the same for the rest of your site. Add HTTPS to the beginning of the WordPress and the site address then save. You may have to log in afterwards.

5. Change links in your content and templates: Update any link in your content and database that includes the old HTTP protocol. You can use the Search and Replace script plugin to do this. Also, change links to external resources and assets in your theme templates and function files with absolute HTTP links.

6. Implement 301 redirects in .htaccess: Set up a redirect that automatically sends visitors over to the secure version. This is done using .htaccess, which contains settings for using permalinks. To find it, make sure you allow your FTP programme’s Help File to display hidden files.

7. Test and go live: To test if everything works correctly, use SSL Test to verify there are no errors. Insert your domain name and click submit and it will give you an overall score on how well you implemented SSL on your site and if there are potential issues to fix. After that, crawl your site using a tool like SSL Check to find any leftover links that you forgot. If all is well, go live.

8. Update your site environment: The final step to complete the transfer to HTTPS is to update your site’s environment. This can be done by updating your sitemap, updating your CDN, making the switch in your analytics and adding the secure site to your webmaster tools.

Top website security myths

There are myths surrounding website security that are untrue, and, in some cases, ridiculous. However ludicrous they may sound, they are believed by more than a handful of people. Here are some of those myths.

1. Small business owners do not need SSL.

2. A firewall and an antivirus provide enough security.

3. If you don’t store customers’ credit card info, you do not need an SSL certificate.

4. Using fully patched desktops will eliminate any hacker-related worries.

5. File backups will protect the site from harm.

FAQs

When do you need to worry about SSL?

Now. If you have not moved from HTTP to HTTPS, you should. Apart from the security risks you are exposing your website to, there is also the added worry of browsers marking your site as not secure to your throng of visitors.

Not sure which SSL certificate to choose?

Your business, not necessarily your budget, should determine the type of SSL certificate you choose. The more sensitive information you handle, the higher the type of security you should consider getting.

What is an SSL certificate and how does it work?

An SSL certificate is the standard security technology for establishing an encrypted link between a web server and a browser. It works by encrypting the data to be transmitted between a website server and a browser so that it cannot be intercepted by malevolent people.

Why are SSL certificates critical?

They are critical because the sensitive information you send on the Internet can be diverted or intercepted if it is not encrypted with an SSL certificate.

What’s the difference between SSL and TLS?

Transport Layer Security (TLS) uses stronger encryption algorithms than SSL and has the ability to work on different ports.

What’s wrong with my certificate?

If you are experiencing a problem with your certificate, it could be that it was improperly installed or there is a problem with the certificate. Contact your CA.

My certificate is valid but why isn’t Google indexing my HTTPS URLs?

Google doesn’t crawl all the pages on the web and they don’t index all the pages they crawl. It is normal for all the pages on a site to not be indexed. However, you can ask Google to reconsider your site.

Do I need to change Google Analytics and Search Console after migrating to HTTPS?

Yes, you need to update the Google Analytics settings and the Search Console setting after migrating from HTTP to HTTPS.

How secure is my certificate?

Your SSL certificate is secure and provides your website and your users with confidentiality, integrity and authenticity.

 

For more information about Freeparking's SSLs, please visit: https://www.freeparking.co.nz/web-security/secure-server-certificates/

