Reasons why you should convert your HTTP website into HTTPS
September 23, 2018
In an article I published on August 22, 2018, I explained the changes I made to convert my longtime HTTP website to the more secure HTTPS protocol - by activating a free SSL certificate (read the article). It took a lot of time to clean up old links that were preventing my site from showing a green lock in the address bar. This article will concentrate on the benefits of converting versus the potential losses of staying with just HTTP.
HTTP, introduced in 1991, is the original data transfer protocol employed by computer servers for transmitting web pages that have rich text, layout, multimedia content and images and rendering them in a visitor's web browser. HTTP is the foundation of the World Wide Web (a.k.a., WWW). Over the decades since 1991, the web has evolved in huge leaps, while the HTTP protocol itself has barely changed, from HTTP/1.0 in 1991 to the current HTTP/2.0, adopted in 2015.
While HTTP is great for displaying web page content and input forms, it lacks one important feature. It has no built-in encryption to scramble data that is being transferred between those pages and a viewer's computer browser, or vice versa. Rather, all data sent in either direction travels in plain text. This wasn't much of a problem in the days of dial-up modems, before wireless broadband became the norm. Short of obtaining a wiretap warrant, in order for a person to intercept a dial-up data exchange they had to plant spyware or a keylogger on the target computer. The keystrokes and contents of web pages, emails, or private chat programs were saved to hidden text files that they had to come and get later on. There was always a chance of getting caught when they retrieved the stolen data.
Nowadays, data thieves sit in adjacent apartments or houses, office cubicles, coffee shops, mall cafes and restaurants where they connect wirelessly to improperly secured broadband routers that provide Wi-Fi connections to their customers. The programs that capture the data are called "packet sniffers" and the electronic technique used to spy on and capture data flowing between a website and computer user is called a "Man In The Middle Attack" (a.k.a., MITM). Basically, the people conducting these attacks use a hacking program to find vulnerable wireless routers to connect to and make a copy of any data they are interested in capturing (just like a tape recording of an old time phone line wiretap).
In order to improve privacy and data security, an extension of HTTP was developed by Netscape in 1994 and called HTTPS. HTTPS means Hyper Text Transfer Protocol Secure. Basically, it is the secure version of HTTP where communications between the browser and website are encrypted by Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL). According to the Wikipedia page about HTTPS, "The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication."
Who cares about this?
As a web user these facts are important for your security as you browse and enter details into web forms. Whether it is your name, email address and phone number, or your credit card numbers and security codes, you want to make sure that the web page you are on is using the HTTPS protocol to encrypt your input as it is transmitted and when it is stored on their web server. Remember, anything typed, or copied and pasted into any input field on an HTTP-only web page is sent to the server in plain text. In the event that somebody is spying on your online activities, they could intercept, read and alter any data sent to or from your computer. You should check the Address/URL bar to make sure you see a green lock icon to the left of the URL, which should begin with "HTTPS," before typing any personal contact or payment details into any form fields. If the page is not secure, you are taking a chance that your information could be compromised.
As a website owner, or webmaster, you should have the best interests of your visitors in mind. You don't want them to be at risk as they enter details into forms you provide, do you? In case you aren't already aware, current versions of Google Chrome and Mozilla Firefox browsers not only mark HTTP web pages as not secure, they also interfere if you try to enter or paste anything into an input field on those pages. By blocking users from entering data into your online forms they are hurting any potential business those people might bring to you. I know that a lot of websites I visit have a sign-up form to add new visitors to their email lists. Many users will be put off and will exit your site if they use Chrome or Firefox and are blocked from using your form fields.
In the recent past, before July 2018, most web domain owners had to pay a monthly fee (and get technical assistance) to have an HTTPS security certificate installed. They had to move from shared hosting to dedicated or semi-dedicated hosting packages that cost much more per month. Of course most commercial businesses did just that and wrote off the added costs as a business expense. But the same wasn't true for your average hobby website owner, or blogger, or artist, or a band, or a musician promoting their expertise. Since late July 2018, however, most web hosting companies worth their salt are offering free Let's Encrypt SSL/TLS Certificates and allowing their shared hosting customers to have HTTPS websites at no additional charge. Ask your web hosting company if they are now offering the free Let's Encrypt SSL Certificate. If they are and you are unsure how to activate it, ask them how. If they don't and have no plans to offer it, consider changing to a web host who does provide a free SSL Certificate.
Note for website owners running affiliate programs
If you run into problems getting a green secure site lock because of old affiliate link code and/or imported HTTP images, read my article explaining how I fixed old HTTP links to get green locks on my vast number of website and blog pages. In the event that your affiliate program is still showing the same old HTTP protocol for their links, try changing them to "https://" and see if they still work. I did this with my Commission Junction affiliate links and their 1x1 pixel tracking images and they all work fine under https. Note that when it comes to large blogs, you'll need to use your blog's search engine to search for (and replace or remove) old embedded http images and multimedia links that deny you a green lock.
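The search for old embedded HTTP references can be automated. The following is an added example, not code from the original article: a small Python scanner that lists hard-coded `http://` references in a page's HTML and separates embedded resources (which cost the lock) from ordinary links (which do not). The sample page, its hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs whose URL the browser fetches or follows.
# Browsers block "active" mixed content; "passive" content has traditionally
# loaded but removes the padlock; "link-only" anchors do not affect it.
KIND = {("script", "src"): "active", ("iframe", "src"): "active",
        ("link", "href"): "active", ("object", "data"): "active",
        ("img", "src"): "passive", ("audio", "src"): "passive",
        ("video", "src"): "passive", ("source", "src"): "passive",
        ("a", "href"): "link-only"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        for attr, url in a.items():
            kind = KIND.get((tag, attr))
            if kind is None or not url.lower().startswith("http://"):
                continue
            # Count <link> only when it is a stylesheet; rel="canonical"
            # is never fetched as part of the page.
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                continue
            self.findings.append((kind, tag, url, self.getpos()[0]))

def scan(html):
    """Return every hard-coded http:// reference found in an HTML string."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

def suggest_https(url):
    """Candidate replacement; confirm the https:// URL loads before saving."""
    return "https://" + url[len("http://"):]

# Constructed sample page; hostnames are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/page">
</head><body>
<a href="http://affiliate.example.net/click?id=1">
<img src="http://affiliate.example.net/pixel.gif" width="1" height="1"></a>
<script src="//cdn.example.com/app.js"></script></body></html>"""
if __name__ == "__main__":
    for kind, tag, url, line in scan(SAMPLE):
        print(f"line {line}: {kind:9} <{tag}> {url} -> {suggest_https(url)}")
```

On the sample, the stylesheet and the 1x1 tracking image are reported as the references that block the lock, while the protocol-relative script and the canonical link are correctly ignored.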
Recap
By converting your websites to HTTPS you will avoid losing contacts from potential or returning customers due to form fields being blocked by new secure browsers. Your visitors will have any contact details they share with you encrypted, protecting them against MITM attacks. Last, your rankings in search results won't get pushed further down (penalized) because your site is not identified as secure.
Finally, if you need help converting your website to HTTPS, beyond what your web host can offer, contact me via my Webmaster Services form. I am a freelance Webmaster.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.