Online Security

HTTP vs. HTTPS: What's the Difference and Why Should You Care?

The difference is that encrypted HTTPS is the basic price of security these days.
HTTP vs. HTTPS: What's the Difference and Why Should You Care?
Image credit: Shutterstock

You may have heard people urging you to switch your website to the HTTPS security encryption. They cite Google’s announcement that HTTPS is a ranking signal and that failure to switch could mean your ranking will take a hit.

Related: 5 Growing Cyber-Security Epicenters Around the World

And that would mean less traffic and less business.

But, can a product that costs around $100 per year really make that much of a difference? And if so, how straightforward is it to make the switch?

Let’s face it, until recently, HTTPS was really used only by ecommerce sites for their payment pages. Things can get confusing, and the question many business owners face is whether or not the hassle of switching to HTTPS is worth it.

So, let’s look at the arguments for and against. But first of all, what exactly is HTTPS?

What is HTTPS, and why do you need it?

HTTP stands for hypertext transfer protocol. It’s a protocol that allows communication between different systems. Most commonly, it is used for transferring data from a web server to a browser to view web pages.

The problem is that HTTP (note: no "s" on the end) data is not encrypted, and it can be intercepted by third parties to gather data being passed between the two systems.

This can be addressed by using a secure version called HTTPS, where the "S" stands for secure.

This involves the use of an SSL certificate -- "SSL" stands for secure sockets layer -- which creates a secure encrypted connection between the web server and the web browser.

Without HTTPS, any data passed is insecure. This is especially important for sites where sensitive data is passed across the connection, such as ecommerce sites that accept online card payments, or login areas that require users to enter their credentials.

What’s the process for switching to HTTPS?

If you are familiar with the backend of a website, then switching to HTTPS is fairly straightforward in practice. The basic steps are as follows.

  1. Purchase an SSL certificate and a dedicated IP address from your hosting company.
  2. Install and configure the SSL certificate.
  3. Perform a full back-up of your site in case you need to revert back.
  4. Configure any hard internal links within your website, from HTTP to HTTPS.
  5. Update any code libraries, such as JavaScript, Ajax and any third-party plugins.
  6. Redirect any external links you control to HTTPS, such as directory listings.
  7. Update htaccess applications, such as Apache Web Server, LiteSpeedNGinx Config and your internet services manager function (such as Windows Web Server), to redirect HTTP traffic to HTTPS.
  8. If you are using a content delivery network (CDN), update your CDN's SSL settings.
  9. Implement 301 redirects on a page-by-page basis.
  10. Update any links you use in marketing automation tools, such as email links.
  11. Update any landing pages and paid search links.
  12. Set up an HTTPS site in Google Search Console and Google Analytics.

In terms of the setup of the SSL certificate -- points one and two above -- this is fairly straightforward, and your hosting company will be able to assist you.

Also bear in mind that for a small website this will be fairly straightforward, as some of the above points won’t apply in scenarios such as code libraries and CDNs. However, for a larger site, this is hardly a non-trivial event and should be managed by an experienced webmaster.

Up until this point, the only decision you’ll make is whether you want to use an SSL that has a green "secure" browser bar. These types of SSL usually require some form of identity verification before they're issued. This is one of the reasons they tend to cost more. Besides that difference, SSL certificates work under the same principle.

If you are not technically adept, you will probably need assistance with the above steps.

It’s worth pointing out that, for a small site, say less than 50 pages, this process won’t take too long. However, for larger sites, the full update of links and page redirects should be performed by an experienced developer.

The case for switching to HTTPS

Simply put, the strongest case for switching to HTTPS is that you are making your website more secure.

Sure, there are limits to this. HTTPS is not like a web application firewall. It’s not going to prevent your website from getting hacked. It’s not going to stop phishing emails getting sent, either.

If you’re using a content management system (CMS), like WordPress, or you have any other login where you host any kind of sensitive data, then setting up a secure HTTPS login is the absolute minimum precaution you should take.

In reality, HTTPS is the basic price of security these days. It’s the very minimum you can offer your visitors.

Aside from security, HTTPS also improves trust.

Related: 6 Reasons Smart Small Business Owners Invest In Security

According to research performed by GlobalSign, more than 80 percent of respondents would abandon a purchase if there was no HTTPS in use.

That’s fine for ecommerce merchants, but does HTTPS improve conversion and trust for businesses which don’t take online payments? There is evidence that the use of security seals can improve lead generation by over 40 percent.

Not only do your visitors pay attention to your site's security, but so does Google. Security is at the heart of what Google does these days. That’s why the company has listed HTTPS as a ranking factor.

So the biggest reason to switch to HTTPS is to future-proof your website. Sooner or later, you’re just going to have to bite the bullet, and make the switch.

The case against switching to HTTPS.

Recent research has shown that for smaller B2B websites, the uptake of HTTPS is low.

Reasons include a lack of awareness of the growing importance of SSL or the perceived complexity of switching to HTTPS, and in particular, the potential negative SEO impact.

And SEO is one of the most important considerations, especially for websites that have a good ranking. As the saying goes, "If it ain’t broke, don’t fix it."

It's easy to empathize with this point. In fact, research that we conducted on more than 540 UK B2B businesses showed that the uptake of switching to HTTPS was in the 2 to 3 percent range. There was not a strong correlation between using SSL and getting a higher ranking, though. 

Other factors, such as on page optimization, number of Google reviews, total number of pages and the number of backlinks, had far more bearing on a high ranking than switching to HTTPS.

In short, we concluded that HTTPS as a ranking factor is of low importance right now.

My personal view is that if your website is not seeing any significant impact from not using HTTPS, then you will not experience any significant negatives if you do not switch now or in the immediate future.

However, this comes with an extreme health warning. Failure to make the switch could leave you open to a sudden algorithm change. A worst-case scenario would be to see your rankings disintegrate overnight.

Google's notice of mobile friendliness gives some reassurance that this wouldn't happen overnight.

A contingency would be to engage with a skilled developer to plan everything and document it so that you can move quickly in the event that Google were to start to give significantly more weight to HTTPS signals with short notice.

This is an especially good idea for larger sites. As mentioned above, the SEO changes required, such as updating internal links, are not trivial matters, and in the case of updating htaccess, these should not be performed by a non-technical person. If they were to be performed in a rush, or by a less skilled developer, you could experience a hit to your rankings.

Also bear in mind that in the unlikely event that there were to be an overnight algorithm update which penalized non-HTTPS sites, skilled developers would be in demand and would have the whip hand in terms of dictating the costs. Planning to switch now would be a prudent move regardless of whether you implement the change immediately or later.

But it's worth reiterating that failure to switch is just postponing the inevitable.

HTTPS offers the base level of website security. Whether or not you should switch to HTTPS is a decision increasingly being driven by Google’s search algorithm.

Switching to HTTPS is fairly straightforward for smaller websites. For larger websites, it’s more complicated, from an SEO perspective and requires skilled technical staff to make the changes.

Related: Here's How to Build a Strong Security Team to Keep Your Company Safe and Sound

However, the direction of travel is clear. Using HTTPS will increasingly be the norm rather than the exception, and you should plan to migrate sooner rather than later.