If you have an e-commerce website, you’ll be familiar with the need for your website to have an SSL certificate to make it secure. It’s absolutely mandatory when people are sharing their credit card details with you along with other sensitive information. (How do you know a website is secure? In the address bar you will see https://webadress.com as opposed to http://webadress.com).
But what about non-e-commerce websites? Should they be secure too?
The short answer is yes.
The main reason is that Google has stated it is important to them. Here’s what they had to say on the topic in August 2014:
Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google.
Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure …
… we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
At the end of 2015, Google moved to preferencing the https version of a site or page in its search results if one existed.
These are clear signals that they are moving towards preferencing sites that are secure (over sites that are not) in their search results.
But it’s not just Google you should care about
You should care about the cyber-safety of the people browsing your website too.
With every click of our mouse as we travel around the web, we are passing on information about ourselves. Sometimes it’s as ‘low-risk’ as entering our first name and email into a web form. Sometimes it’s a bit more personal (when we enter home addresses and phone numbers). When we visit an insecure site (one without the little padlock icon next to the address in the browser), none of the interactions between us and that website are encrypted. Hackers can effectively ‘eavesdrop’ on those interactions, and any sensitive information we share can be intercepted, sometimes even changed. This opens us up to ‘man in the middle’ attacks.
If you have a website and your website is insecure – it could be facilitating the above.
As you can imagine – this is undesirable, and makes the cost of installing an SSL certificate on your site (so that any data passing between you and the person viewing/using your site is encrypted) seem pretty minimal.
That’s great. We’ve recently moved all our sites to SSL secure and think you should too. Here are some tips from Google for making the switch:
- Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
- Use 2048-bit key certificates
- Use relative URLs for resources that reside on the same secure domain
- Use protocol relative URLs for all other domains
- Check out our Site move article for more guidelines on how to change your website’s address
- Don’t block your HTTPS site from crawling using robots.txt
- Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
If you have an SSL certificate already, you can ensure it is working correctly by using this Google-recommended checker.
If you’re keen to make the switch, there are a few things to keep in mind when doing so:
- Do you have absolute URLs (ones that start with http://) in your website code? (If yes, the page will display an SSL certificate error on your https pages.)
- Is your robots.txt set up to accept https URLs?
- If you have both https and http URLs on your site and the http is not redirecting to the https properly, this could result in social shares for a page or post being split between the two.
If you’re unsure about what the above means, or whether your site is affected, it’s worth paying your web host or a similar expert to install your SSL certificate for you and ensure it’s working the way it should be.