A complete guide to running your website securely on https


Google is about to get hard on website owners who don’t take their security seriously. For a long time, most websites have been running on the non-secure HTTP protocol. But increased security breaches and privacy concerns among users are forcing browser vendors to get hard on security.

Beginning with Google Chrome version 68, HTTP sites will be marked as “Not Secure”, according to the Chrome blog. This alert will be visible to online users and consequently to website owners. Google hopes that this will motivate more webmasters to switch their existing websites to the more secure HTTPS protocol, thus improving the web as a whole.


Why switch to HTTPS

Better security and privacy: HTTPS ensures a secure communication channel between the user’s browser and the server that’s hosting a specific website. This is done through TLS encryption, which scrambles all data you send to and receive from the server.

Sensitive information such as usernames, passwords and credit/debit card details has been a treasure trove for malicious hackers, who intercept this information when it is entered on non-secure sites. They can even inject malware into your computer without your knowledge. And it’s not just the bad guys who can exploit you. Even legitimate organizations such as your Internet Service Provider (ISP) or hotels can use this non-secure communication channel to spy on your browsing habits or inject ads you don’t want to see.

However, HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers.

Improved search rankings: Website owners who switch to HTTPS will be pleased to learn that Google is now using secure HTTPS websites as a ranking signal. This is critical for a lot of websites, since search is still one of the major traffic sources, complementing direct visits and social media.

Fast load speeds: With your web server configured to serve websites over HTTPS, you can benefit from the second generation of the HTTP protocol, called HTTP/2, which according to Akamai is two times faster than its predecessor HTTP/1.1. Currently all major browsers support HTTP/2, so you won’t run into compatibility issues.

How to Move your website to HTTPS

For your website to run on HTTPS, you must obtain and install an SSL (Secure Sockets Layer) certificate. SSL is a security technology for establishing a secure link between users’ web browsers or apps and the server hosting the website or app. An SSL certificate verifies the identity of a website and encrypts information sent between the browser and the server using SSL technology. This prevents malicious hackers from intercepting communication between you and the website by pretending to be the website you are visiting.

The SSL certificate is issued by a Certificate Authority, or CA, which is a third-party company that verifies the identity of websites on behalf of online visitors. There are several CAs online, including Comodo, DigiCert, GeoTrust, GlobalSign, Let’s Encrypt, Symantec and Trustwave. You can review more providers on SSLShopper.

How much does an SSL certificate cost

There are different kinds of SSL certificates each with varying costs.

  • Single domain SSL certificates only cover a single domain such as dignited.com.
  • Multi-domain SSL certificates cover more than one domain such as dignited.com, www.dignited.com, answers.dignited.com.
  • Wildcard SSL certificates cover a single domain and all its subdomains. So a wildcard SSL certificate will work for any dignited.com subdomain such as the ones listed above.
  • EV SSL certificates give more details about an organization. They display the name of the company that owns the website in the address bar. A good example is when you visit https://www.paypal.com: you will notice Paypal Inc [US] shown along with the URL in the browser address bar.

A single domain SSL certificate is the cheapest and can go from free to anywhere around $50, while EV SSL is the most expensive and can cost as much as $500 per year.

Those looking for free SSL certificates should consider letsencrypt.org. Let’s Encrypt is a free, automated, and open certificate authority (CA) that’s provided by the Internet Security Research Group (ISRG).

Non-technical users can just consult with their website hosting company to help them with the switch to https.

After the switch to HTTPS

Once you install an SSL certificate for your website, you might still have some issues. Google Chrome will display one of the following icons in the address bar:

  • Lock icon: Secure
  • Information icon: Info or Not secure
  • Dangerous icon: Not secure or Dangerous

Secure means everything checks out. Congratulations! You now have encrypted communication between the browser and the server.

The Info or Not secure icon means there’s still more work you need to do. Usually this happens when you have “mixed” content on your website. This occurs when some resources such as images, ad banners, CSS or JS files are served over non-HTTPS URLs. You need to ensure that they are served from HTTPS URLs.
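One way to find the mixed content described above before the browser flags it, as an added example that is not part of the original article: the scanner below parses a page's HTML and reports every subresource that would still be fetched over plain HTTP. The page URL, the sample HTML and the active/passive labels (scripts and stylesheets can change the page, images and media cannot) are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that carries the URL the browser fetches for each tag.
URL_ATTR = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
            "video": "src", "source": "src", "embed": "src",
            "object": "data", "link": "href"}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that load a file
PASSIVE_TAGS = {"img", "audio", "video", "source"}     # display-only content

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        raw = attrs.get(URL_ATTR.get(tag, ""))
        if not raw:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return  # e.g. rel="canonical" is metadata, nothing is fetched
        # Resolve relative and protocol-relative URLs against the HTTPS page.
        url = urljoin(self.page_url, raw.strip())
        if urlsplit(url).scheme == "http":
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, assumed to be served from https://www.example.com/.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<a href="http://example.org/">ordinary link, navigation only</a>
<img src="/img/logo.png">
<img src="http://ads.example.net/banner.gif">
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE, "https://www.example.com/"):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

Relative and protocol-relative URLs inherit HTTPS from the page and ordinary `<a>` links are navigation, so only the hard-coded `http://` stylesheet and banner are reported.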

Not secure means the SSL is not installed or is incorrectly installed. Dangerous usually means the website is infected by malware and needs immediate attention.

SSL Testing tools

If you want to know what’s wrong with your SSL certificate, then you can use any of the following online tools:

  • https://www.ssllabs.com/ssltest/analyze.html
  • https://www.digicert.com/help
  • https://www.sslshopper.com/ssl-checker.html
  • https://whatsmychaincert.com

They should be able to tell you the CA, the renewal date, the expiry date, the encryption technology or cipher suites, the signature algorithm and of course the domains the SSL certificate covers.
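The same fields can be read locally. The following added example (not from the original article) takes a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns and reports the issuer, the expiry and which hostnames it covers, which also illustrates the single-domain, multi-domain and wildcard types listed earlier. The certificate is constructed sample data; note that a wildcard name matches exactly one label, so the bare domain is covered only if it is listed as well.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """True if one DNS name from the certificate covers host."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h                      # exact name (single/multi-domain)
    head, _, rest = h.partition(".")       # wildcard: one left-most label only
    return bool(head) and rest == p[2:]

def dns_names(cert):
    # Browsers match against subjectAltName entries, not the subject CN.
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def covered(cert, host):
    return any(name_matches(n, host) for n in dns_names(cert))

def summarize(cert, now):
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "expires": expires.date().isoformat(),
        "days_left": (expires - now).days,
        "dns_names": dns_names(cert),
    }

# Constructed sample in getpeercert() format: a wildcard-only certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    now = datetime(2025, 5, 16, 12, 0, tzinfo=timezone.utc)  # fixed for the demo
    print(summarize(SAMPLE_CERT, now))
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, "covered" if covered(SAMPLE_CERT, host) else "NOT covered")
```

For a live site, the same dictionary comes from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`.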

HTTPS is the future of the web. There’s no doubt about that. We recommend that you start by running your website on both HTTP and HTTPS and then gracefully enforce redirection to HTTPS with time. This will give you the opportunity to test things out without breaking things. At least that’s how we have done it.

Image: aba.direct