What is HTTPS and how does it affect my site?
Google recently announced that it has begun to factor the availability of HTTPS into a site’s search ranking. Data transfer on the web is a mysterious process indeed, and the additional process of securing that data makes it that much more cryptic. In light of this, you may be interested in an overview of ‘What is HTTPS’, ‘Why do I need HTTPS’, and ‘Will HTTPS affect my site’s performace?’
Well, let’s jump right in. First, let’s talk about plain old HTTP. You’ve seen it in front of web addresses for years, and maybe never even thought twice about it. In short, it’s a fancy bit of text that tells your web browser how to talk to the server where the website lives. The important part of HTTP for this discussion is that this method of talking to the web server (this transfer protocol) happens in plain text. Imagine you’re at a coffee shop using their free Wi-Fi. You head over to The New York Times to read about last month’s World Cup. Your request for the website is sent out as readable text: “Hey! I’d like to see the website at http://nytimes.com/search?world cup” and the web page that comes back would also contain readable text of all the stories The Times thinks might be relevant.
This doesn’t seem like such a big deal, right? I mean, it’s only the most popular sporting event in the entire world. Who cares if some cyber-snooper at some coffee shop knows you’re a football fan? How about this scenario though:
You’re at the same coffee shop, but you’ve recently been feeling pretty unwell. So you head on over to http://www.webmd.com and search for ‘chronic fatigue’. The address of the web page you land on looks like ‘http://www.webmd.com/search?query=chronic+fatigue’. You see a summary that looks like it fits your symptoms and click on the page for ‘http://www.webmd.com/brain/chronic-fatigue-syndromemyalgic-encephalomyelitis’. This seems to fit the bill, and so you investigate further…
From these 5 minutes of web browsing, a cyber-snooper can begin to piece together certain things about you that may or may not be accurate, but certainly you’d like to keep private.
What is HTTPS
Now lets take a look at HTTPS. The additional ‘S’ in the website means SECURE. For the sake of this discussion, it’s only important that you know HTTPS is not plain text. When you ask a server to talk to you via HTTPS, your web browser and the web server go through a complicated exchange of really big numbers that allows all of the information you send and receive to be completely unreadable to anyone except you and the web server. So let’s look at a Google search for ‘chronic fatigue’. I’m going to use Google as an example, but the idea is the same for any site that uses https://thewebsite.com. It’s important here to note that Google automatically switches all conversations over to HTTPS, making sure that everything you search for remains private between you and Google. Here is what your coffee shop experience might look like using HTTPS:
You type google.com in to your web browser, and Google’s web server gets the request. It first notices that you’ve made an insecure request and tells your browser, “Hey! Let’s talk about this securely.” Your web browser and Google’s web server exchange really big numbers and BANG!, your session is secure. You’re now free to type ‘chronic fatigue’ into the Google search box and the only thing that the cyber-snooper can see is that you’re asking Google something. However, that something is completely unreadable by anyone in the whole world except you and Google’s web server.
Yes. It really is that simple.
Why do I need HTTPS?
If you’re not already convinced that HTTPS is important, read on.
As a user of the internet, you should be aware that everything you send and receive over an insecure connection has the possibility of being read by just about any cyber-snooper worth the name. However, in addition to obscuring the content of your comings and goings, HTTPS also provides several other protections. One such protection is the assurance that somebody has not intercepted your web request and is now posing as the web server you think you’re talking to. Using HTTPS, you’re also protected from the possibility of somebody changing the information that is sent between your web browser and the company’s web server, with nobody on either end any the wiser.
As the owner of a website, there is a really long list of reasons that you might need to provide a secure connection to your client. These include reasons such as knowledge that your client really is who they say they are, or perhaps ensuring the privacy of federally-protected private health information or federally-regulated financial information (for example, healthcare providers or online merchants). You should also care about HTTPS because of demand from your clients. Remember the scenarios we discussed above. It’s important for website owners to understand that HTTPS connections cannot be achieved by your client unless you actively provide them the option to use it. It’s the responsibility of website owners to create a world in which all web traffic can be protected from snooping, interception, and misrepresentation.
Will HTTPS affect the performance of my website?
According to Adam Langley at Google, even way back in 2010, then-modern hardware was sophisticated enough that,
“On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that.” [https://istlsfastyet.com/]
In other words: No. HTTPS will not affect the performance of your small-to-medium-sized business’ website to any degree noticeable by any actual human being. The additional requirements of HTTPS are noticeable only by machines or on websites working at massive scales.
Remember that it’s the job of a website owner to provide the option for clients to use HTTPS. This is where Google comes in. I mentioned at the very beginning of this article that Google is now factoring the availability of HTTPS into a site’s search ranking, and may continue to increase its importance in the future. Anyone interested in keeping their website optimized for search engine ranking is going to have to start offering HTTPS as an option on their web server. In the same way that Google’s ranking criteria have (arguably) created a better web where sites must publish relevant and useful content in order to receive a higher ranking in Google’s organic search results, this new inclusion of HTTPS as a ranking signal shows that Google wants “all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
How can you get HTTPS on your website?
If you already have a Basic Support plan with Local Fresh Hosting, you’re in luck. It’s a simple matter of submitting a ticket to our service department and we will set up a managed, auto-renewing security certificate. We’ll make all the necessary changes to your WordPress installation to ensure that every page is served to every visitor via HTTPS. This protects you, your clients, your search ranking, and makes the web a safer place for everyone. If you’re subscribed to our Premium Support plan with Local Fresh Hosting, we have a great introductory offer and a special renewal rate while you remain on our Premium Support plan. Head on over to our WordPress Support page at LocalFresh.net for more information and to sign up.
Post script: If you’re interested in a more detailed discussion of the necessity of HTTPS, you can watch the presentation given by Ilya Grigorik and Pierre Far on this topic from this year’s Google I/O conference. Their basic message? An unsecured data source can’t be trusted, the data itself could have been modified, and its contents are not private. Photo Credit: Dusty J via Compfight cc