Should I Use HTTPS for My Site? 10 Things to Consider

HTTPS, sometimes known as HTTP Secure, is a modern adaptation of the old protocols that have been running the web for decades. HTTPS uses Transport Layer Security (TLS) to encrypt data passed between the server and the visitor’s browser, providing a basic level of protection for sensitive information. It’s most commonly seen on sites that offer services like online shopping, banking, or webmail, though more and more publications are turning to HTTPS to keep their visitors’ information secure.

HTTPS has been around since 1994. Back then it was almost exclusively used for corporate communications and financial transactions. No one really thought the unencrypted and easy-to-intercept nature of HTTP transactions was a real liability. Just over two decades later, however, half the web is encrypted and over 43% of the internet’s most popular websites use HTTPS in one form or another. As of November 2017, nearly 27% of the internet’s top websites use site-wide HTTPS by default, and those numbers are constantly on the rise.

A Few Details about HTTPS

Before you dive head-first into HTTPS, there are a few minor details you should be aware of. Even though HTTPS is largely invisible to both end users and site owners, your daily admin routines could shift slightly once you make the switch. It’s nothing that will make you want to pull your hair out, but if you run a large site and want to upgrade, you could have a lot of work ahead of you.

  • Sites secured with HTTPS use a different URL than unsecured pages (https:// instead of http://). You may need to manually configure your site to redirect visitors from http:// to https://. You’ll also need to change internal links to reflect the additional letter.
  • You need full admin access to your server via cPanel to install the HTTPS certificate. If you don’t know what this means, you probably don’t have full admin access.
  • Firefox, Chrome, Safari, Opera, and most other modern browsers support HTTPS on desktop and mobile platforms. Compatibility issues should never arise.
  • You don’t have to use HTTPS on your entire site. This can be useful if you only have logins or shopping access through certain pages.
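The internal-link clean-up described in the first bullet can be scripted. The following is an added example, not part of the original article: it scans a page for http:// URLs, separates links to your own site (safe to rewrite) from third-party resources (which need a manual check), and flags any form that would submit over plain HTTP. The host example.com and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit
URL_ATTRS = {"href", "src", "action"}  # attributes a browser fetches or follows

class InsecureLinkAudit(HTMLParser):
    """Sort every http:// URL on a page by the follow-up it needs."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.internal = []        # own-site URLs: rewrite to https://
        self.external = []        # third-party http:// URLs: review by hand
        self.insecure_forms = []  # forms that submit over plain HTTP

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value)
            if parts.scheme.lower() != "http":
                continue  # relative and https:// URLs need no change
            if tag == "form":
                self.insecure_forms.append(value)
            host = (parts.hostname or "").lower()
            own = host == self.site_host or host.endswith("." + self.site_host)
            (self.internal if own else self.external).append(value)

def to_https(url):
    """Rewrite one http:// URL to https://, dropping an explicit :80 port."""
    parts = urlsplit(url)
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def audit(html, site_host):
    parser = InsecureLinkAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser

# Constructed sample page for a hypothetical site, example.com.
SAMPLE = """<a href="http://example.com/about">About</a>
<img src="http://www.example.com:80/img/logo.png">
<script src="http://cdn.example.net/lib.js"></script>
<form action="http://example.com/login" method="post"></form>
<a href="/contact">Contact</a> <a href="https://example.com/shop">Shop</a>"""

if __name__ == "__main__":
    report = audit(SAMPLE, "example.com")
    for url in report.internal:
        print("rewrite:", url, "->", to_https(url))
```

Third-party URLs are reported rather than rewritten because the other host may not serve the same resource over HTTPS.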

Before Switching to HTTPS

The more you learn about HTTPS the more complicated it seems. Fortunately, you don’t have to be an expert in web security to take advantage of HTTPS on your site. Most hosting providers even offer automated installation for certificates via cPanel; all you have to do is create some accounts and copy/paste everything into place. You should still gain some familiarity with what HTTPS changes and what will stay the same, however. Keep reading for some of the major ins and outs of the full HTTPS experience.

1. If Your Site Handles Sensitive Information, You Need HTTPS

The HTTPS protocol was developed to provide security and integrity for packets of data, especially things like credit card numbers or shipping information. With TLS/SSL in place, packets are wrapped in a layer of encryption as they travel to and from your site. This base-level security feature makes it harder for third parties to steal data. Even if they do get their hands on it, they won’t have the necessary cryptographic keys to unlock it, making it useless to steal in the first place.

If your website sells products or handles financial transactions in any way, there’s no question about it: you should be using HTTPS. In fact, savvy web users know that if private data is about to change hands and the site isn’t using any form of encryption, they’re better off keeping their money and their information to themselves. Not having HTTPS can cost you customers.

2. HTTPS Protects Login Information

During the early days of HTTPS few people saw the protocol as much more than a way to protect credit card details. As time passed and the internet became more widespread, HTTPS quickly expanded to encrypt more than just the essentials. Any type of login information, even just passwords and usernames, should be protected by HTTPS transfers.

Without encryption, the HTTP protocol is easy to intercept. Data passed between the server and the visitor’s browser is sent in a raw format without any kind of protection. Basically, anyone with the right tools can pick up transfers between your site and your visitors and have immediate access to all those sensitive details. Even if you only use login details for commenting or other basic membership access, site-wide HTTPS (or at least HTTPS on the sign-in page) is crucial to keep your users safe.

3. HTTPS Makes Your Website Trustworthy

Most end users think of HTTPS as nothing more than the little green lock icon at the top of their browser. If it’s there, they can submit account information or shop with increased privacy, end of story. What they don’t think about is that HTTPS provides a crucial verification service in addition to basic encryption. When that lock icon appears, it also means the site they’re connected to is the site they requested, not some phishing page set up through a man-in-the-middle attack.

Do you know who doesn’t use HTTPS on their website? Scammers. Fortunately, you don’t have to operate under the same restriction. Adding HTTPS lets the world know you are who you claim to be and your site can be trusted as legitimate. Even if you don’t offer online shopping or even membership logins, users feel more at ease seeing that green icon in their browser.

4. Offering Large File Downloads? HTTPS Could Be Slower, or Faster

One thing HTTPS isn’t known for is speed. Encryption adds extra data and quite a bit of overhead, slowing down transactions from server to client. This is barely even noticeable with standard traffic. Even image- or script-heavy sites won’t suffer from slowdown with HTTPS enabled. Anything more than that, though, and you could be asking for trouble.

If you run a high-traffic service that hosts large files users can download, HTTPS may introduce site-wide slowdown. The main bottleneck isn’t the downloads themselves, but the initial transmission setup. The HTTPS handshake takes longer to initiate than a regular HTTP connection. When managing thousands of ongoing connections, your server may struggle to handle new handshake requests, adding as many as three or four seconds to your site’s time to first byte (TTFB) score.

The good news is that this won’t be the case for long. The newer HTTP/2 protocol, a rewrite of the classic HTTP, pairs wonderfully with TLS. Speed tests comparing handshake and download times with and without encryption show HTTPS with the new protocol can be as much as 81% faster. This only applies to HTTP/2 connections, but since the rate of adoption is steadily increasing, in a few years the new protocol will be the standard. Almost all major browsers support HTTP/2, including Chrome, Opera, Firefox, Safari, and Edge. If you know your server is using the updated version, adding HTTPS can actually speed up your site, even with large downloads.

5. HTTPS Certificates Aren’t Free

Security doesn’t come for free. To use HTTPS on your site, you need a certificate from one of the major Certificate Authorities. This forms the backbone of site verification and is necessary to prevent scammers from setting up their own HTTPS sites. In other words, without CAs anyone could fake a secure site, ruining the protocol for the entire web.

The cost of buying an HTTPS certificate can vary, but it averages around $50 per year. This may not seem like much in the grand scheme of things, but if you run a small site that may not see any direct benefits from HTTPS, it can definitely be harder to justify.

6. HTTPS Certificates Have to Be Installed and Managed

Getting an HTTPS certificate is one thing, but you also have to activate it and install it on your website, both of which take time. You don’t need to be a tech wizard to get things up and running; it’s just difficult to justify the maintenance if you’re not sure you need HTTPS in the first place.

The basic process for securing part or all of your site with HTTPS goes something like this:

  1. Host your site with its own virtual private server.
  2. Buy a certificate.
  3. Activate and install the certificate.
  4. Update your site settings to use HTTPS.

Steps two and three have their own share of hoops to jump through. Some hosting providers take care of this for you, but if they don’t, you have to generate a certificate signing request (CSR), fill out form data, enter certificate codes, and hope it all goes without a hitch. Once you start configuring your site to use HTTPS, you’ll bump into even more settings that need to be tweaked. Again, none of this is impossible or incredibly overwhelming; it’s just something to be aware of once you head down the HTTPS road.
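For step four, one of the settings to get right is the redirect from http:// to https://. The sketch below is an added example, not code from the original article: a small WSGI middleware for a Python-hosted site that sends plain-HTTP requests to the HTTPS address of a configured host name. The host www.example.com, the stand-in application and the simulate helper are assumptions made for illustration.

```python
from urllib.parse import quote

class ForceHTTPS:
    """WSGI middleware that permanently redirects plain-HTTP requests to HTTPS."""

    def __init__(self, app, canonical_host):
        self.app = app
        # Redirect to a configured name, never the client-supplied Host header,
        # so a forged Host cannot steer visitors to another site.
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)
        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
        location = "https://" + self.canonical_host + (path or "/")
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        body = b"This site is only available over HTTPS.\n"
        start_response("301 Moved Permanently", [
            ("Location", location),
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]

def site(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"account page\n"]

def simulate(app, scheme, host, path, query=""):
    """Call a WSGI app with a minimal constructed request; return (status, headers)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
               "HTTP_HOST": host, "SCRIPT_NAME": "", "PATH_INFO": path,
               "QUERY_STRING": query}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

app = ForceHTTPS(site, canonical_host="www.example.com")  # hypothetical host

if __name__ == "__main__":
    print(simulate(app, "http", "www.example.com", "/login", "next=%2Fcart"))
    print(simulate(app, "https", "www.example.com", "/login"))
```

A redirect only protects the requests that follow it: a form that still posts to an http:// address has already sent its data unencrypted before the 301 arrives, so links and form targets need updating as well.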

7. HTTPS Doesn’t Work with Shared Hosting

One limitation of the HTTPS protocol is that it doesn’t work well with multiple sites hosted on the same server. The initial handshake that makes HTTPS operate relies on server-level certificates, not domain data. Put simply, this means that if you run a smaller website on a hosting provider and don’t have your own dedicated virtual server space, you can’t encrypt your site with HTTPS.

How do you know if you’re on shared hosting? Chances are if you don’t know, you probably are. Services that offer free blogs, free website space, or super low-cost versions of either utilize shared hosting to make this possible. Your site is stored on a computer with hundreds or even thousands of other sites, all of which share the same IP address and hardware resources. Shared hosting means you won’t have direct access to the machine, making it impossible to customize or install HTTPS certificates. To secure your site, you’ll need to upgrade to a virtual private server (VPS) or cloud hosting.

8. You’ll Need a Dedicated IP Address for HTTPS

Related to the point above, HTTPS relies on server identity, not domains. When the initial handshake takes place, the protocol tries to verify your server exists and is who it claims to be. This requires a certificate tied to a steady IP address. Most hosting providers do not provide this by default; you have to contact them and pay for a dedicated IP address in addition to your hosting plan.

9. HTTPS Doesn’t Secure Stored Server Data

A common misconception is that HTTPS encrypts the data on the server, making it harder to retrieve and impossible for hackers to crack. HTTPS doesn’t actually do anything to the information sitting on your server, however; it only encrypts data as it’s transferred to and from a remote client. You’ll need to take further measures if you want to lock down your database or server files.

10. Core Financial Considerations of HTTPS

As we touched on above, upgrading your site to use HTTPS involves a number of additional costs, especially if you’re coming from a small shared server space with little to no overhead. Your financial investment will vary depending on your site’s needs, but it’s worth taking a look at the minimum requirements:

  • Certificate – The core of your HTTPS connection averages between $30-$50 per year.
  • Domain name – Securing a URL is crucial for your site. A yearly cost of $10-$20.
  • Basic hosting space – Varies depending on the provider, but usually around $20 per month.
  • Virtual private server – An upgrade from the basic plan that can add $20-$50 to your monthly bill.
  • Dedicated (static) IP address – Another variable add-on cost that runs between $8-$15 per month.

Add all of that up and you’ve got a bill on par with your home utilities, all just to get your website online and secured with HTTPS. Depending on the size of your project this may be prohibitively expensive. There are some workarounds for a few of these obstacles, but none of them are easy to use or very reliable. If you’re going to do HTTPS, you need to do it without cutting corners.

The Future of HTTPS

At some point, every website owner has to ask themselves if HTTPS is worth the investment. It takes time to research and set up, it costs money, and there’s a chance it may introduce some slowdown to certain sites. It also secures private data and tells users that your content is trustworthy. In the end, HTTPS is a worthwhile upgrade for nearly all online destinations. The web is rapidly moving towards a fully encrypted future. Don’t let it leave your site behind!