It’s amazing the difference one little letter can make. For example, changing http to https can mean the difference between security and insecurity, even though it’s a little squiggle up in our address bar that many of us may not even look for when we’re making sensitive transactions. But there’s a movement that’s saying that all sites should use https by default, and here’s why they’re right.
An https server authentication certificate essentially lets your browser check that you’re being sent to the right server, rather than a fake, malicious one. More and more companies are turning https on by default as demand for security and transparency rises and customers, increasingly aware that it’s important, will take their business elsewhere if they don’t get it. There are still many sites left unprotected, though. It’s possible that they haven’t adopted it yet because of concerns about how much it slows site performance, but most worries about speed or how it affects SEO have been resolved.
Google may be in the bad books for privacy, but in this case it is helping redeem itself, as it’s been saying that all traffic should be https by default. But they aren’t the first to argue the case. In January this year Yahoo made https the default for all its mail, following Google and Microsoft’s change; as of July last year Facebook also made all traffic https by default (not that this stops them snooping on you instead!) and Mozilla has had Firefox set up this way for the last two years.
The Electronic Frontier Foundation has launched the ‘https everywhere’ initiative with the Tor Project, and is promoting “an extension that allows users to more consistently use HTTPS by forcing always-on HTTPS connections by default on websites that only support the feature on an opt-in basis”. So if https is an option for that site it would automatically protect you. [https://www.eff.org/https-everywhere]
At a recent talk, Google described three layers to online security:
- Authentication – are they who they claim to be?
- Data integrity – has anyone tampered with it?
- Encryption – can anyone see my conversation?
And there are lots of reasons why it might be important. For starters, even if someone can’t snoop on your most sensitive data, what they can piece together from unencrypted sites still paints a big picture of who you are and could affect your privacy. If you have a site, it affects not just you but your traffic too.
Here are some tips from Google on how to get started securing your site:
- Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
- Use 2048-bit key certificates
- Use relative URLs for resources that reside on the same secure domain
- Use protocol relative URLs for all other domains
- Don’t block your HTTPS site from crawling using robots.txt
- Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag
- Check out the Site move article for more guidelines on how to change your website’s address
Google advise making sure you do all the steps and in order; so have a little investigate and make sure that you’re protected as we work toward a safer web.
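A quick way to check a page against the URL, robots.txt and noindex tips above, as an added example that is not from Google or the original article. The host name, sample markup, finding labels and function names are assumptions made for the illustration; the certificate tips are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs (assumed site and markup, not from a real page).
SAMPLE_HOST = "www.example.com"
SAMPLE_HTML = """<html><head>
<meta name="robots" content="noindex, follow">
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/ok.js"></script>
</head><body><img src="/img/logo.png"><a href="http://other.example.org/">x</a></body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"
# Attributes that make the browser fetch a subresource; plain links (<a href>) are not audited.
RESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("link", "href"), ("iframe", "src")}

class _Audit(HTMLParser):
    def __init__(self, host):
        super().__init__()
        self.host, self.findings = host.lower(), []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots" and "noindex" in a.get("content", "").lower():
            self.findings.append(("noindex", a["content"]))
        for name, value in a.items():
            # An absolute http:// resource on an https page is loaded insecurely.
            if (tag, name) in RESOURCE_ATTRS and urlsplit(value.strip()).scheme == "http":
                same = urlsplit(value.strip()).hostname == self.host
                self.findings.append(("use-relative-url" if same else "use-protocol-relative-url", value))

def audit_page(html, host):
    """Return (issue, detail) pairs for the URL and noindex tips."""
    parser = _Audit(host)
    parser.feed(html)
    return parser.findings

def robots_blocks_everything(robots_txt):
    """True if a group that applies to 'User-agent: *' contains 'Disallow: /'."""
    agents, in_rules = set(), False
    for raw in robots_txt.splitlines():
        field, _, value = raw.split("#", 1)[0].partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:  # a user-agent line after rules starts a new group
                agents, in_rules = set(), False
            agents.add(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value == "/" and "*" in agents:
                return True
    return False
```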
Now that Google is putting extra weight on security, specifically HTTPS/SSLs, it’s worth getting your site in order. Find out more, and get your SSLs sorted with us.
If you’ve got any security questions give us a call on 0800 045 4945 or contact your account manager.