2017 is the year HTTPS should be the default for all your websites.

HTTPS is the secure version of HTTP, the protocol used to deliver web content across the Internet. Plain HTTP has long been the standard mode for transporting information across the web. You can identify a site running over HTTPS by the green lock icon next to the URL (in Chrome and Firefox). In the past it was seen as necessary to require secure transport only when a site was asking for private information, login credentials and financial details being the most prominent. That has now changed.

For a number of reasons HTTPS is no longer viewed as an optional security add-on to your website; it is now the proper default transport. Absent a compelling reason, all of your websites should be HTTPS by default.

To enable HTTPS on your website your host must support it (*almost* all do, looking at you GitHub), and you will need an SSL certificate. This certificate is issued by a trusted Certificate Authority (CA), which at minimum verifies that you control the domain for which it is issued; browsers trust your certificate because they already trust the CA that signed it.

Why HTTPS?

  1. Verification: When you install an SSL certificate you are proving to your users that the site they are visiting is, in fact, the site they expect: the certificate binds your domain name to a key that only your server holds, and the browser checks both before showing the lock. Leveling up to an Extended Validation certificate adds verification of the legal entity behind the website (namely you!). Site identity verification helps protect your users from impersonation and phishing, among other things, though note that a phishing site can obtain a certificate for its own domain too, so the lock tells users they reached the domain in the address bar, not that it is the domain they meant.
  2. Privacy: The underlying technology for SSL (more properly known as TLS) keeps prying eyes (and prying computers) from reading the content transmitted between your servers and your users. This keeps secret information secret: passwords and credit card numbers, for example.
  3. Integrity: The same transport security keeps malicious systems sitting between your server and your user from modifying your content to suit their own ends, whether that is injecting ads or injecting scripts. You can be confident that the content you intend to send your users is what they receive.
  4. SEO+: Google uses HTTPS as a ranking signal, treating it as an indicator that web best practices are being followed, and gives those sites a small bump.

Why doesn’t everyone run HTTPS all the time?

For reasons mostly historical:

HTTPS was resource intensive
Early on, the encryption required for HTTPS was computationally expensive: you needed more servers to serve the same amount of content over HTTPS than over HTTP. Market forces created continually faster hardware, sometimes even special-purpose hardware, and the protocol itself gained cheaper key exchange and session resumption. The result is that an HTTPS site today has little more overhead than an HTTP site.

Certificates were expensive
It once cost hundreds or thousands of dollars to obtain an SSL certificate from some authorities. Recently a Certificate Authority, Let's Encrypt, was created to increase SSL adoption by issuing domain-validated certificates for free, with automated issuance and renewal.

Setup can be difficult
Configuring web servers to use SSL can be difficult and complex. As more tooling has arisen around this process, configuration has become easier. For some providers it is now automatic or a single click away.
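The two steps described above, obtaining a certificate and configuring the web server, as an added example that is not from the original post: an nginx configuration for a site that is HTTPS by default. Nothing in the post specifies these, so the example assumes the domain example.com, a certificate obtained from Let's Encrypt with the certbot client (which by default places files under /etc/letsencrypt/live/example.com/), site content under /var/www/example.com, and a reasonably current nginx and OpenSSL (TLS 1.3 in ssl_protocols needs nginx 1.13 and OpenSSL 1.1.1 or later; drop it on older builds).

```nginx
# Added example: nginx server blocks for a site that is HTTPS by default.
# Assumptions (not from the original post): domain example.com, certificate
# issued by Let's Encrypt via certbot, content in /var/www/example.com.

# Port 80: answer only the ACME HTTP-01 challenge, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # certbot --webroot writes challenge files here; they must stay
    # reachable over plain HTTP so the certificate can be renewed.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Permanent redirect so links and bookmarks move to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the real site.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # fullchain.pem = leaf certificate plus the CA's intermediate, so browsers
    # can build the chain; privkey.pem must be readable by nginx only.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only modern protocol versions; SSLv3, TLS 1.0 and TLS 1.1 are left out.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Session reuse so repeat handshakes are cheap.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS: a browser that has seen this header refuses plain HTTP for the
    # site for a year. Start with a short max-age and without
    # includeSubDomains until every subdomain serves HTTPS; the header is
    # hard to take back once browsers have cached it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;
    index index.html;
}
```

After reloading nginx, `curl -I http://example.com/` should return a 301 whose Location header is the https:// URL, and `curl -I https://example.com/` should show the Strict-Transport-Security header. One more check before declaring the migration done: every script, stylesheet and image your pages reference must itself load over HTTPS, otherwise browsers will block or warn about the mixed content and withhold the lock icon.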

Why is there a push to HTTPS now?

The progress of technology has reduced the cost of running HTTPS. Both the performance cost (thanks to Moore's Law) and the financial cost (thanks to Let's Encrypt) are now negligible. Because security by default is preferable to security bolted on later, major browsers are now disincentivising the use of non-HTTPS page delivery.

Already underway are initiatives by major browsers to publicly flag pages that collect information over plain HTTP. Even if your site accepts only innocuous information over HTTP, your users will increasingly see a notice that your site is "Not secure". If this is not a message you wish to have associated with your brand, 2017 is the year to make your sites HTTPS by default.