As a web user, chances are you have noticed a padlock show up in the address bar of your internet browser while visiting or logging into particular sites. On some browsers a green highlighted section in the address bar can accompany this but on every browser it means a change in the domain name from HTTP to HTTPS.
Almost every web user has visited one of these sites before, but perhaps many without knowing it. Think Facebook, Amazon.com, eBay and importantly your online banking platforms. These sites all use the HTTPS domain extension, which adds a significant level of security to the domain.
But how does having a different domain extension add security to a site? In short, the HTTPS protocol extension means that all data that is captured by the site must be encrypted. When data is encrypted it cannot be understood by a third party. This differs to data sent over a HTTP domain, which is sent as plain text.
Why does data need to be encrypted?
When it comes to transferring data online, there is a risk that unencrypted data could become intercepted during transfer, which potentially allows personal details of users including credit card details to be stolen. This can lead to identity theft, fraud and gives cyber criminals the data they need to perform countless other types of online crime.
On the other side of the coin, when data is encrypted, if it is intercepted, it resembled a mess of jumbled code which is essentially useless to hackers and cyber criminals.
These days it’s pretty much a given that most reputable sites will have a HTTPS protocol for secure sign in areas of the site, which allows the user to verify the security of the server by viewing a SSL certificate. (Just click the padlock to view this.) However, for online log in areas of lesser-known sites, it’s always a good idea to check for the HTTPS extension, and the padlock icon in the address bar, and if still in doubt checking the credentials of the SSL certificate.
HTTPS domains are hosted with a valid SSL certificate that has been issued by a digital certificate authority. VeriSign and DigiCert are two of the most well-known certificate authorities used by sites like Facebook, IBM and Intel to namedrop a few. For anyone with their own website, the question is does this apply to me?
Figure 1 – An example of an SSL certificate used by Amazon
Do I need my own HTTPS domain?
If your site doesn’t capture data from users, or is simply a blog, or site advertising your products/services to generate enquiries to a physical business, a HTTPS domain does not need to be used.
If however, you are running an ecommerce website where you collect people’s credit card information, then the answer is a resounding YES. Customers expect to see the padlock icon and as more people become web savvy, and conscious of online security, not having these domain security features will mean buyers are less likely to trust your site, which will ultimately mean a loss of customers.
One exception to needing a secured domain is if your site forwards customers to a third party payment provider like PayPal who will have their own SSL certificate and domain security. It’s not necessary to add the HTTPS extension to all pages on the site, but forms that capture customer information and details should be secured.
Even if you have a log in area to any part of the site it’s important to do the right thing by your customers and ensure their username and passwords are NOT stored as plain text, even if it the security of your own domain is not directly affected. Since many people use the same log in details for various sites, having a valid SSL certificate will give customers the peace of mind that their details are unable to be intercepted by a third party.
To host these secure pages under HTTPS domain you do need to purchase a SSL certificate – the next question then becomes: Which one do I choose?
How much does a SSL certificate cost?
It’s no secret that certificated vary widely in price, with some as cheap as $10.00, and other in excess of $500.00. Most are valid for a year and then will need to be renewed – similar to website hosting.
Essentially a $500.00 SSL certificate will do the exact same thing as one that costs $100.00 – the only difference is in the perceived trust that some of the big names may have, as well as the service and support offered. If having a well known entity like VeriSign or DigiCert as the issuer of the certificate is important to you, and something you think is likely to be important to your customers it can be worth justifying one of the more expensive certificates which also allows you to use their ‘trust seal logo’ on log in pages as an extra way to offer assurance to your customers.
Figure 2 – It’s worth comparing the service, support and features of your SSL certificate, and avoiding low cost self signed certificates, which despite doing the same job as a more expensive certificate, are less trusted
It is wise to avoid the cheapest of the SSL certificates as these need to be self signed by you as the site owner as the certificate authority. On many web self signed certificates can flag a warning message to pop up which can encourage your customers NOT to trust the site, even when it is otherwise secure.
Broadly speaking spending around $100.00 per year will enable you to have a SSL certificate and host secure pages on your ecommerce site to give your customers peace of mind.
Does having a HTTPS site influence SEO and performance?
There has been some debate whether HTTPS sites can positively or negatively influence your site’s SEO and rankings. Some people claim that HTTPS sites are more ‘trusted’ by Google and are automatically favoured in search engine result pages, although it’s hard to make meaningful comparisons to HTTPS sites and general HTTP sites in similar fields that couldn’t be the result of hundreds of other variables. Edit – as of August 2014, Google themselves have added that an HTTPS is a signal for the search engine’s algorithm, however it is very much a minor one.
Others in the industry and some site owners however, claim that HTTPS sites cause more strain on the server and cause the load time of your site to slow. Since page speed is an important factor in determining site performance and rankings it’s important to ensure your server has the correct bandwidth and infrastructure to support securely hosted pages.
So to conclude, for those operating a site that captures data from users, factoring in the cost of domain security is something definitely worth accounting for. However for sites that capture credit card information on a ecommerce platform, domain security is absolutely critical to ensure online trust and so customers feel confident to do business with you.