What Can Happen When You Are Not Using the HTTPS Protocol?
Imagine that you are logging on to an unsafe site and your password is somehow snatched on the way. Now someone else has your account login details. Everyone can probably imagine what a spectre such a situation is for banks and for their users logging in to electronic banking.
But this is not the only risky situation you might face. Imagine that you send your users some data and an attacker alters it on the way.
For example, after a customer fills in the order details, the attacker slips another payment gateway link under the original one and the unsuspecting customer sends money to someone else. There are a number of such risk scenarios during unsecured transfers.
Users who connect to an unsecured site may be viewing data that was modified in transit and may see any "harmful" content (viruses, banners etc.). Hypothetically, every time a user wants to view your site, your competition could display pornographic material, or harm you in any other way they please.
In What Situations Should the HTTPS Protocol Be Used?
Strictly speaking, it should be used on any site where data theft or alteration could cause irrecoverable damage, i.e. on virtually all websites :-). Yet those who should pay particular attention to data protection are:
- E-shops where you fill out online order forms and pay by credit card. Avoiding misuse or theft of important personal data and payment information is crucial here.
- Banks and financial institutions, working with payment data and personal details of customers.
- Civil service and state administration, since these institutions often work with sensitive information (dates of birth, addresses, social security numbers, etc.) and, like all other institutions, they must protect your data properly.
- All other websites that process customer data online (emails, addresses, phone numbers, payment details).
These segments should consider data protection their priority.
Growing Interest in HTTPS Thanks To Marketing
Almost two years ago Google released a statement in which it said that, from the perspective of SEO, sites using HTTPS (i.e. SSL certificates) would be slightly favoured and would probably appear higher in search results.
This naturally caught the attention of marketers, who thought that such a switch to HTTPS would help them gain a competitive advantage.
For the record - Google already supported the switch to HTTPS in 2012, i.e. two years before the term HTTPS started being widely used, mainly thanks to SEO.
To set the record straight - although Google announced that it would prefer HTTPS, Google itself also says that HTTPS has very little importance and affects about one percent of queries. Therefore, switching to HTTPS "only" because of search engines does not make any sense.
There are hundreds of similar signals a search engine evaluates. And if the use of HTTPS accounts for only one per cent of the resulting ranking on Google, it may simply not be worth it. Another point is that it means a huge amount of work. Below I will give you a closer idea of what an ordeal you have to deal with if you switch to HTTPS.
You don’t really have to worry that your site would drop a dozen ranks down. Nor will you be penalised if your site is still running on unsecured HTTP. It's just something you can do to get a little advantage. But if you don’t, no disaster will happen. Actually, almost nothing will happen, as the results of most users who were convinced to switch to HTTPS "because of SEO" show.
You should switch to HTTPS because of your users, to protect their privacy. Nothing looks worse than when some security problem leaks out, users’ data then circulate irretrievably on the Internet, and everyone knows it may have been YOUR fault! The problem can be even worse if you are a company that provides hosting, makes websites, or if you run an Internet wallet...
The price of the certificate - when switching to HTTPS you need, willy-nilly, to purchase an SSL certificate that you have to renew regularly (and pay for it, or get a certificate from an entity that will provide it for free).
You can also purchase an SSL certificate for several years ahead. Then it is not necessary to renew it manually every year, unless you want to. This entire process can be automated, but it will cost you some extra time to figure out how.
Unless you need to secure hundreds of websites, you don’t have to worry that you would be paying a staggering amount. Also, there are several companies offering trusted certificates for free. So you don’t always have to pay for it.
And if by chance you are the owner of a large number of domains that you want to secure through HTTPS, then a few thousand is probably not a big issue, as you are at least a medium-sized company, for which such amounts are a drop in the ocean.
Certificate Prices Vary Depending On the Type:
Automated trusted SSL certificate from Let’s Encrypt – the cheapest (free) version, which cannot issue Wildcard certificates.
It is worth mentioning that some Czech hosting providers already offer auto-SSL, i.e. all hosted sites can make use of an SSL certificate (Let's Encrypt) from their hosting provider, which is either free or available for a symbolic fee. Dušan Janovský from Seznam has made the following list.
Basic Commercial SSL – The certificate can be purchased for about CZK 150 per year and mostly covers a single domain.
SAN / UC (Subject Alternative Name / Unified Communications) - These certificates enable securing multiple domains with a single SSL certificate.
SSL Wildcard Certificates (also known as Star certificates) – A universal type of SSL certificate that allows securing all subdomains under one main domain. A Wildcard certificate contains an asterisk before the name of the main domain (e.g. *.lundegaard.eu). Its use saves the cost of purchasing additional SSL certificates and, at the same time, the time required for their installation and management.
SSL IDN (Internationalised Domain Names) - Certificates used to secure domains that use characters outside the standard Latin alphabet (A-Z). An IDN SSL certificate can secure, for example, sites which have Russian or Chinese characters in their names.
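The coverage rules behind the SAN, Wildcard and IDN certificate types above, as an added example that is not part of the original article: browsers match the asterisk against exactly one left-most label, so *.lundegaard.eu covers www.lundegaard.eu but not lundegaard.eu itself or a.b.lundegaard.eu, and IDN names are compared in their ASCII (xn--) form. The function names and the certificate name lists are constructed for illustration.

```python
"""Which hostnames do a certificate's names cover? (added example, constructed data)"""

def to_a_labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, convert IDN labels to xn-- form."""
    labels = name.rstrip(".").lower().split(".")
    return [lab if lab == "*" else lab.encode("idna").decode("ascii") for lab in labels]

def name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate name (possibly a wildcard) with a hostname."""
    pattern, labels = to_a_labels(cert_name), to_a_labels(host)
    if len(pattern) != len(labels):
        return False  # "*" stands for exactly one label, never zero or several
    if pattern[0] == "*":
        # Simplification: require two fixed labels so "*.eu" is refused;
        # browsers consult the Public Suffix List for this instead.
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    return pattern == labels

def coverage(hosts: list[str], cert_names: list[str]) -> dict[str, bool]:
    """Map each hostname to whether any name in the certificate covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hosts}

# Constructed name lists for three hypothetical certificates.
WILDCARD_ONLY = ["*.lundegaard.eu"]
WILDCARD_PLUS_APEX = ["*.lundegaard.eu", "lundegaard.eu"]
SAN_WITH_IDN = ["shop.example", "xn--e1afmkfd.xn--p1ai"]

HOSTS = ["www.lundegaard.eu", "lundegaard.eu", "a.b.lundegaard.eu",
         "WWW.Lundegaard.EU.", "пример.рф", "shop.example"]

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_ONLY),
                         ("wildcard + apex", WILDCARD_PLUS_APEX),
                         ("SAN with IDN", SAN_WITH_IDN)]:
        print(label)
        for host, ok in coverage(HOSTS, names).items():
            print(f"  {'covered' if ok else 'NOT covered':12} {host}")
```

A wildcard certificate that should also serve the bare domain therefore needs that domain listed as an additional name, as in WILDCARD_PLUS_APEX.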
The certificates then differ not only in the price and the number of domains which can be secured by one certificate, but also in the type of authentication:
DV SSL (Domain Validation) - The most affordable SSL certificates, which are verified only by basic authentication at the domain level, sent in a verification e-mail. A huge advantage of DV certificates is quick issuance, which can be done in minutes.
OV SSL (Organization Validation) - These SSL certificates offer a higher degree of credibility compared to DV certificates thanks to complete identification of the company for which the SSL certificate is issued. Verification of the company strengthens the credibility of the web site owner. The visitor has the option to verify the site operator at any time.
EV SSL (Extended Validation certificates) - The browser bar of a site with an EV SSL certificate switches to green. In addition, the company name appears next to the www link.
Note: Someone else can deal with your SSL worries if you opt for intermediary services (i.e. Offload SSL). Encryption is done before the server. This communication can be enabled / disabled through a firewall used only by the intermediary, thus minimizing the risk that someone will be able to tap or change your data.