Imagine sitting down in a café for a drink while you talk to a friend about something confidential, like your love life, financial situation or how you store your money. It’s an everyday scenario, right?
Imagine that he is sitting a few tables away and you have to raise your voice a little to tell him all the things that you want. You’ll still have a pretty decent conversation but others will hear it loud and clear. But you wouldn’t want others in the café to hear all the confidential information you’re sharing, right?
You wouldn’t want anyone else knowing about your love life or your finances, yet they hear it because you’re not using a secure medium for conducting your conversation.
This is what can happen to a user when they’re using HTTP instead of HTTPS / SSL. Every browser’s traffic is visible. What you’re reading right now could be viewed by someone else along the way if the site is not using an SSL certificate. With a regular unencrypted HTTP connection, the communication between your web browser and the website you’re viewing is visible.
What Is HTTPS?
HTTPS, also known as Hypertext Transfer Protocol Secure, is a communication protocol designed for secure communication over a computer network. It is widely deployed on the Internet. It is not an individual protocol in itself: HTTPS is the layering of HTTP over SSL/TLS, that is, HTTP with the added security of the SSL/TLS protocols. HTTPS is designed to stop anyone from listening in on the communication between you and a server.
HTTPS is mainly used where sensitive and classified information is transmitted. For eCommerce sites, banks, schools, social networks or any other website that deals with credit card numbers, personal information and security credentials, HTTPS is mandatory.
You can secure your website with HTTPS to protect the confidentiality and integrity of your users’ information. If a user provides you with their data through a form on your site, through a purchase or through their subscription, your site will protect that information and ensure that no one else is receiving information from that communication.
It is important to note that HTTPS only protects against a few vulnerabilities and it provides a solid solution against wiretapping only. It basically makes it harder for the government or hackers to listen in to what you’re doing.
Learn more about SSL certificates in the linked article.
Why Should You Use HTTPS / SSL?
Every website you run should be protected with HTTPS even if your users are not sharing any sensitive information. Your website should have all the critical security measures embedded, and both you and your users should be shielded from anyone who wants to tinker with your communications. HTTPS is also required by a lot of browser features and new apps, and it is great from an SEO perspective.
Makes Unprotected Networks Safer
Using HTTPS is an exceptionally important security measure when you’re using unprotected networks as anyone can sniff around your communications and recover some sensitive information.
If you’re serving your content through HTTPS, no one else can alter the communication and the way your user receives that content. If you’re running a web store, this is particularly important as it also sparks confidence in your users, saying that they can shop safely.
HTTPS Keeps Your Users Secure
By using HTTPS you protect all of your users from anyone who would be passively listening in on sensitive communication. An unprotected HTTP request carries the risk of others listening in on it.
For example, your boss or the organization whose Internet connection you are using could get to know sensitive information about your health, based on the health articles you’re reading. Or they might know that you’re looking for another job if you’re browsing an insecure job site.
HTTPS Is More Future-Proof
Most modern applications that gather data from the user and send it to various servers require an explicit permission from the user before they can do so. Applications that use geo location, send pictures or record audio have HTTPS as a key component.
It Gives Your Site a Minor SEO Boost
Google gives a small ranking benefit to websites that use HTTPS with a 2048-bit key SSL certificate. It is a “very lightweight signal” but it does count in Google’s ranking algorithm.
How To Move Your Website from HTTP to HTTPS
Here, I’m going to go through the steps of moving your website from HTTP to HTTPS.
Get Everything and Everyone Ready
Getting ready for the migration should be done first and foremost. Check if your host is actually capable of delivering a HTTPS website. You can do that by simply calling their support team.
Make sure that your team, developers and sales know about the site maintenance that’s going to take place. Inform everyone involved. Make sure that you’re ready as well, because it is a long process and reverting it is much more time consuming than pushing it forward, although there is nothing you can do that you couldn’t recover from.
Start Out With a Test Server
It’s best to keep it safe and you won’t risk screwing anything up in the real deal. It’s best to test out everything before implementing it in real time.
Look Through Your Current Website
Crawl every page of your website so that you can compare it with the HTTPS version once it’s done.
Read Through Some Documentation
Find any documentation about your server and the content delivery network for HTTPS.
Buy and Install Your SSL Certificate
Usually, your web host has detailed documentation about installing SSL certificates. In fact, most of them sell SSL certificates and will do most of the work and configuration for you. All you have to know is the difference between www.yourwebsite.com and yourwebsite.com, because a standard SSL certificate won’t cover both of them.
If your current hosting provider does not offer SSL certificates, you can acquire one from GoDaddy or NameCheap. At NameCheap you can purchase a one-domain SSL certificate for as low as $9.00 / year. If you want to use the certificate for multiple domains, you have that option too, for an additional charge.
More expensive SSL “Extended” type certificates will make your website’s name show up in green in the address bar. This doesn’t have too much practical function but is said to boost sales in some way. If you think about it, customers can determine if your website is safe at first glance.
If you have a good enough hosting service, you don’t have to configure hosting yourself as they will take care of it for you.
But if you’re setting it up manually, the process depends entirely on your hosting environment. You can use the Mozilla SSL Config Generator to create a sample configuration file.
Once the configuration process is done by the host or by you, use this SSL server test to determine if the server has been correctly configured.
Update Your Content And Change All Of Your Links To HTTPS
Assuming that you have your SSL certificate set up, a Content Management System will save you a lot of time here as it does most of the work. Always use relative links instead of hard-coding links! It also doesn’t hurt to read the migration guide that comes with your specific CMS.
Scan all of your website’s source files and do the following:
- Make sure that every external image and script works well with HTTPS. If any don’t, download those files and replace the external references with them.
Update In Content References
You can do this the old-fashioned way by using search-and-replace in the database. Update every reference to internal links to use relative paths or HTTPS.
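The scan described in the two steps above can be automated. The following is an added example, not code from the original article: it parses a page, reports every absolute `http://` reference, and proposes a relative path for internal URLs and an `https://` candidate for external ones. The site `example.com`, the sample page and all names in the script are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that make the browser fetch or navigate to a URL.
URL_ATTRS = {"img": ("src",), "script": ("src",), "iframe": ("src",),
             "link": ("href",), "source": ("src",), "video": ("src", "poster"),
             "audio": ("src",), "form": ("action",), "a": ("href",)}

class InsecureRefFinder(HTMLParser):
    """Collects every absolute http:// reference and proposes a replacement."""

    def __init__(self, site_host):
        super().__init__()
        # Treat the bare domain and its www. variant as the same site.
        bare = site_host.lower().removeprefix("www.")
        self.own_hosts = {bare, "www." + bare}
        self.findings = []  # (line, tag, url, kind, suggestion)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS.get(tag, ()) or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme != "http":
                continue  # relative, https:// and other schemes are left alone
            if parts.hostname in self.own_hosts:
                # Internal reference: switch to a relative path.
                fix = parts.path or "/"
                fix += "?" + parts.query if parts.query else ""
                fix += "#" + parts.fragment if parts.fragment else ""
                kind = "internal"
            else:
                # External: https:// candidate, to be confirmed before use.
                fix = parts._replace(scheme="https").geturl()
                kind = "external-link" if tag == "a" else "external-resource"
            self.findings.append((self.getpos()[0], tag, value, kind, fix))

def scan(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for the assumed site example.com.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/img/logo.png?v=2">
<a href="http://example.com/contact">Contact</a>
<a href="http://partner.example.org/">Partner</a>
<img src="/img/ok.png"><script src="https://cdn.example.net/ok.js"></script>
</body></html>"""
```

Every `external-resource` finding is a file to confirm over HTTPS or to download and host yourself; `internal` findings are the ones to rewrite in your templates and database.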
Update All of Your modules/plugins/add-ons
Update everything to make sure that your entire system has adjusted to the change and that nothing breaks along the way. You don’t want any of your website’s function to suddenly disappear.
Update Your robots.txt and sitemap.xml
Place the corresponding HTTPS links into these files.
You May Have to Change Some CMS Specific Settings
Most CMS Systems have detailed migration guides for these.
Finish It Up
Crawl Through Your Site’s Old URLs
Look through every webpage to make sure that all is in order and nothing is broken.
Force HTTPS using redirects
This is different for every server configuration. It is covered in the Nginx, IIS and Apache server documentation, though.
With HSTS (HTTP Strict Transport Security) enabled, your website will load much faster because HSTS tells the browser to use HTTPS at all times. This way, there is no need for a server-side check, which would slow down how fast your website loads.
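Whatever server you use, the result of the redirect and HSTS setup can be checked the same way. The following is an added example, not code from the original article: for each old HTTP URL it verifies that the redirect is permanent, lands on `https://` with the path and query intact, and that the HTTPS response carries a usable `Strict-Transport-Security` header. The responses are constructed samples for an assumed site `example.com`, and the 180-day minimum `max-age` is an assumed policy value.

```python
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isascii() and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_migration(old_url, redirect, https_headers, min_age=15552000):
    """List the problems for one old HTTP URL.

    redirect      -- (status, Location) the server sent for old_url over HTTP
    https_headers -- response headers of the HTTPS page, names lower-cased
    min_age       -- assumed minimum max-age (180 days); adjust to your policy
    """
    problems = []
    status, location = redirect
    old, new = urlsplit(old_url), urlsplit(location or "")
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect")
    if new.scheme != "https":
        problems.append("no redirect to an https:// URL")
    elif (new.path or "/", new.query) != (old.path or "/", old.query):
        problems.append("redirect drops the original path or query")
    # Browsers honour HSTS only when it arrives over HTTPS.
    header = https_headers.get("strict-transport-security")
    if header is None:
        problems.append("no Strict-Transport-Security header")
    else:
        max_age, _ = parse_hsts(header)
        if not max_age:
            problems.append("HSTS max-age missing or 0 (policy disabled)")
        elif max_age < min_age:
            problems.append(f"HSTS max-age {max_age} is below {min_age}")
    return problems

# Constructed responses for the assumed site example.com.
SAMPLES = [
    ("http://example.com/shop?id=7", (301, "https://example.com/shop?id=7"),
     {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    ("http://example.com/blog/post", (302, "https://example.com/"),
     {"strict-transport-security": "max-age=0"}),
    ("http://example.com/about", (200, None), {}),
]
```

Feed it the URL list from your pre-migration crawl; an empty list means that URL redirects cleanly and is covered by HSTS.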
Don’t Forget About Search Engines
Add the new HTTPS version of your website to every search engine version of the webmaster tools you’re using and load your newly created sitemap.xml file with HTTPS to them.
Publish Your Website!
If you’re not a tech-savvy person, it’s best if you let your host handle your migration to HTTPS / SSL. A lot of issues may come up depending on what hosting environment you’re working in and you have to double check and triple check everything to make sure that the migration goes smoothly. There are a lot of online resources to help so go ahead and use as many as you can.
Also, stay calm because the loss of external links which are pointing to the old HTTP version of your site might cause a temporary decrease in rankings and traffic.
I hope you’ve enjoyed reading through this article and that you’ve found a lot of useful information!