No HTTPS yet - may want to reconsider


(Doug Bennett) #1

If you’ve been putting off switching your site(s) to HTTPS, you might want to consider planning the move.

Google’s Chrome, the most used browser, now marks any HTTP page as “Not secure” if it has password or credit card fields.
Starting in October Chrome will add the “not secure” warning to all HTTP pages when a user enters any data (i.e., contact form, email sign-up and search boxes).
In this phase, it is just a warning, but I would imagine that your conversion rate will drop.

Also, you get a bump in your page ranking from search engines.

The main reason to make the jump to HTTPS is your customers’ privacy. Lots of snooping going on from public Wi-Fi, ISPs, etc.

Here’s an interesting post by Chris Coyier from CSS-Tricks.


HTTPS on a shoestring budget
(Rob D) #2

Yep, it’s time to make a move to more secure web development, folks. But remember that getting an SSL/TLS certificate is just the first step. It makes things more secure on the developer’s side rather than on the viewer’s side. To make things more secure for visitors of your website, you have to implement some more security measures – you should do it by placing some directives in your .htaccess file, especially if you are on a shared hosting plan.

After I got my Let’s Encrypt free SSL/TLS certificate, my security rating was still “F” (according to the Observatory rating site). After I implemented additional security measures recommended by the Observatory, my rating jumped to “A+”, but that broke some functionality of my site. So, I had to go back and withdraw some security directives. That made my site fully-functional again, but my rating dropped to “B”. Now, I have to rework some features of the site to get even better rating.

BTW, paying for the certificate won’t make it any more secure than getting the free one from “Let’s Encrypt”.


(Dave Farrants) #3

FWIW, I run 9 sites for different people / organisations, 2 were with a host who wanted £45 per year to implement HTTPS, the other 7 were with one.com who offer a one click conversion (via CP) to https with Comodo for free (ATM) - it was a no brainer to move the 2 sites to one.com.


(Mike S) #4

I’ll just add that even paying for certs is no guarantee they will be honored by browsers in the future. Here Google found that certificates from Symantec were allegedly mis-issued and are beginning the process of un-trusting them over time. So while the move to HTTPS is crucial for websites, it is also one that requires diligence from designers and owners alike.


(Jan Fuellemann) #5

Hi Rob, could you elaborate on what you did in detail and which recommendations you followed? The site is not so easy to understand…


(Rob D) #6

Hey, Jan,

Basically, what I did is shown in the screenshot. There are eleven test results. Two of them failed (I had to fail the CSP policy on purpose, because it was breaking my site). The other 9 directives are in my .htaccess file.

To successfully implement those security rules you will have to spend some time doing research on the Internet, but all the information is relatively easy to obtain. I had great help from the people running the forum on the Let’s Encrypt website.

Other great sources of info:

Web hosting supporting Let’s Encrypt: https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920
Let’s Encrypt Documentation: https://letsencrypt.org/docs/
Security Guidelines: https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
Security Headers: https://securityheaders.io/
Content Security Policy: https://scotthelme.co.uk/content-security-policy-an-introduction/
Certificate Authority Authorization: https://scotthelme.co.uk/certificate-authority-authorization/
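Rob’s own .htaccess is not posted in the thread, so the following is an added example (not his file and not from any of the linked sites) of the kind of header directives that Observatory and securityheaders.io score. It assumes Apache with mod_rewrite and mod_headers enabled, which is the usual shared-hosting setup, and that the site already serves correctly over HTTPS; the values (one-day HSTS max-age, the CSP sources) are illustrative starting points, not recommendations for any particular site.

```apache
# Added example .htaccess for security headers (assumes mod_rewrite + mod_headers).

# 1. Send every plain-HTTP request to the HTTPS version (permanent redirect).
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
  # 2. HSTS: the browser remembers to use HTTPS only. Only meaningful on HTTPS
  #    responses (env=HTTPS). Start with a short max-age (one day here) until
  #    everything works, then raise it; includeSubDomains/preload are hard to undo.
  Header always set Strict-Transport-Security "max-age=86400" env=HTTPS

  # 3. Stop the browser from MIME-sniffing responses into scripts/styles.
  Header always set X-Content-Type-Options "nosniff"

  # 4. Clickjacking protection: only same-origin pages may frame this site.
  Header always set X-Frame-Options "SAMEORIGIN"

  # 5. Limit what the Referer header leaks to other sites.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"

  # 6. Legacy XSS-filter header; still checked by some scanners of that era.
  Header always set X-XSS-Protection "1; mode=block"

  # 7. CSP is the directive most likely to break a site. Deploy it in
  #    report-only mode first: nothing is blocked, violations show in the
  #    browser console. Rename the header to Content-Security-Policy once
  #    the policy matches what the site actually loads.
  Header always set Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'"
</IfModule>
```

Two caveats for anyone copying this: Certificate Authority Authorization (the last link above) is a DNS record set at your DNS provider, not something .htaccess can do, and the report-only CSP is why a scanner will still mark the CSP test as failed until you switch to the enforcing header name.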


(Jan Fuellemann) #7

Thank you very, very much !