No HTTPS yet - may want to reconsider

If you’ve been putting off switching your site(s) to HTTPS, you might want to consider planning the move.

Google’s Chrome, the most used browser, now marks any HTTP page as “Not secure” if it has password or credit card fields.
Starting in October, Chrome will add the “Not secure” warning to all HTTP pages when a user enters any data (e.g., contact forms, email sign-up and search boxes).
In this phase it is just a warning, but I would imagine that your conversion rate will drop.

Also, you get a bump in your page ranking from search engines.

The main reason to make the jump to HTTPS is your customers’ privacy. There is lots of snooping going on from public Wi-Fi, ISPs, etc.

Here’s an interesting post from Chris Coyier from CSS-tricks.

6 Likes

Yep, it’s time to make a move to more secure web development, folks. But remember that getting an SSL/TLS certificate is just the first step. It makes things more secure on the developer’s side rather than on the viewer’s side. To make things more secure for visitors of your website, you have to implement some more security measures. You should do it by placing some directives in your .htaccess file, especially if you are on a shared hosting plan.

After I got my Let’s Encrypt free SSL/TLS certificate, my security rating was still “F” (according to the Observatory rating site). After I implemented the additional security measures recommended by the Observatory, my rating jumped to “A+”, but that broke some functionality of my site. So I had to go back and withdraw some security directives. That made my site fully functional again, but my rating dropped to “B”. Now I have to rework some features of the site to get an even better rating.

BTW, paying for the certificate won’t make it any more secure than getting the free one from “Let’s Encrypt”.

1 Like

FWIW, I run 9 sites for different people / organisations. 2 were with a host who wanted £45 per year to implement HTTPS; the other 7 were with one.com, who offer a one-click conversion (via the CP) to HTTPS with Comodo for free (ATM). It was a no-brainer to move the 2 sites to one.com.

I’ll just add that even paying for certs is no guarantee they will be honored by browsers in the future. Here Google found that certificates from Symantec were allegedly mis-issued and are beginning the process of un-trusting them over time. So while the move to HTTPS is crucial for websites, it is also one that requires diligence from designers and owners alike.

Hi Rob, could you elaborate on what you did in detail and which recommendations you followed? The site is not so easy to understand…

Hey, Jan,

Basically, what I did is shown in the screenshot. There are eleven test results. Two of them failed (I had to fail the CSP test on purpose, because the policy was breaking my site). The other 9 directives are in my .htaccess file.

To successfully implement those security rules you will have to spend some time researching on the Internet, but all the information is relatively easy to obtain. I had great help from the people running the forum on the Let’s Encrypt website.

Other great sources of info:

Web hosting supporting Let’s Encrypt: “Web Hosting who support Let's Encrypt” (Issuance Tech, Let's Encrypt Community Support)
Let’s Encrypt Documentation: “Documentation” (Let's Encrypt)
Security Guidelines: “Web Security”
Security Headers: https://securityheaders.io/
Content Security Policy: “Content Security Policy - An Introduction”
Certificate Authority Authorization: “Certificate Authority Authorization”

3 Likes
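For readers following the two posts above about putting security directives in .htaccess and about CSP breaking the site, here is an added example of what such a file typically contains. It is not Rob’s actual file or a screenshot transcription, and it assumes an Apache host with mod_rewrite and mod_headers enabled and a site whose assets are all served from its own origin; the domain is not named anywhere, so `%{HTTP_HOST}` is used instead. The CSP source list is an assumption you will need to adapt to your own scripts, styles and images.

```apache
# Added example .htaccess, not copied from any post in this thread.
# Assumes Apache with mod_rewrite and mod_headers available.

# 1. Send every plain-HTTP request to the HTTPS version of the same URL.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
    # 2. HSTS: the browser remembers to use HTTPS only, for max-age seconds
    #    (one year here). Enable it only after every page and subdomain works
    #    over HTTPS, because the policy is cached and cannot be undone quickly.
    #    Add "; preload" only after actually submitting the domain to the
    #    preload list. "always" also sets the header on error responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # 3. Stop browsers from guessing content types (MIME sniffing).
    Header always set X-Content-Type-Options "nosniff"

    # 4. Refuse to be embedded in frames on other origins (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"

    # 5. Send only the origin, and only over HTTPS, in the Referer header
    #    when a visitor follows a link to another site.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # 6. Content Security Policy. Deploy it in Report-Only mode first:
    #    violations are logged in the browser console but nothing is blocked,
    #    so you can see what the policy would break before enforcing it.
    #    'unsafe-inline' for styles is an assumption for sites with inline CSS;
    #    drop it if your styles all come from files.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

    # 7. When the console shows no violations, replace the line above with the
    #    enforcing header carrying the same policy:
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
</IfModule>
```

Two practical checks: the `<IfModule>` wrapper means that on a shared host without mod_headers the header lines are silently skipped rather than erroring, so confirm they are really being sent with `curl -sI https://yourdomain/ | grep -i -e strict -e content-security`, and only then re-run the Observatory or securityheaders.io scan. The CSP is the directive most likely to break a site, which is why it is the one left in report-only mode above; the other headers rarely affect functionality.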

Thank you very, very much !

1 Like