Josh Lewis

Why you should be using HTTPS on your website

In 2016 every serious client-facing website should be using HTTPS, simply because the benefits well exceed the small cost.

HTTPS/SSL is a different protocol from HTTP and any site using it requires a signed certificate. You can spot a site using it because it will usually have a green lock displayed in the URL bar and the URL will start with 'https://' instead of 'http://'.

Many web developers don't actively recommend SSL certificates because they can be hard work to set up and install, but you should make it an important requirement of your new project, no matter the size. There are three key reasons why using HTTPS is so important:

Performance

The HTTPS protocol is actively developing with a wide range of new features to improve speed.

Better Security

HTTPS helps protect any user data transmitted to your site and is required for things like card details.

Increased Trust

The green lock helps increase trust in your website and business and therefore increase sales and leads.

These benefits are well worth the small cost and are explained in greater detail below.

The HTTP protocol defines how data is sent over the internet and uses the underlying TCP protocol. At a basic level it splits content up into small 'packets' which are then routed through the internet to the destination and re-assembled. There is also a 'hand-shake' where a client (usually a web browser) will send a request to a server and the server will reply with a response. The basic HTTP protocol hasn't changed very much since the 1997 HTTP/1.1 version was defined.

HTTP also defines different methods for requesting data such as GET, POST and PUT (there are 9 in total), as well as a set of error codes such as 404 for not found or 500 for a server error.

HTTPS works in a similar way and also uses TCP but it communicates on a different port and sends data via an encrypted connection. This connection is public key based with the public key being the SSL certificate. Intermediate certificates are used to verify the trustworthiness of the server certificate.

How HTTPS improves performance

The performance benefits of using HTTPS come because only HTTPS supports the new HTTP/2 protocol that was developed from a project by Google called SPDY to improve performance of HTTP. HTTP/2 is supported in all modern browsers and differs from HTTP/1.1 in a number of ways to improve performance:

  • It allows for parallel downloads over one connection as well as for the server to “push” responses before the client requests them.
  • It compresses the headers sent with every request/response.
  • HTTP/2 makes better use of any connection through multiplexing.
  • It also sends data via binary instead of as text allowing for better compression.
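The binary framing and multiplexing points above, shown as an added example that is not from the original post: a Python parser for the 9-byte HTTP/2 frame header (layout as defined in RFC 7540) that separates two responses interleaved on one connection. The helper names and the sample bytes are constructed for illustration; HEADERS frames are left out because their payload is HPACK-compressed.

```python
import struct
from collections import defaultdict

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x5: "PUSH_PROMISE"}
END_STREAM = 0x1  # flag on DATA/HEADERS: the sender has finished this stream

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise a frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    length = len(payload)
    return struct.pack(">BHBBI", length >> 16, length & 0xFFFF, ftype, flags,
                       stream_id & 0x7FFFFFFF) + payload

def parse_frames(buf):
    """Yield (type_name, flags, stream_id, payload) for each frame in buf."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 9:
            raise ValueError("truncated frame header")
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, offset)
        length = (hi << 16) | lo
        sid &= 0x7FFFFFFF  # the top bit is reserved and ignored on receipt
        start, end = offset + 9, offset + 9 + length
        if end > len(buf):
            raise ValueError("frame payload runs past end of buffer")
        yield FRAME_TYPES.get(ftype, hex(ftype)), flags, sid, buf[start:end]
        offset = end

def demultiplex(buf):
    """Reassemble DATA payloads per stream; return (bodies, stream ids in wire order)."""
    bodies, order, finished = defaultdict(bytes), [], set()
    for name, flags, sid, payload in parse_frames(buf):
        if name != "DATA":
            continue
        if sid in finished:
            raise ValueError(f"DATA after END_STREAM on stream {sid}")
        bodies[sid] += payload
        order.append(sid)
        if flags & END_STREAM:
            finished.add(sid)
    return dict(bodies), order

# Constructed sample: two responses (streams 1 and 3) interleaved on one connection.
SAMPLE = b"".join([
    build_frame(0x4, 0, 0),                        # SETTINGS on stream 0
    build_frame(0x0, 0, 1, b"<html>"),             # first chunk of response 1
    build_frame(0x0, 0, 3, b"body{"),              # first chunk of response 3
    build_frame(0x0, END_STREAM, 1, b"</html>"),   # response 1 complete
    build_frame(0x0, END_STREAM, 3, b"}"),         # response 3 complete
])
```

Calling `demultiplex(SAMPLE)` returns each response body keyed by stream id, plus the wire order `[1, 3, 1, 3]` showing the two downloads sharing one connection.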

The actual speedup depends a lot on the site but anywhere between 20% and 200% isn't uncommon.

Why HTTPS is more secure

By using an encrypted connection HTTPS prevents 'man in the middle' attacks. On a normal connection any third party, whether it is a criminal or the government, could be collecting data as it is sent between the browser and the server without either party knowing. With an encrypted connection this is not possible.

HTTPS by no means makes your site invulnerable to being compromised but it is a very easy way to make things a lot harder for any would-be attacker. HTTPS should be used to transmit any sensitive data, even if it is just login credentials.

The 'green lock' is widely recognised as a sign that the site can be trusted and is more secure, which in turn leads to increased trust with your site's users and an increased likelihood of them making purchases or contacting you.

How much does it cost?

A typical single-domain SSL certificate costs less than £10. I normally purchase them through Namecheap and I pass the cost of domains and SSL certificates directly on to clients without any markup.