Why We All Need HTTPS & How We Ensure It’s Everywhere
Everybody likes to feel secure. It’s a pretty simple and universal truth. We like to feel secure in our homes, in our cars and in our neighborhoods. Addressing our concerns in these environments has also been pretty straightforward.
We put locks on our doors, added airbags to cars, and have police officers walk our streets. But there’s another place we want to feel safe, where addressing our need for security has been a little less straightforward — the internet.
One way we accomplish this is for all of us to drop HTTP and start installing SSL certificates on every website to move over to HTTPS.
Adding an SSL certificate essentially tells site visitors a few things:
- The site they are on is actually the site the URL says it is
- The content on the site hasn’t been changed in any way by anybody other than the site owner
- Any information shared between the visitor and the site (through a contact form, reservation sign up, etc.) won’t end up in the hands of a third-party
- The visitor’s browser history isn’t being tracked by some unauthorized third-party
- Any payment gateways on the site are secure
It’s pretty easy to see how this can lend to a small business’ credibility and put a potential customer at ease, especially if the SMB owner is running an online store. But if you think it’s not worth the effort or really that important, think again.
Website visitors are starting to notice when they don’t see that little green lock next to the URL, which indicates a site has an SSL certificate. This is especially true if the site visitor is using Chrome, as the browser is actively notifying people when they are on a website that isn’t encrypted. And just to round out the reasons why you should make the switch, Google views HTTPS as a positive ranking indicator for SEO.
However, there are some roadblocks that will keep many site owners from taking the plunge and moving over to HTTPS — traditional content management systems like WordPress.
Though 25 percent of all websites are built on WordPress, the platform doesn’t exactly make it a quick or easy task to switch a website from HTTP to HTTPS. (Just as a side note, we should point out that this isn’t a problem exclusive to WordPress. Any traditional CMS will have the same issues, but since WordPress is something nearly everybody has worked with, we’ll use them as the example.)
There are a few reasons why WordPress and the web servers it’s installed on make adding an SSL certificate to a website a pain. Namely:
- You have to pay for a certificate
- Installing it on your website takes up a fair amount of time
- You need to have a good understanding of the backend of both your web server and WordPress
Briefly, let’s walk through this process. Here are the steps you need to follow to install a certificate using a CMS like WordPress.
First, you need to log into your web server, this is normally done through a command line interface. Then you have to generate a certificate signing request (CSR), which gives you a CSR file and a private key.
This needs to be taken to your certificate provider (also called a certificate authority) of choice. You upload the CSR to the provider. They will then cross sign it and send you a valid certificate that is “signed” by them, which verifies that the website you’re doing this for actually represents the business it says it does. (The certificate company is basically just saying your website is your website.) At some point in this process, you will actually purchase your SSL certificate.
NOTE: Depending on the type of certificate and provider there are different levels of verification that often range from a phone conversation to a letter of incorporation for your business (SMBs normally don’t need to go this far, the base level of domain verification should be enough for an SSL certificate).
Once your certificate is bought and paid for, you need to install it on your web server. This requires uploading the certificate file to the file system and changing your web server’s configuration to point to the new files that you just downloaded to enable a secure connection.
For an experienced developer, this takes about 30-45 minutes (unless you’re using a certificate that takes forever to verify the website). If you’re new to this, good luck.
What’s more, if you’re a digital marketing agency with lots of clients, imagine doing this for each one of the websites you’re running.
It’s also important to point out that SSL certificates generally have a shelf life — they have to be renewed every quarter, six months, year, etc., so this is going to be a recurring cost.
Clearly, that’s way too much time and development work to simply ensure that your clients’ sites meet the bare minimum of essential encryption on today’s internet.
But therein lies the problem with using a CMS. This is the process that you must go through and there’s really no way around it. However, there are alternatives. Some website builders have begun offering this as an easy-to-add option within their platforms. All it takes is a few clicks and you can add an SSL certificate to a website when publishing. No need for messing around with web servers, creating a CSR, shopping around for a certificate authority, or jumping through hoops. Some website builders charge for this, others offer it for free, but the important thing is these platforms can make this an automated process.
In a world where all of us are increasingly relying on the web to buy and sell goods and services, there needs to be at least a baseline level of encryption to ensure that the information we share online, like our credit card numbers, home addresses, and phone numbers, are not ending up in the wrong hands. And turning to website builders that automate the process of adding SSL certificates is simply the best way to get the millions of small business websites out there onboard.