You should support HTTPS on your website now.

For a very long time, I have been an advocate for HTTPS. It might seem like a no-brainer for technical people, but for clients and management/bosses you might need some extra arguments.

It’s a bit like being an advocate for not killing innocent children, right?

What does HTTPS offer us?

It protects the data between your server and the end-user. This is needed when sending credit card data, passwords or any other sensitive information. Yet many pages don’t do this at all — the good thing is that browsers have started punishing sites that do not follow best practices and take the users’ security seriously.

In short, Security & Performance.

Note: All of the performance gains are HTTP/2 related, but to use HTTP/2 you will need HTTPS.

But why care?

Will it make you money? YES.

SEO & Performance

Everyone cares about SEO, sometimes a little too much. However, SEO should reflect the user experience, and that is the most important thing in my opinion.

Speed also affects your SEO rank. And HTTP/2 can provide massive performance gains, especially if you have a lot of files.

How? Multiplexing.

What is multiplexing, you might ask? Take this as an example. You want to order some fast food for you and your friends.

HTTP:

Call. Hey I would like a pizza. Thanks. Hang up.
Call. I would also like a burger. Thanks. Hang up.
Call. I would also like a cheeseburger. Thanks. Hang up.
Call. I would also like a large coke. Thanks. Hang up.

HTTP/2:

Call.
Hey I would like a pizza, a burger, a cheeseburger and a large coke.
Hang up.

As you might already see, with a lot of items, or files, this can be sped up a whole lot. The truth is that browsers do allow you to “call” 8 times in parallel, but for sites like tv2.dk, with 70 requests and no HTTP/2, the performance gains can be very large, and cheap to implement.

HTML5 Features

Wouldn't it be great to be able to use the location of your visitor to show the nearest stores? Well, you need HTTPS for that.

You want your website to work offline? Maybe not the whole website, but at least the contact information? Well, you need HTTPS for that.

The list goes on, but I think you got the idea — to use some of the awesome features that browsers and the evolving web provide, you need HTTPS. The features have been disabled for non-secure sites, to protect the users.

You might say that you will add HTTPS when you need these features, but your competitor might already have HTTPS, and if you both need a new smart feature right now — they will no doubt be in the market sooner than you, and this might make you lose your customers to them. Also remember that customers might already prefer the site with HTTPS, as it’s likely to perform better.

No bad press, or alerted customers

Browsers have started to warn against sites not using HTTPS for fields like passwords and credit cards.

This means that if you have a login box on the page, it will be marked as “insecure”. This is very bad, both for technical customers and for the technically inclined.

Example Chrome Behavior, taken from blog.chromium.org

Seeing a warning that something is insecure on your site damages your brand — and the trust that people put into it. This might be the #1 reason for upgrading your site right now. It could make your support happy as they will not have to explain this issue to the people phoning in about your insecure site.

I have seen this happen on Facebook and Twitter — people questioning the security of the site. The company might dismiss it, but then some technical person arrives, and explains that it is indeed not secure — because HTTP is not secure. SO SAVE YOURSELF BEFORE THIS HAPPENS.
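To find the affected pages before your visitors do, the check below scans a page's HTML for password and credit-card inputs served over HTTP; it goes one step beyond the browser warning described above and also reports HTTPS pages whose form still submits to an HTTP address. It is an added example, not part of the original post: the `shop.example` URLs and markup are constructed samples, and spotting card fields by their `autocomplete` tokens is an assumption of this example, not a browser's exact logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Standard HTML autofill tokens for card fields; matching on them is a heuristic.
CARD_TOKENS = {"cc-name", "cc-number", "cc-csc", "cc-exp",
               "cc-exp-month", "cc-exp-year"}

class SensitiveFieldAudit(HTMLParser):
    """Records password/card inputs that are shown or submitted over HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # resolved target of the enclosing <form>
        self.findings = []        # (kind, field name, reason)

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "").strip() for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, attr.get("action", ""))
        elif tag == "input":
            is_pw = attr.get("type", "").lower() == "password"
            is_card = CARD_TOKENS & set(attr.get("autocomplete", "").lower().split())
            if not (is_pw or is_card):
                return
            kind = "password" if is_pw else "card"
            name = attr.get("name", "(unnamed)")
            if urlparse(self.page_url).scheme == "http":
                self.findings.append((kind, name, "page served over HTTP"))
            elif urlparse(self.form_action or "").scheme == "http":
                self.findings.append((kind, name, "form submits to HTTP"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    parser = SensitiveFieldAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages; shop.example is a placeholder host.
LOGIN = '<form action="/session"><input type="password" name="pw"></form>'
CHECKOUT = ('<form action="http://pay.shop.example/charge">'
            '<input name="card" autocomplete="cc-number"></form>')

if __name__ == "__main__":
    print(audit("http://shop.example/login", LOGIN))
```

An empty result means the page has no password or card input exposed over HTTP; run it over every page that renders a login or checkout form, not just the obvious ones.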

Getting started

It can take anywhere from 10 minutes to 4 years to implement it. But it will depend on so many things.

To get started you will need to consider what kind of certificate you want and need.

If you are a government institution, or a company that would benefit from the extra trust, you should look into getting an Extended Validation Certificate. In most browsers, this will print something out in the address bar. Take a look at Medium for example. It says “A Medium Corporation [US]”, while other sites will just say “Secure”.

This can benefit some organizations, but others might not care. It will cost something to get an EV Cert, but you should consider it in some cases.

If you just want to be secure and have HTTPS, there are other options. I would recommend Let’s Encrypt; it’s free and really easy to set up on most sites.

You could also take a look at CloudFlare, it will provide you with other benefits, but it’s really easy to get HTTPS with CloudFlare.

You can also buy certs from many other providers. If you have a hosting provider, maybe talk with them. If some consulting firm is managing your website, take a meeting with them and ask about recommendations. (I would not understand if they didn’t already propose this to you — so maybe you should consider changing to someone else?)

If in doubt, feel free to contact me and I’ll provide you with some quick guidelines.

Conclusion

If you don’t have HTTPS, you need HTTPS. In the long run, it will hurt you one way or another if you don’t do it.

It’s basically free. But even if it’s not, it’s worth it, it can provide your organization with some extra trust, and even more if you pick an EV Cert.

Half of the internet is already doing it. You are lagging behind, and it’s time to get on the train to the future.

https://twitter.com/letsencrypt/status/786977436109934592

If you wished you had read something more technical, there are a lot of resources on this topic already. I can recommend the following:

Thanks for reading. Feel very welcome to post your feedback.

Story by Allan Kimmer Jensen.