Are you concerned about the security and authenticity of the websites you are visiting? Probably yes, though it may not be your top priority: getting the job done is. What if we told you that browser makers are doubling their efforts to convince web professionals to rethink their priorities: browsers like Chrome are flat-out refusing to serve websites unless they are delivered via HTTPS (an encrypted, more secure version of HTTP, the Hypertext Transfer Protocol).
Google Chrome and Firefox, for example, will bluntly deny you access to Google’s In-Page Analytics data and visualization for a website if they deem it not “private” enough for lack of HTTPS. On top of that, Google and Bing may be penalizing sites that don’t use encryption in search engine ranking. Web creatives can no longer afford to ignore the security aspect of web publishing.
The Google Analytics plug-in for your browser may or may not resolve the In-Page Analytics error. Rest assured, the plug-in will not make up for the loss of SEO karma points due to lack of HTTPS.
So how exactly would you go about fixing your site?
You need an SSL certificate
First and foremost, you need an SSL certificate for each and every one of your domains (that includes subdomains; some certificates support more than one domain, which can greatly simplify their management). Costs run from about $10 for the simplest of certificates to hundreds of dollars per year for an extended validation (EV) certificate, the Ferrari of SSL certificates that looks flashy but may not be any safer if it’s used irresponsibly, which gets us to the next point: you need a solid SSL configuration.
You need a solid grip on your SSL configuration (free diagnostics tools can help)
The setup is full of pitfalls. For starters: in the SSL configuration of your web server, you should never use SSL. What?! Yes, you read that right: the SSL protocol is a legacy protocol, and enabling it would expose your site to its vulnerabilities. Use TLS 1.1/1.2 instead.
When using an external service provider or even the control panel of your web host, you aren’t at the mercy of luck. Using free online services, you can verify the security aspects of your server’s SSL configuration as described in this post.
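A local check that complements the online diagnostics, added here as an example and not taken from the article or its linked posts: it scans an nginx-style configuration for `ssl_protocols` directives and flags any that still enable SSL. The sample configuration and host names are constructed, and TLS versions other than the 1.1/1.2 the article names are reported for review rather than judged.

```python
import re

LEGACY = {"SSLv2", "SSLv3"}        # the SSL protocol itself: never enable
ADVISED = {"TLSv1.1", "TLSv1.2"}   # the versions the article says to use


def audit_ssl_protocols(config_text):
    """Return (line_no, verdict, detail) for each nginx-style ssl_protocols directive."""
    findings = []
    seen = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # ignore comments
        match = re.match(r"ssl_protocols\s+([^;]+);", line)
        if not match:
            continue
        seen = True
        protocols = match.group(1).split()
        legacy = [p for p in protocols if p in LEGACY]
        other = [p for p in protocols if p not in (LEGACY | ADVISED)]
        if legacy:
            findings.append((line_no, "FAIL", "legacy SSL enabled: " + " ".join(legacy)))
        if other:
            findings.append((line_no, "REVIEW", "not named in the article: " + " ".join(other)))
        if not legacy and not other:
            findings.append((line_no, "OK", " ".join(protocols)))
    if not seen:
        # Without the directive the server falls back to its built-in defaults.
        findings.append((0, "REVIEW", "no ssl_protocols directive; server defaults apply"))
    return findings


# Constructed sample configuration (not from the article).
SAMPLE = """\
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak: SSLv3 still on
}
server {
    listen 443 ssl;
    server_name www.example.com;
    # ssl_protocols SSLv3;  (commented out, ignored)
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""

if __name__ == "__main__":
    for finding in audit_ssl_protocols(SAMPLE):
        print(finding)
```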
HTTP/2 can nullify the performance penalty of HTTPS
And while you are at it: if optimizing your sites’ performance is something close to your heart, why don’t you treat your web visitors to the best implementation of HTTPS around: HTTP/2. Web admins have been shunning HTTPS for a reason: it will slow your site down, considerably. An upgrade from the decades-old HTTP/1.1 protocol to HTTP/2 will take care of that for visitors with web browsers that are fully supported (this covers almost everyone these days).
As for the technical implementation and what to look for in a web host, our sister publication Cloud Insider has a series of articles on this very topic:
- Letsencrypt, the SSL-Certificate Engine for the Cloud Era of Hyperscale, on AWS EC2 (this one explains the use of free SSL certificates by an open certificate authority named Letsencrypt)
- How to Activate HTTP/2 with TLS Encryption in NGINX for Secure Connections without a Performance Penalty
Please feel free to post your questions in the comments section below.