Time to Adopt HTTPS

Andy Schaff Nov 28 2017

I recently developed a comprehensive questionnaire to determine if it’s worthwhile to move your site to HTTPS if you haven’t already. If you can answer “YES” to any of the following questions, we highly recommend making the switch.

  1. Do you have a website?

 

Wait, what? Only one question?!? So you’re saying…

That’s right. If you have a website, it should be on HTTPS. Period. The End. OK OK, maybe not every website. If you have a website that you do NOT want people to find, use, and trust, then you don’t need HTTPS. But something tells me you do.

Trust

The key component here is trust. While encrypting the connection between your site and your users definitely improves security, it’s not a magical force-field that will protect your site from getting hacked. But, if implemented properly, it will garner trust from your users. There is comfort in the glowing green padlock.

Without HTTPS, browser providers like Google and Apple will start taking an active role in tarnishing this trust, and it will start with Chrome. Over a year ago, Google announced its intention to move towards a more secure web, and without hesitation started shouting alarmingly at users about the lack of security on non-HTTPS websites.

Not secure website in Google Chrome

Google Chrome makes up almost 60% of the entire web browser market (58% in October 2017 according to w3schools.com), so this is a big deal.

How can I migrate to HTTPS?

In order to move to HTTPS, an SSL certificate has to be installed at the public-facing layer of your site’s infrastructure. This layer can be a mixed bag of technologies depending on your setup. It could be a webserver like Apache, NGINX, or Windows IIS, a load balancer, a CDN, a caching technology like Varnish, or something else.

So, what’s best for my site?? That question may be best answered with this question: What technical resources do I have available?

If you’re a developer and already have experience working in Linux, I would recommend looking at letsencrypt.org. Let’s Encrypt is a free, automated, and open certificate authority. I’ve set it up myself numerous times and highly recommend it.

If you’re not a developer but tech savvy and comfortable managing your cPanel or other hosting interface, you could install an SSL cert on your own. This requires purchasing an SSL cert from a provider and following the install instructions on your hosting management system.

If that still sounds fairly daunting, you might be able to have your hosting company handle it for you.

More than likely, you’ll still want support from a developer.

While these are solid options, my favorite and most recommended option is implementing Cloudflare. Cloudflare offers DNS management, SSL encryption, and a worldwide CDN… for FREE. It’s a ridiculous offer and checks off a lot of “easy win” boxes for your site and its performance. This is the route I chose for portent.com in mid-2017 and it’s been awesome. Their monthly pay packages offer a lot of cool technologies that continue to push the envelope on site performance, while their base offerings include DNS and built-in firewall security, the worldwide CDN, and free SSL, which in most common cases, is all of about $79 per year.

Pre-launch checklist

Once you have SSL installed, prep your site for the migration. Here’s a quick list of common tasks that should be addressed.

Don’t forget to redirect

Before flipping the switch to HTTPS, make sure your redirects are in order. Add a cardinal (catch-all) redirect that sends all HTTP traffic to HTTPS. Update all existing redirects to point to their HTTPS counterparts to avoid redirect hops.
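To make the "avoid redirect hops" step concrete, here is an added example (not from the original post) that rewrites an existing redirect table so every rule lands on its final HTTPS URL in one hop and reports loops. The `example.com` rules are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

def to_https(url):
    """Return the HTTPS counterpart of an absolute URL (only the scheme changes)."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)

def flatten_redirects(rules):
    """Return (flattened, loops) for a {source: target} redirect table.

    flattened maps each HTTPS source straight to its final HTTPS target;
    loops lists sources whose chain never settles.
    """
    # Key everything by its HTTPS form: once the catch-all redirect is live,
    # per-page rules only matter for HTTPS URLs. Rules that collapse to
    # "same URL" are already covered by the catch-all, so drop them.
    table = {to_https(s): to_https(d) for s, d in rules.items()
             if to_https(s) != to_https(d)}
    flattened, loops = {}, []
    for src in table:
        seen, cur = {src}, table[src]
        while cur in table:          # target is itself redirected: follow it
            if cur in seen:          # revisited a URL: this chain is a loop
                loops.append(src)
                break
            seen.add(cur)
            cur = table[cur]
        else:
            flattened[src] = cur     # chain ended on a URL with no rule
    return flattened, sorted(loops)

# Constructed sample redirect table (not real site data).
SAMPLE_RULES = {
    "http://example.com/old-page": "http://example.com/new-page",
    "http://example.com/new-page": "http://example.com/services/",
    "http://example.com/a": "http://example.com/b",
    "http://example.com/b": "http://example.com/a",
    "http://example.com/home": "https://example.com/home",
}

if __name__ == "__main__":
    flat, loops = flatten_redirects(SAMPLE_RULES)
    for src, dst in flat.items():
        print(f"{src} -> {dst}")
    print("loops:", loops)
```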

Fix mixed content

Mixed content is when there are HTTP asset references (images, css, js, etc.) on an HTTPS URL. The latest modern browsers will warn you when this is happening by either not showing the magic-glowing-green-lock-of-comfort, or showing an open lock, or something along those lines. You should be vigilant about fixing mixed content issues because of the trust impact (described above), made even more urgent by the increased warnings from browsers.

This is probably a pre- and post-launch checklist item, as it requires prepping your code in advance and planning the steps for updating your CMS content once live. Scour your site and code for HTTP references. Inspect the console in Google Chrome on all of your major pages. Mixed content warnings will look like this:

Mixed content warnings

Update links

Update all of your HTTP links to HTTPS. Again, this is more of a post-launch item, but planning should be done beforehand so you’re not scrambling to figure out how to change links after going live. If your site has lots of pages, it’s going to be difficult to test every page by hand. I wouldn’t recommend it. Use a tool to crawl your site to find HTTP references. Utilize a search-and-replace extension/module/plugin if available. Perhaps have your developer run replace functions on the content database.

Tip for WordPress users: Use the “Search Regex” plugin to find and replace HTTP URLs.
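For the "Fix mixed content" and "Update links" steps, the following added example (not from the original post) scans a page's HTML and separates `http://` subresources, which trigger mixed content warnings, from `http://` links that only need updating. The sample page and the tag list are constructed assumptions; a real crawl would feed each fetched page through the same function.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a subresource (assumed list).
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("embed", "src"), ("object", "data"),
}
# <link rel=...> values that load a resource, unlike rel="canonical".
LOADING_RELS = {"stylesheet", "icon", "preload"}

class HttpReferenceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mixed_content = []  # (line, tag, url) fetched over plain HTTP
        self.links = []          # (line, tag, url) hrefs/actions to update

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        for name, value in attrs.items():
            if not value or not value.strip().lower().startswith("http://"):
                continue
            if tag == "link" and name == "href":
                rels = set((attrs.get("rel") or "").lower().split())
                bucket = self.mixed_content if rels & LOADING_RELS else self.links
            elif (tag, name) in SUBRESOURCE_ATTRS:
                bucket = self.mixed_content
            elif name == "href" or (tag == "form" and name == "action"):
                bucket = self.links
            else:
                continue
            bucket.append((line, tag, value.strip()))

def find_http_references(html):
    """Return (mixed_content, links) found in one HTML document."""
    finder = HttpReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.mixed_content, finder.links

# Constructed sample page (not real site content).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<link rel="canonical" href="http://example.com/blog/post">
<script src="https://example.com/js/app.js"></script>
</head><body>
<img src="http://example.com/img/logo.png" alt="logo">
<a href="http://example.com/contact">Contact</a>
<a href="/about">About</a>
</body></html>"""
```

Fix everything in the first list before launch, since those are what cost you the padlock; the second list can be handled with your search-and-replace pass.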

In Summary

You want to be proactive about this. It’s only a matter of time until the next Chrome update starts displaying the red exclamation warning message on all non-HTTPS pages or pages with mixed content. Stay ahead of the curve and adopt HTTPS now. There really is no going back.
