Do I Need to Encrypt Every Webpage?September 12, 2016
Is your website data encrypted?
Unless you have a shopping cart on your site, there’s a good chance it is not. Protecting online credit card transactions from prying eyes has always been a requirement. Company servers and online email services like Gmail are also protected by HTTPS encryption. But what about the average website? Does it need to be protected?
Most websites have a log-in page, a contact form, or some other interaction where data is being sent between the end user and the server. Unless your website is running on HTTPS, there’s a chance a hacker could intercept and read your messages, or passwords, or whatever is being transferred on the web. This is especially true on public wifi. So why aren’t all websites secure?
Cost and Speed
Two of the biggest reasons in the past for not using encryption were cost and speed. While never terribly expensive, running a secure site required a unique IP (something hosting companies charge extra to do), and the purchase and installation of a security certificate. The cost of purchasing an SSL Certificate cost anywhere from $30-100/year (or more for some fancier, "extended validation" versions).
The other downfall was speed. Loading encrypted pages through HTTPS meant a small downgrade in speed, and the goal is generally a fast-loading webpage. But notice that I'm talking past-tense here. Some things have changed.
Faster and Free
Thank to improvements by web hosts in their server-side hardware, the load time between a secure and non-secure site is negliable. Site like HTTP vs HTTPS Test demonstrate this change clearly.
As for cost? Using a service such as Cloudflare, you can run your whole site through HTTPS for free! Other services, such as Let's Encrypt, make a similar offer. Concerns of the past, cost and speed, are no longer an issue. But wait, there’s more!
Other Reasons to Secure Your Site
Trust – Users want to feel safe and secure when browsing your site. Seeing that nice little padlock that displays on encrypted pages tells them you care about protecting their data and their privacy. Google, Apple, Mozilla, the Internet Security Research Group (ISRG), and many others have been advocating for this change, moving their entire web to "always-on" encryption.
In what may the #1 reason to secure your site is the recent announcement that Google will soon start labeling sites in their Chrome browser as "secure" or "insecure". Beginning in 2017, users will start seeing a red "X" over a padlock on any sites or pages that aren't HTTPS encrypted. This will likely spread to other browsers as well. This public "shaming" will make your site visitors nervous and start to see your site as unsafe or untrustworthy.
Better Search – In 2014, Google announced it would start giving rank preference to sites running HTTPS encryption. While initially this hasn't made a large difference, clearly the push toward encyption has been in motion for a while.
In addition to rank, users of SSL will get better analytics. Search sites like Bing and Google are already running through https, meaning that if a visitor searches for a term there, and then clicks over to a non-secure webpage, that referrer data is lost. Data that's encrypted on one site can't be tracked by a non-encrypted site on the other side. However, if your website is https encrypted, all that good referrer data is maintained, meaning you can see how users are finding your site.
Plan on Making the Switch
Majors websites like Facebook have made the move to "always-on" encryption. The expectations are being set. The cost is low. The benefits are many. So what are you waiting for? Make the move to SSL. We made the switch on our website this year, and will be recommending encryption on all our websites moving forward. Contact the Electric Citizen team for help securing your website.