At Google I/O 2014, Google described the way most websites exchange data with their visitors as “insecure, untrustworthy, and trivially intercepted”. Harsh words. They then took it a step further and announced on the Google Webmaster blog that they were “starting to use HTTPS as a ranking signal”, at which point I decided to set up my blog to run entirely over HTTPS. It only costs £25 per year on my excellent hosting provider, Tsohost, but why would I bother, when I don’t process payment information?
Why run a blog site over HTTPS?
At the moment, it probably won’t make any significant difference to my search engine ranking. Google describes HTTPS as “only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals”, but there appears to be a move away from unencrypted web traffic being the default, with Google calling upon webmasters to protect the “security, privacy, and integrity of our users data”. But what does that mean? Well, HTTPS has a number of benefits for any website owner or user, so I’ll break these down:
- Secure login. At the moment, if I dropped into a coffee shop, hotel or pub with free wireless, and I logged into my WordPress site, my username and password would be transmitted over that wireless network unencrypted, and potentially readable by anyone on the same network with a few simple tools and a modicum of knowledge. I don’t want that password being compromised, so I’d rather log in over a secure encrypted connection, which would make stealing my credentials a lot harder (not impossible, but difficult enough to make it unlikely). If at some point I wanted to allow other people to log in to my site, to update it or comment, then I want their username and password protected as well.
- Proof of identity. If someone clicks a link, on another website or in an email, which links to my site, I want them to know it definitely is my site, and not a fake site set up to trick them into downloading malware or viruses, or giving away their credentials for my site or any other site. The name www.rgbartlett.co.uk in the address bar should indicate it’s my site, but hijacking a website can be done in a number of ways, and having my site’s web pages always served over a connection authenticated by a certificate makes those a lot harder.
- ‘Man in the middle’ attacks. There is a theoretical risk that if a point between a visitor and my website (anything from the visitor’s broadband router, their ISP, or even my hosting provider) were compromised, an attacker could ‘inject’ data into the stream of traffic between the visitor and my site, changing what they see, or even forcing them to download malware which could then compromise the visitor’s system. The disclosures by Edward Snowden illustrated how the NSA and GCHQ had this capability, and allegedly had used that against Google among others. I doubt either agency or any government cares about my site or its visitors, but it’s a capability which other parties could use.
- Privacy. The news that governments are routinely intercepting internet traffic on a vast scale, and the almost daily news of websites and cloud services being hacked, has raised the awareness of many users, and caused them to question their assumptions about their own privacy, and how to preserve it. The assumption that only authentication or online payments should be protected by encryption seems to be changing, and ‘HTTPS everywhere’ may gradually become the norm.
I suspect this will make little or no difference to my search engine rankings, but it was an interesting exercise and surprisingly easy to do, and that low barrier of entry may cause others to take the same step. Think about it. For smaller sites there’s no significant cost, or performance hit on your site, and it will increase the trust your website visitors have in you and your brand. Why not give it a try? Considering Tsohost are now running a 50% discount on standard SSL certificates (down to £25 from £49 p/year) and their Standard Hosting package is only £34.99 p/year, now is the time!