DreamHost ACADEMY

What Is HTTPS and Why Does It Matter for Your Website?

Each time you visit a website — any website — that site needs to receive information from your browser. By far, the most common way this is achieved is through HTTP (Hypertext Transfer Protocol). These are essentially standardized rules that allow the transfer of information to take place.

HTTPS is the secure version of HTTP — but what is it, how does it work, and how can you make sure your website is secure?

Read on to discover more about the ins and outs of HTTPS.

What is HTTPS?

HTTPS stands for Hypertext Transfer Protocol Secure and is the protocol used to send data between your web browser and a website. It’s the secure version of HTTP, and it’s estimated that around 98% of websites now use HTTPS.

[Image: Google SERP Feature Graph showing the past 30 days.]

HTTPS encrypts the data sent between the site and the browser, making it much more secure. This ensures that any sensitive information (like your bank account details) is unlikely to find its way into the wrong hands.

Any site that deals with sensitive data should have always been using HTTPS. Today, every website should use it. It has become such an important protocol in the last few years that web browsers frequently flag sites that aren’t using HTTPS, warning users that it might not be safe if they proceed.

[Image: Website showing “Your connection is not private” HTTPS warning.]

How Do I Know if a Site is Using the HTTPS Protocol?

As you might expect, users want to know whether their data is going to be safe. But how do you know if you have a secure connection?

There are a few things to look for.

  1. Look for a padlock icon, or lock icon, and the word secure next to your web browser address bar.
  2. Check the address bar and look for https://. This shows that the site is secure. If it isn’t, it will only show http://.

How Does HTTPS Work?

HTTPS works by using TLS/SSL encryption protocols.

What are TLS and SSL?

TLS is the protocol used to encrypt all communications and make sure they are secure. TLS stands for Transport Layer Security.

SSL — or Secure Sockets Layer — is simply what TLS used to be known by.

So, how does TLS (formerly SSL) work?

Two different keys are used to encrypt communications between two parties — essentially your browser and the website.

The public key: This allows for communication between two parties. It is available to everyone who wants to interact with the server securely. Anything that is encrypted with the public key can only be decrypted using the private key.

The private key: The website owner controls the private key and only they have access to it. The private key is kept on the web server and is used to decrypt any information that has been encrypted by the public key.

Why is HTTPS Important?

Security and Privacy

The most significant advantage of using HTTPS is that it provides security and peace of mind for users. Visitors to your site are likely to be aware of the increased security and privacy that HTTPS offers. If your site isn’t secure, you will lose visitors.

SEO

Way back in 2014, Google announced that they would make HTTPS a ranking signal. That means that when you have two sites, and all things are equal aside from one being secure and one not, the HTTPS site would appear higher up the SERPs.

Website Performance and Conversions

One of the biggest advantages of using HTTPS over HTTP beyond security is that your site should see a performance boost. If your site performs better, it can lead to happier users and higher conversion rates.

What Happens if a Website Doesn’t Have HTTPS?

If you don’t have HTTPS on your website, it becomes possible for Internet Service Providers to add content to its pages. One of the most common ways this is abused is to inject ads into a website’s content. As this is done without the website owner’s approval, they have no control over the content of those ads and where they lead to.

As you can imagine, this isn’t great and can result in the erosion of trust between the user and the website.

How is HTTPS Different from HTTP?

That’s a good question. In reality, HTTP and HTTPS are not separate protocols. HTTPS simply adds TLS/SSL encryption to the HTTP protocol.

HTTPS occurs when the TLS/SSL certificates confirm to the browser that the provider is who they say they are — that they are verified as safe and secure.

When a visitor requests to connect with a webpage, that page then sends over the SSL certificate. This certificate contains the public key that is necessary to start a secure session. Next, the server and the client enter a process called the SSL/TLS handshake. In reality, all this means is that both computers enter a conversation whereby they communicate back and forth to enable a secure and safe connection.

Here are some of the main differences between HTTP and HTTPS.

Integrity

Every webpage that is sent to a web browser via an HTTPS web server is given a digital signature. This digital signature is then used by the web browser to make sure the webpage has not been tampered with by any third party. This signature also contains a cryptographic hash that the browser can use to calculate whether the web page’s integrity is intact.

Encryption

HTTP was originally designed as a clear text protocol. As such, it can be vulnerable to man-in-the-middle attacks. A man-in-the-middle (MiTM) attack is when a nefarious third-party taps into the communication between two devices in a computer network. Hence the name, “man in the middle.”

HTTPS combats this by using public-key cryptography during the SSL/TLS handshake. This allows the two computers in the conversation to agree on a secret key that only they know, which stops man-in-the-middle attacks.

Authentication

HTTPS also improves the authentication process. This is via the SSL/TLS protocol. Any given website certificate includes what is known as a public key. The browser can see that the sent document has been signed by someone who has access to the private key since the server’s certificate must be signed by a certificate authority to prove that it is safe.

How Does a Website Start Using HTTPS?

Most hosting providers now supply the ability to add TLS/SSL certificates to your site (including DreamHost). Suppose your website hosting provider doesn’t allow you to add a certificate. In that case, you should seriously consider moving to another provider — it’s that important.

This can come at a nominal fee but is well worth the small investment. There are usually two options here. You can have a shared certificate between many customers — this is usually the cheapest option and is fine for most sites and businesses. Another option is to obtain a certificate registered to your particular web property — this is the more expensive option and is not needed for most sites and businesses.

Through a partnership with Let’s Encrypt, DreamHost now offers free SSL/TLS certificates to our customers. Existing users can easily add a free Let’s Encrypt security certificate to their domain by visiting the secure hosting section of their control panel. If you’re not a customer, you can get your free certificate by signing up for one of our hosting plans!

What Are The Risks of Moving to HTTPS?

If you run or own a website, there are some risks involved with moving from HTTP to HTTPS.

Even big corporate sites have had migration issues, leading to problems being found on search engines, resulting in diminishing traffic and sales loss.

No matter its size, or whether you use your site for business or fun, you need to plan ahead.

Before you start the migration from HTTP to HTTPS, you should consider the following.

  1. Once you have purchased your certificate, you need to make sure that it works. You can do that here: SSLLabs.com/ssltest.
  2. You need to make sure you have the tools to gather data before, after, and during an SSL migration. We recommend making sure Google Search Console is enabled, and you have access to crawling software like Sitebulb or Botify.
  3. A thorough redirect plan is needed. You need to ensure that your developers know that you have to place a 301 redirect from every single HTTP URL to its HTTPS equivalent.
  4. There are other SEO considerations that you need to put in place. This includes but is not limited to: making sure your XML sitemap is updated to include only HTTPS URLs and that all of your canonical and hreflang tags are updated.
  5. If you control any external links pointing to your site (maybe from owning several websites), make sure those are updated to the new HTTPS links.
  6. It’s vital that you update any of your internal links as well. All internal links will be pointing to the HTTP version of your site. While you have hopefully mitigated this short-term issue with 301 redirects, you need to update them to ensure search engines don’t have additional hops to find the HTTPS pages.
  7. If you have a disavow file stored on Google Search Console, this needs to be updated too.
  8. Above all, don’t try and migrate to SSL without the help of a developer or somebody who knows what they are doing. You will likely come to regret it if it doesn’t go as planned.
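
Steps 4 and 6 come down to finding every reference in your pages that still names an http:// URL. The scanner below is an added example, not code from the original article; the host example.com, the sample page, the category labels and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}

class HttpRefFinder(HTMLParser):
    """Collect references that still use http:// after the move to HTTPS."""
    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = set(site_hosts)   # hosts that belong to the migrated site
        self.findings = []                  # (kind, line number, url)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name, url in attrs:
            if name not in URL_ATTRS or urlsplit(url or "").scheme != "http":
                continue
            if tag == "link" and (attr_map.get("rel") or "").lower() == "canonical":
                kind = "canonical"
            elif tag == "link" and attr_map.get("hreflang"):
                kind = "hreflang"
            elif tag in ("a", "form"):
                if urlsplit(url).hostname not in self.site_hosts:
                    continue                # outbound link to someone else's site
                kind = "internal-link"
            else:
                kind = "subresource"        # script/img/css fetched over plain HTTP
            self.findings.append((kind, self.getpos()[0], url))

def find_http_refs(html, site_hosts):
    finder = HttpRefFinder(site_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from a real site)
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://example.com/pricing">
<link rel="alternate" hreflang="de" href="http://example.com/de/pricing">
<link rel="stylesheet" href="https://example.com/site.css">
<script src="http://example.com/app.js"></script>
</head><body>
<a href="http://example.com/contact">Contact</a>
<a href="http://other.example.net/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    print(find_http_refs(SAMPLE_HTML, {"example.com"}))
```

Run it over each template or rendered page before launch; an empty result means no canonical tag, hreflang tag, internal link or subresource on that page still points at HTTP.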

While an SSL migration isn’t as complicated as a full site migration with a new URL structure, there are many examples of a poorly implemented SSL migration causing major problems. If you get it wrong the first time, it can take a lot of time and effort to correct.

So what do you need to look for after you have migrated to SSL?

  1. Ensure that the HTTPS version of your site is associated with your Google Analytics account and Google Search Console.
  2. Recrawl the site using the crawling software that you used pre-launch and compare the data.
  3. Use a fetch and render tool to make sure your pages will be rendered correctly by the search engines.
  4. Use a tool like Sistrix or Semrush to make sure that you aren’t losing visibility in Google.
  5. If you’re running paid ads, you need to make sure those ads point towards the new URLs and not the old ones.
  6. Using a tool like Screaming Frog, you should crawl the OLD URLs and ensure that ALL of these have a 301 redirect. Look for 404 pages to find URLs that might not have been updated, and fix them.
  7. Keep an eye on all data for at least a few months to ensure that everything has gone smoothly.
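
The redirect check in step 6 (and the redirect plan from the pre-migration list) can be automated. This is an added example, not from the original article: it classifies the response for each old URL, assuming the HTTPS equivalent keeps the same host, path and query string. The sample responses are constructed, and the verdict labels and function names are illustrative.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_redirect(url, timeout=10):
    """HEAD one URL without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(old_url, status, location):
    """Judge one old HTTP URL against 'every URL 301s to its HTTPS equivalent'."""
    if status == 404:
        return "missing"          # old URL was dropped instead of redirected
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"      # page is still answered over plain HTTP
    old, new = urlsplit(old_url), urlsplit(urljoin(old_url, location))
    if new.scheme != "https":
        return "not-https"        # a relative Location resolves back to http://
    if (old.hostname, old.path or "/", old.query) != (new.hostname, new.path or "/", new.query):
        return "wrong-target"     # e.g. every page sent to the home page
    return "ok" if status == 301 else "not-301"   # 302/307 are temporary redirects

def audit(old_urls, fetch=fetch_redirect):
    """Group old URLs by verdict; fetch is injectable so the check can run offline."""
    report = {}
    for url in old_urls:
        status, location = fetch(url)
        report.setdefault(classify(url, status, location), []).append(url)
    return report

# Constructed sample responses (not real crawl data): old URL -> (status, Location)
SAMPLE = {
    "http://example.com/": (301, "https://example.com/"),
    "http://example.com/blog?page=2": (301, "https://example.com/blog?page=2"),
    "http://example.com/shop": (302, "https://example.com/shop"),
    "http://example.com/about": (301, "https://example.com/"),
    "http://example.com/old-promo": (404, None),
    "http://example.com/contact": (200, None),
    "http://example.com/news": (301, "/news/"),
}

if __name__ == "__main__":
    print(audit(SAMPLE, fetch=SAMPLE.get))
```

For a live check, pass your pre-migration URL list to `audit()` with the default `fetch`; anything outside the "ok" group needs a fix in the redirect rules.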

Ready to Set up Your Security Certificate?

Well, there you go! There’s our quick guide to HTTPS — what it is, how it works, and how to move to SSL.

Be mindful that while it might seem like a simple switch, there are many moving parts, and it isn’t something that you should rush or do on a whim.

That said, if you haven’t switched your site to HTTPS, you need to be doing so soon. You can do this via DreamHost here.
