Google began rolling out a broad core algorithm update, called the Page Experience Update, on June 16th, 2021. It is intended to provide a better experience to users by prioritizing pages that load fast, stay stable without shifting, and include HTTPS security. While Google has prioritized quick pages since 2010, the 2021 update introduces three new metrics that measure speed, overall page experience, and security through the use of SSL. Google calls these new metrics Core Web Vitals.
Now that we are in the holiday season, it's more important than ever to ensure that your site performs at its best and offers the security needed to handle the massive number of online sales transactions.
Hypertext Transfer Protocol Secure, or HTTPS, is a secure version of the Hypertext Transfer Protocol (HTTP), the protocol by which data is sent between your web browser and a website. The difference between the two is the encryption HTTPS uses to protect sensitive activity such as logging into your bank account, making an online purchase, and opening an email.
Any website should be using HTTPS, especially those that require a login at some point during the visitor's interactions. If you are unsure whether a site you visit is secure, look for a padlock in the URL bar, which tells you it's safe.
When a site uses HTTP and is not secure, Google puts a flag on it, showing that it's not secure. Unfortunately, you likely won't find a site like this until you're pretty deep into search engine results because Google ranks them so low.
Web browsers look carefully at websites and rank HTTPS websites higher in search engine results. One such browser is Google Chrome. In June, Google Chrome upped the ante on its search engine results to rank HTTPS websites even higher than before.
Because Google is moving to use HTTPS as the default method for loading websites, it also assumes that most sites use SSL/TLS certificates, which most sites already do. If you have an SSL/TLS certificate, you won't have much of an issue with your site loading. If not, your site will either return a 404 error or take a long time to load. The primary reasons for Google implementing this change are:
Even though many people use Chrome as their browser, there are other browsers that web users rely on. A few notable ones are Firefox, Microsoft Edge, Safari, and Opera. Unfortunately, these browsers haven't kept up with the security initiative of using HTTPS first. Instead, there are extensions and settings that make them look for HTTPS first. If these aren't enabled, HTTP is still the default, and users may fall victim to insecure websites and have their data compromised. Understanding this is important because not all your traffic comes from Chrome, and it's essential to ensure your SSL/TLS certificate is used to help protect your own and your web visitors' sensitive information.
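Because a visitor's browser may still try HTTP first, the site itself has to push every request onto HTTPS. The sketch below is an added example, not code from the original article: it audits a request chain for that behaviour and goes one step beyond the text by also checking the `Strict-Transport-Security` (HSTS) response header, which tells a browser to use HTTPS on later visits. The host `shop.example`, the sample chains, and the 180-day threshold are assumptions made for illustration.

```python
# Constructed redirect chain (sample data, not a capture) for a visitor whose
# browser still tries http:// first. shop.example is a placeholder host.
GOOD_CHAIN = [
    ("http://shop.example/", 301, {"Location": "https://shop.example/"}),
    ("https://shop.example/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
# Constructed failing case: the site answers over plain HTTP with no redirect.
BAD_CHAIN = [("http://shop.example/", 200, {})]

MIN_HSTS_AGE = 15552000  # 180 days; threshold assumed for this example


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) from an HSTS value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains


def audit_chain(chain):
    """Return findings for one request chain: (url, status, headers) per hop."""
    findings = []
    for (url, status, headers), nxt in zip(chain, chain[1:] + [None]):
        lower = {k.lower(): v for k, v in headers.items()}
        if url.startswith("http://"):
            target = lower.get("location", "")
            redirected = status in (301, 302, 307, 308)
            if not redirected or not target.startswith("https://"):
                findings.append(f"{url}: plain HTTP is not redirected to HTTPS")
        elif nxt is None:  # final HTTPS response: check the HSTS policy
            hsts = lower.get("strict-transport-security")
            max_age, _ = parse_hsts(hsts) if hsts else (None, False)
            if hsts is None:
                findings.append(f"{url}: no Strict-Transport-Security header")
            elif max_age is None or max_age < MIN_HSTS_AGE:
                findings.append(f"{url}: HSTS max-age missing or below {MIN_HSTS_AGE}")
    return findings
```

An empty list from `audit_chain` means every plain-HTTP hop was redirected to HTTPS and the final response carried an HSTS policy of at least the assumed minimum age.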
If you're reading this article, you already run an Ecommerce business or are seriously considering starting one. When it comes to HTTPS and your Ecommerce business, it boils down to sales. GlobalSign conducted a study and found that 84% of users said they would abandon an online purchase if they found or were informed that a site was not secure. Without the security, you could lose up to 48.2% of your customer base, and they'll refuse to make a purchase online.
Now that you understand the importance of encrypting your website data, it's time to review the security of your website. Most things are already taken care of if you have an SSL/TLS certificate, but let's look at how to secure your website and ensure your data and your customers' data are secure.
IP stands for Internet Protocol, a set of rules governing the format of data sent via the Internet. An IP address identifies a device on the Internet or a local network and is transmitted whenever you access either one. When it comes to your website, the server it is hosted on also has an IP address, which it uses to communicate information to your visitor's device. It works much like a telephone. The number you use corresponds with the phone number of the party you're calling and provides a secure line of communication between the two of you.
A dedicated IP address isn't shared with any other websites. Most web host providers offer a dedicated server or a shared server. The dedicated server comes with a dedicated IP address, and a shared server shares that IP address with one or more other websites. When your server shares its IP address with other sites, even with an SSL certificate, you risk hackers accessing your data.
Contrary to popular belief, web hosting does not automatically have an SSL certificate installed. There are three types of SSL certificate: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). Each one has specific security settings and validation methods depending on the level of user trust.
A DV certificate checks against a domain registry to prove site domain ownership. However, it does not offer any identifying information regarding the organization itself. DV certificates are not recommended for commercial purposes because they don't contain this information. While it is the cheapest certificate you can get, it provides no authentication value except for who is behind the website.
With a DV certificate, site visitors can't validate whether the business is legitimate and secure, leaving them vulnerable to online fraud. Therefore, DV certificates should only be used where authentication is not a concern, such as on your company's intranet or other protected internal systems.
An OV certificate requires the certificate authority to confirm that the business or website making the certificate request is registered and legitimate. Then, a website visitor can click the padlock icon, and your business name is listed in the dropdown.
To get an OV certificate, the organization must be authenticated by the Certificate Authority (CA), an entity that issues digital certificates. It certifies the ownership of a public key by allowing others to rely upon signatures or assertions made about the private key that corresponds to the public key. These keys provide certificates for legitimate business information and are the standard certificate needed for a commercial or public-facing website.
EV certificates offer the highest level of authentication by adding validation steps to the certificate. This safeguards your brand and protects your users. Not every site on the web uses EV certificates, but most of the world's leading organizations use them to ensure user trust. Over half of the top 400 Ecommerce sites use EV certificates and have seen that it increases online transactions and improves customer confidence. EV certificates give you the highest level of validation to know where and to whom your encrypted data is sent. They are intended for sites with account logins, front-facing websites, and other sensitive areas on a website. In addition, EV certificates are the most secure because it's challenging to impersonate an EV-enabled website; the websites using them have virtually zero incidents of identity-spoofing attacks.
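The three validation levels show up in the certificate's subject: a DV certificate names only the domain, an OV certificate adds the organization, and an EV certificate adds further registration details. The sketch below is an added example, not code from the original article. It infers the level from those subject fields as a heuristic and reports what a visitor can learn from the padlock. The sample subjects are constructed, `shop.example` and "Example Shop Inc" are placeholders, and the function names are hypothetical.

```python
import socket
import ssl

# Subject attributes an EV certificate carries in addition to the
# organization name (names as Python's ssl module reports them).
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

# Constructed subjects in ssl.getpeercert() format (sample data, not real certs).
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Shop Inc"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Shop Inc"),),
                       (("commonName", "shop.example"),))}


def subject_attrs(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Heuristic: infer DV / OV / EV from the identity fields in the subject."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"  # only control of the domain was validated
    return "EV" if EV_FIELDS.issubset(attrs) else "OV"


def padlock_summary(cert):
    """What a visitor can learn about the site operator from the certificate."""
    attrs = subject_attrs(cert)
    owner = attrs.get("organizationName", "no organization listed")
    return f"{validation_level(cert)}: {attrs.get('commonName', '?')} ({owner})"


def fetch_cert(host, port=443):
    """Fetch a live certificate in the same format (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Passing the result of `fetch_cert` for your own domain to `padlock_summary` shows which of the three levels your installed certificate presents to visitors.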
Whether you use a free SSL or a paid one, you still get the same encryption. However, there are substantial differences in other areas of the certificate. First, a free SSL certificate only authenticates the domain it's issued for, which means when HTTPS is in the address bar, you know you're at the right domain, and it's verified. But that's all it does. You don't know who is running the website or even if they're a real business. Paid SSL certificates offer higher levels of validation that can provide verified details about the domain and the company behind it. This type of SSL is only available from a commercial Certificate Authority. Validating a company takes time and resources that only paid CAs can provide.
In addition, when you pay for an SSL certificate, support is included should you have any issues with the certificate. There are many moving parts involved with an SSL/TLS certificate, and there is a chance that something will go wrong that you can't fix. This is a significant factor for many companies because they don't have the time or resources to monitor their SSL to ensure everything is connected and working correctly.
The installation of your SSL certificate depends on the operating system you use, the server software your site uses, and whether your SSL is paid or free. Most free certificate options have detailed, step-by-step instructions on registering and installing your SSL certificate on your site and server. If you don't feel qualified to do this, a paid SSL has support to do the work for you.
For your website to use the SSL and display that your site is secure, there are a few things you should take care of before you install and put your site up.
Note: HTTPS doesn't always mean that your on-server information and data are secure. It only protects the transfer of data from a visitor's point of access to your website and servers and vice-versa.
Kensium understands that everything you do on the Internet is connected, and data security is a top priority. Our dedicated solutions architects are ready to talk to you about your Ecommerce needs. We provide you with hosting costs already calculated into your quote, and the web host can take care of all your security needs. So contact us today and find out how Kensium helps grow your business and keep your and your customers' information safe and secure.