Google began rolling out a broad core algorithm update on June 16th, 2021. This update is called The Page Experience Update. It is intended to provide a better experience to users by prioritizing pages that provide fast load times, non-shifting stable pages, and include HTTPS security. While Google has prioritized quick pages since 2010, the 2021 update introduces three new metrics that measure speed, overall page experience, and security by using an SSL. Google calls these new metrics Core Web Vitals.
Now that we are in the holiday season, it's more important than ever to ensure that your site performs at its best and offers the security needed to handle the massive number of online sales transactions.
What Is HTTPS?
Hypertext transfer protocol secure, or HTTPS, is a secure version of the Hypertext transfer protocol. It is how data is sent between your web browser and a website. The difference between the two is the encryption used by HTTPS to handle sensitive data like logging into your bank account, making an online purchase, and opening an email.
Any website should be using HTTPS, especially those that require a login at some point during the visitors' interactions. If you are unsure if a site you visit is secure, a padlock in the URL bar tells you it's safe.
When a site uses HTTP and is not secure, Google puts a flag on it, showing that it's not secure. Unfortunately, you likely won't find a site like this until you're pretty deep into search engine results because Google ranks them so low.
Web browsers look carefully at websites and rank HTTPS websites higher in search engine results. One such browser is Google Chrome. In June, Google Chrome upped the ante on its search engine results to rank HTTPS websites even higher than before.
Why Is This Important?
Because Google is moving to use HTTPS as the default method for loading websites, it also assumes that most sites use SSL/TLS certificates, which most sites already do. If you have an SSL/TLS certificate, you won't have much of an issue with your site loading. If not, your site will either return a 404 error or take a long time to load. The primary reasons for Google implementing this change are:
- Google assumes that Chrome users want their data secure: Most people don't type HTTP or HTTPS as part of the web address. Instead, you generally either type example.com or www.example.com when you want to see a specific website. So, Google assumes that every site you go to is secure and uses HTTPS.
- Security is one of Google's top priorities: Google publishes a Transparency Report. In that report, Google states, "We believe that strong encryption is fundamental to the safety and security of all users on the web. Thus, we're working to support encryption in all of our products and services."
- 95% of web traffic already uses HTTPS: The overwhelming majority of web traffic relies on HTTPS; it makes sense to connect to HTTPS first. It's faster to connect with the protocol, most likely to succeed instead of trying HTTP first and waiting for the server.
What About Other Web Browsers?
Even though many people use Chrome as their browser, there are other browsers that web users go through. A few notable ones are Firefox, Microsoft Edge, Safari, and Opera. Unfortunately, these browsers haven't kept up with the security initiative of using HTTPS first. Instead, there are extensions and settings to look for HTTPS first. If these aren't enabled, HTTP is still the default, and users may fall victim to insecure websites and have their data compromised. Understanding this is important because not all your traffic comes from Chrome, and it's essential to ensure your SSL/TLS certificate is used to help protect you and your web visitor's sensitive information.
What This Means for Ecommerce and SEO Ranking
If you're reading this article, you're already an Ecommerce business or seriously considering starting an Ecommerce business. It boils down to sales when it comes to HTTPS and your Ecommerce business. GlobalSign conducted a study and found that 84% of users said they would abandon an online purchase if they found or were informed that a site was not secure. Without the security, you could lose up to 48.2% of your customer base, and they'll refuse to make a purchase online.
How Do I Secure My Website?
Now that you understand the importance of encrypting your website data, it's time to review the security of your website. Most things are already taken care of if you have an SSL/TLS certificate, but let's look at how to secure your website and ensure your data and your customer's data are secure.
Use a Dedicated IP Address
IP stands for Internet Protocol, a set of rules governing the format of data sent via the Internet. An IP address identifies the device on the Internet or local network transmitted whenever you access the Internet or a local network. The server it is hosted on also has an IP address to communicate information to your visitor's device when it comes to your website. It works much like a telephone. The number you use corresponds with the phone number of the party you're calling and provides a secure line of communication between the two of you.
A Dedicated IP address isn't shared with any other websites. Most web host providers offer a dedicated server or shared server. The dedicated server comes with a dedicated IP address, and a shared server shares that IP address with one or more other websites. When your server shares its IP address with other sites, even with an SSL certificate, you risk hackers accessing your data.
Verify Your SSL Certificate
Web hosting does not automatically have an SSL Certificate installed, contrary to popular belief. To have an SSL Certificate, three types are used, Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). Each one has specific security settings and validation methods depending on the level of user trust.
Domain Validated (DV) Certificate
A DV certificate checks against a domain registry to prove site domain ownership. However, they do not offer any identifying information regarding the organization itself. DV certificates are not recommended for commercial purposes because they don't contain this information. While it is the cheapest certificate you can get, it provides no authentication value except for who is behind the website.
With a DV Certificate, site visitors can't validate if the business is legitimate and secure or not, leaving them vulnerable to online fraud. Therefore, DV certificates should only be used where authentication is not a concern, such as on your company's intranet or other protected internal systems.
Organization Validated (OV) Certificate
An OV requires certificate authorities to confirm that your business or website making the certification request is registered and legitimate. Then, a website visitor can click the padlock icon, and your business name is listed in the dropdown.
To get an OV certificate, the organization must be authenticated by the Certificate Authority (CA), an entity that issues digital certificates. It certifies the ownership of a public key by allowing others to rely upon signatures or assertions made about the private key that corresponds to the public key. These keys provide certificates for legitimate business information and are the standard certificate needed for a commercial or public-facing website.
Extended Validation (EV) Certificate
EV certificates offer the highest level of authentication by adding validation steps to the certificate. This safeguards your brand and protects your users. Not every site on the web uses EV certificates, but most of the world's leading organizations use them to ensure user trust. Over half of the top 400 Ecommerce sites use EV certificates and have seen that it increases online transactions and improves customer confidence. EV certificates give you the highest level of validation to know where and to whom your encrypted data is sent—EV certificates for sites with account logins, front-facing websites, and other sensitive areas on a website. In addition, EV certificates are the most secure because it's challenging to impersonate an EV-enabled website, the websites using them have virtually zero incidents of identity-spoofing attacks.
Are SSL/TLS Certificates Free?
Whether you use a free SSL or a paid one, you still get the same encryption. However, there are substantial differences in other areas of the certificate. First, a free SSL certificate only authenticates the domain it's issued for, which means when HTTPS is in the address bar, you know you're at the right domain, and it's verified. But that's all it does. You don't know who is running the website or even if they're a real business. Paid SSL certificates offer higher levels of validation that can provide verified details about the domain and the company behind it. This type of SSL is only available from a commercial Certificate Authority. It takes time and resources to validate a company that only paid CAs can provide.
In addition, when you pay for an SSL certificate, support is included should you have any issues with the certificate. There are many moving parts involved with an SSL/TLS certificate, and there is a chance for something happening that you can't fix. This is a significant factor for many companies because they don't have the time or resources to monitor their SSL to ensure everything is connected correctly and working correctly.
Installing Your Certificate
The installation of your SSL certificate depends on the operating system you use and the server software your site uses, and whether your SSL is paid or free. Most free certificate options have detailed, step-by-step instructions on registering and installing your SSL certificate on your site and server. If you don't feel like you're qualified to do this, a paid SSL has support to do the work for you.
Update Your Site to Use HTTPS
For your website to use the SSL and display that your site is secure, there are a few things you should take care of before you install and put your site up.
- Route to or force HTTPS: Make sure that all traffic goes through encryption by editing the .htaccess file, the root file of your site. Warning: You need to know precisely how to edit this file to avoid costly mistakes. Ensure that if you're a DIYer, you read through the instructions on how to edit this file and ensure that your SSL is installed and working correctly.
- Check for Mixed Content Warnings: These warnings appear when you link resources like images and videos that load through an HTTP link by default. These links can break site functionality and usability. You or your dev team can use SSH-access commands to search your domain and find them so you can either delete or find an HTTPS link to use.
Note: HTTPS doesn't always mean that your on-server information and data are secure. It only protects the transfer of data from a visitor's point of access to your website and servers and vice-versa.
Ready To Safeguard Your Ecommerce Site?
Kensium understands that everything you do on the Internet is connected, and data security is a top priority. Our dedicated solutions architects are ready to talk to you about your Ecommerce needs. We provide you with hosting costs already calculated into your quote, and the web host can take care of all your security needs. So contact us today and find out how Kensium helps grow your business and keep your and your customer's information safe and secure.
Luke M: 4/19/24 3:21 AM
Libby White