HTTPS Everywhere: 5 Steps to Securing Your Entire Ecommerce Website

In the digital age, security takes on a whole new meaning. We’ve all seen dramatized images of hackers targeting huge corporations, but a breach in security can easily go unnoticed for those still using HTTP. Those who watched the recent webinar with Google know that retailers need to adopt HTTPS everywhere (not just their checkout) to ensure a more secure web experience.


HTTPS means three things: authentication, encryption, and data integrity. Without HTTPS, third parties can inject content into your website without your knowledge, putting your brand image (and your customers) at risk. Worse, you are vulnerable to malware, putting servers at risk.

The adoption of HTTPS has risen from 55% in March 2014 to 79% in March 2016, but Google would like to see a near 100% adoption rate as soon as possible. And the motivation isn’t strictly security – HTTP platforms will see features like camera, geolocation, progressive web apps, Autofill, web push notifications, caching, and physical web phased out over time. In short, HTTP is on a deprecation path and securing just your checkout won’t cut it. Your entire ecommerce website needs to be secure to meet customer expectations through app-like mobile web experiences.

Next Steps

HTTPS makes the web more secure, and allows for more innovative web experiences, but migrating to HTTPS will require planning. So what are the next steps?

  • Plan your upgrade. Determine which first- and third-party resources rely on HTTP and which are available over HTTPS. Talk to your CDN and ad network about HTTPS support and pricing.
  • Prototype – deploy HTTPS in tandem with HTTP. Obtain certificates for your sites and deploy them to your web servers. Enable HTTPS on your web server and update site content to use protocol-relative URIs. If appropriate, enable Referrer Policy.
  • Test your site. Verify site functionality, then eliminate active and passive mixed content, where HTTPS pages pull in HTTP resources, as well as latent mixed content, where HTTPS pages link to HTTP URLs.
  • Optimize performance. Enable HTTP/2 to reduce server load and page load time, as well as Brotli compression for static assets (like images) to reduce transfer size. Prioritize high-performance cipher suites on HTTPS front-ends and enable OCSP stapling and Session Tickets.
  • Go HTTPS only. Update your non-secure site to permanently redirect to the HTTPS site, and update canonical references in Google Webmaster Tools. Consider enabling HSTS to automatically ensure secure connections. Update email templates and companion apps to link to HTTPS directly.
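
For the "Test your site" step, the sketch below (an added example, not part of the original article or any Google tool) scans one page's HTML and sorts its `http://` references into active, passive and latent mixed content. The tag groupings, the `scan` and `classify` names and the sample page with its example.com hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource. Active content can change
# the whole page; passive content only affects its own display area.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

def classify(tag, name, attrs):
    if (tag, name) in ACTIVE:
        return "active"
    if (tag, name) == ("link", "href"):
        # Only stylesheets are loaded; rel=canonical and similar are metadata.
        return "active" if "stylesheet" in attrs.get("rel", "").lower().split() else None
    if (tag, name) in PASSIVE:
        return "passive"
    return "latent" if (tag, name) == ("a", "href") else None

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = {"active": [], "passive": [], "latent": []}

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        for name, value in attrs.items():
            kind = classify(tag, name, attrs)
            # Protocol-relative (//host/path) and https:// URLs are not flagged.
            if kind and value.lower().startswith("http://"):
                self.findings[kind].append((tag, value))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the example.com hosts are placeholders.
SAMPLE = """<head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://shop.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://ads.example.com/tag.js"></script>
</head><body>
<img src="http://img.example.com/hero.jpg">
<img src="//img.example.com/logo.png">
<a href="http://shop.example.com/cart">Cart</a>
</body>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

It only sees references present in the static markup; resources requested from scripts or CSS at runtime still need to be checked in the browser.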

Migration Concerns

Google is doing its best to address the concerns around migration. It has made developer tools like the moarTLS Analyzer available on Chrome. You can also validate your HTTPS configuration with an SSL Server Test. As far as cost goes, there are free certificates available, and performance is better than on sites using HTTP. Undoubtedly the investment in HTTPS will pay off.

Still not convinced? Watch the HTTPS Everywhere webinar to learn how securing your entire website can enable first-class digital experiences for your customers.

