If you’re going to collect sensitive information or conduct transactions online, you should plan on changing from http to https on your website.
To discover why, let’s start with some definitions:
Http (or Hyper Text Transfer Protocol) is the method by which data is moved around the Web. You can see just how integral http is to the online world by looking at the beginning of any Web address.
On the plus side, http is fast and reliable. On the minus side, it’s as secure as a diamond at a cat burglar’s convention. There are lots of ways to hack your way into data being transferred via http, and while that’s not a problem for many online data transfers (e.g. watching a video, viewing a website), it is a problem if you need to protect the data that’s being sent.
Https (or Hyper Text Transfer Protocol Secure) is the answer to the data protection issue. Used on sites that feature eCommerce, banking, and even just a login page, https uses an SSL (Secure Sockets Layer) certificate to encrypt data before it is sent in either direction.
An SSL certificate contains both public and private encryption keys that are long strings of alphanumeric characters used to encrypt data in a way that’s very hard to crack, making it ideal for protecting sensitive data.
The Process of Changing From Http to Https
On the surface, changing from http to https is pretty straightforward:
- Purchase an SSL certificate,
- Install your SSL certificate on your website’s hosting account,
- Make sure that any website links are changed from http to https so they are not broken after you flip the https switch, and
- Set up 301 redirects from HTTP to HTTPS so that search engines are notified that your site’s addresses have changed and so that anyone who has bookmarked a page on your site is automatically redirected to the https address after you flip the switch.
It’s just that easy. However, thanks to the overwhelming number of options offered by SSL certificate vendors and packages offered by hosting companies, this straightforward process can become very confusing.
The situation is not helped by the fact that moving your site from http to https requires dealing with more tech than most small business folks would prefer.
That’s why we’re going to dive into the four steps above only as deeply as necessary to make the business decisions that need to be made and to understand the technical details on a basic level.
Why not go deeper on the technical end? For one good reason that will make the entire process of changing from http to https easier:
Your Hosting Company Can Manage Most of the Process for You
If you already have the technical experience required to change your site from http to https, then by all means, manage the entire process end-to-end.
Many small business folks, however, do not have experience with the technical side of this process. As you’ll soon see, there’s enough of a learning curve on the business end.
As a small business owner, you do need to be involved in making the business decisions. However, you may be better off having someone who knows what they’re doing — someone you can trust — handle the technology side. One option might be your website hosting company.
Many hosting companies offer packages including an SSL certificate, the installation of the certificate you select and 301 redirect setup. That leaves you with only one technical task, the straightforward job of changing your website’s links to point at https instead of http.
It may cost you a bit more to purchase a package. However, the amount of time you’ll save, and frustration you’ll avoid, by handing over the technical end of the process to your hosting company will more than make up for the expense.
Below is an example of one hosting company’s https + SSL certificate offerings (SiteGround). Here are a couple of things to note:
- You should always contact your web hosting company to make sure you understand exactly what’s included. For example, though it’s not listed, a quick online chat with SiteGround confirmed that setting up the 301 redirects was included in all three packages.
- As you can see, you can either use an SSL certificate provided by the hosting company or you can use a certificate purchased from a separate vendor. This changes the pricing of each package a bit (as indicated by the “Other Provider’s Price” row). This will make more sense in a bit.
As explained earlier, even with someone handling the technical side, you still need to make the business decisions and understand, at least on a basic level, what’s involved technically. That’s the topic of the rest of this post.
Ready to get started? Let’s get to it!
Purchase an SSL Certificate
There are two ways to purchase an SSL certificate:
- From your hosting company, or
- From an SSL certificate vendor.
While it’s easier to just buy the certificate from your hosting company (especially if it’s part of a specially-priced package), sometimes they don’t offer the type of certificate you require.
Yes, there are many types of SSL certificates and you should select one based on your business needs. Below, the different types of SSL certificates are grouped by validation level (important for marketing) and then by the level of coverage. You should select a certificate that meets your goals in both areas as closely as possible.
SSL Certificates by Validation Level
When you move your site to https, that change is reflected in your browser for your website visitors to see. There are three levels of validation, each providing more assurance to your potential customers than the one before. That’s why the validation level you select is also a marketing decision.
All three levels cause a closed lock to appear in a browser’s address bar, an indication that the connection with your site is secure. Beyond that, there are differences in both the information displayed when viewing the certificate in a browser and, at the highest level of validation, in the browser’s address bar as well. You can see these differences within the images included in the descriptions of each validation level below.
Time and money are two more factors to consider when selecting your certificate’s validation level: the higher the validation, the more work and the longer it takes to receive your certificate. That’s because each step up offers more validation of the domain’s owner (i.e. your business) than the step before. It also requires more paperwork on your end and more review on the issuer’s end. In addition, the higher the validation level, the more the SSL certificate will cost.
IMPORTANT NOTE: the amount of actual data security provided is the same for all three levels of validation — the additional validation is more of a customer trust builder than anything else.
The three levels of SSL certificate validation are:
- Domain Validation — The basic level of validation, domain validated SSL certificates will cause a Web browser to display a closed lock image next to the website address demonstrating that the site is secure. As shown below, when you view the details of this type of certificate within a browser, the “Subject Name” section displays the most basic information. It tells a prospective customer that, yes, this domain is secure. But it does not mention which company secured the domain. And that lack of a company name can be a trust issue with potential customers. For example, it can lead to situations where someone can set up a fraudulent domain (e.g. “robowhos.com” instead of “robowhois.com”) and nab sensitive data from those who are taken in by the ruse.
- Organization Validation (a.k.a. Company Validation) – When you obtain an SSL certificate with this second level of validation, the issuer is confirming the fact that the company requesting the certificate does indeed own the rights to the domain for which the certificate is being issued. As you can see below, when you view this type of certificate in a browser, the “Subject Name” section displays more details — including the company name. This extra level of detail provides assurance to potential customers that the site is legitimate and safe to do business with.
- Extended Validation — Extended SSL certificates provide the highest level of assurance that a site is legitimate and trustworthy to do business with. As you can see below, not only is there more information in the “Subject Name” section, the company’s name is also shown directly in the browser’s address bar. (In fact, in some browsers, the entire address bar turns green when the site is viewed.) An extended SSL certificate proclaims that the company owns the rights to this domain and meets the rigid review standards necessary to receive this level of validation. Now that’s good marketing!
SSL Certificates by Coverage Level
Another way to group SSL certificates is by the level of coverage they support. The three levels of SSL certificate coverage are:
- Single Domain SSL Certificates — This type of SSL certificate will cover one domain and one domain only. For example, you can use a single domain SSL certificate to secure mysmallbusiness.com but not support.mysmallbusiness.com.
- Wildcard Domain SSL Certificates — This type of SSL certificate will cover one domain and all the subdomains underneath that domain. For example, you can use a wildcard domain SSL certificate to secure mysmallbusiness.com and support.mysmallbusiness.com and any other subdomain.
- Multi Domain SSL Certificates — This type of SSL certificate can be used to cover multiple domains. For example, you can use a multi-domain SSL certificate to secure both mysmallbusiness.com and any other domain, say myothersmallbusiness.com.
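To see how the three coverage levels play out against real hostnames, here is an added example (not part of the original post) that applies the name-matching rule browsers use for certificates. The name lists and the extra host dev.support.mysmallbusiness.com are constructed for illustration.

```python
# Added example: hostname coverage for the three certificate types.
# The name lists are constructed; a real certificate carries them in its
# Subject Alternative Name field.

def name_matches(pattern, hostname):
    """Return True if one certificate name covers the hostname.

    A wildcard counts only as the entire left-most label and stands for
    exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # "*.com" style patterns are rejected; compare the remaining labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covered(cert_names, hostname):
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

CERTS = {  # constructed name lists
    "single domain": ["mysmallbusiness.com"],
    "wildcard": ["*.mysmallbusiness.com", "mysmallbusiness.com"],
    "multi domain": ["mysmallbusiness.com", "myothersmallbusiness.com"],
}
HOSTS = [  # constructed hostnames to test
    "mysmallbusiness.com",
    "support.mysmallbusiness.com",
    "dev.support.mysmallbusiness.com",
    "myothersmallbusiness.com",
]

def coverage_report():
    """Map each certificate type to the hosts it can secure."""
    return {kind: [h for h in HOSTS if covered(names, h)]
            for kind, names in CERTS.items()}

if __name__ == "__main__":
    for kind, hosts in coverage_report().items():
        print(f"{kind:14} -> {hosts}")
```

The wildcard name does not reach dev.support.mysmallbusiness.com, and the bare domain is covered only because it is listed alongside the wildcard, so check the full name list before you buy.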
Installing Your SSL Certificate
Installing your SSL certificate on your website entails generating both public and private encryption keys and entering them in the correct spot on your Web hosting control panel.
If you’re not sure how to do these steps, you have two options:
- Allow your hosting provider to do it for you.
- Search your hosting provider’s support section for step-by-step instructions. If you can’t find any, just pick up the phone and call their support line.
Search Engine Optimization? Yes, Search Engine Optimization
Back in the summer of 2014, Google announced that it was making a small change in its algorithm to boost sites that use https. The search engine also intimated that the importance of https in search rank might grow slowly over time.
While businesses with https haven’t seen huge search rank increases over at Google, it’s never wise to ignore the search giant. What does this mean as you’re changing from http to https?
Instead of using https on only sensitive parts of your site, you may just want to go ahead and use https for your entire site. This does not affect accessibility or performance in any way and it’s a great way to hedge your bets against future Google algorithm changes.
Changing Your Website’s Links
Changing the text “http” to “https” in all of your links that point to other parts of your own site is likely the one technical task you’ll need to do yourself.
If you haven’t been using relative links (partial links using only part of a page’s entire url like “/2015/03/update-wordpress.html”) you’ll need to review all of your site’s content to find links that point to other parts of your own site. Take advantage of this opportunity to switch to relative links instead of just replacing “http” with “https”.
If you’re using a content management system such as WordPress, make sure to change the permalinks to use https.
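One way to do the link cleanup described above, as an added example that is not part of the original post: it turns absolute links to your own site into relative links and lists any remaining http:// references to other hosts, which a browser may block or flag once the page is served over https. The hostnames and the sample HTML are constructed.

```python
# Added example: convert internal absolute links to relative links and
# report http:// references that would remain after the switch.
import re
from urllib.parse import urlsplit

# Assumed hostnames of your own site (constructed for illustration).
SITE_HOSTS = {"mysmallbusiness.com", "www.mysmallbusiness.com"}

# href/src attributes whose value is an absolute http:// or https:// URL.
ATTR = re.compile(
    r'''(?P<attr>\b(?:href|src)\s*=\s*)(?P<q>["'])(?P<url>https?://[^"']+)(?P=q)''',
    re.IGNORECASE,
)

def relativize(html):
    """Return (new_html, leftovers).

    Internal absolute links become relative; http:// references to other
    hosts are left untouched and collected for manual review.
    """
    leftovers = []

    def fix(m):
        parts = urlsplit(m.group("url"))
        if parts.netloc.lower() in SITE_HOSTS:
            rel = parts.path or "/"
            if parts.query:
                rel += "?" + parts.query
            if parts.fragment:
                rel += "#" + parts.fragment
            return f'{m.group("attr")}{m.group("q")}{rel}{m.group("q")}'
        if parts.scheme.lower() == "http":
            leftovers.append(m.group("url"))
        return m.group(0)

    return ATTR.sub(fix, html), leftovers

# Constructed sample page fragment.
SAMPLE = '''<a href="http://mysmallbusiness.com/2015/03/update-wordpress.html">Post</a>
<img src="http://www.mysmallbusiness.com/img/logo.png?v=2">
<a href="/contact">Contact</a>
<script src="http://cdn.example.net/widget.js"></script>
<a href="https://partner.example.org/">Partner</a>'''

if __name__ == "__main__":
    new_html, leftovers = relativize(SAMPLE)
    print(new_html)
    print("Still loaded over http:", leftovers)
```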
Setting Up 301 Redirects
As mentioned above, 301 redirects both alert search engines that your site’s addresses have changed and redirect anyone who has bookmarked a page on your site automatically to the new https address.
It’s likely that your hosting company will make this change for you (don’t forget to ask if it’s part of their package), but if you want to do it on your own, you need to edit the .htaccess file in your root folder by adding:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
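Once the rule is in place, you can check that old addresses behave as intended. The following is an added example, not part of the original post: it classifies the response to an http:// request against what the rule above should produce (a 301 to the same host, path and query over https). The URLs and sample responses are constructed; fetch() is for use against your own site.

```python
# Added example: verify that an http:// URL is permanently redirected to
# its exact https:// equivalent.
import http.client
from urllib.parse import urlsplit, urlunsplit

def judge_redirect(requested, status, location):
    """Classify one response to a request for an http:// URL."""
    parts = urlsplit(requested)
    want = urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"      # page is still served over http
    if not location.lower().startswith("https://"):
        return "still-http"       # redirect does not reach https
    if status != 301:
        return "not-permanent"    # search engines keep the old address
    if location != want:
        return "path-changed"     # bookmarks land on the wrong page
    return "ok"

def fetch(url):
    """Send one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.netloc, timeout=10)
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

OLD = "http://mysmallbusiness.com/2015/03/update-wordpress.html"  # constructed
SAMPLES = [  # constructed (status, Location) pairs
    (301, "https://mysmallbusiness.com/2015/03/update-wordpress.html"),
    (302, "https://mysmallbusiness.com/2015/03/update-wordpress.html"),
    (301, "https://mysmallbusiness.com/"),
    (200, None),
]

def judge_samples():
    """Verdicts for the constructed responses above."""
    return [judge_redirect(OLD, status, loc) for status, loc in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, judge_samples()):
        print(sample, "->", verdict)
```

To test a live page, pass the result of fetch() into judge_redirect(), for example `judge_redirect(url, *fetch(url))`.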
Conclusion
If there’s one guarantee about changing from http to https, it’s that you’re going to be confused at some point during the process.
If you can avoid most of the tech work and focus on the business decisions you need to make, you will reap benefits. Those benefits include greater customer trust, super-tight data security and even a slight chance that Google will rank your site more highly.