Yes! The answer is almost always yes. Unfortunately there is still a lot of misinformation about when you should and shouldn’t use HTTPS.
This debate has been going on for quite some time among web developers and security people. It is finally being brought to the attention of the public thanks to an upcoming update to Google Chrome this October, and despite what some may say, this is a very good thing.
“But I’m not running an eCommerce store and I don’t handle card payments so I don’t need one, right?”
Wrong! Encryption doesn’t just protect your customers’ personal and financial details, it protects their browsing full stop. Without it, anyone on the path between their device and your server (someone on the same café Wi-Fi, the ISP, a compromised router) can read every page they request and every form they submit, and can alter the pages on the way back. Any data that travels between your customers’ device and your website should be encrypted.
We won’t get into the technical pros and cons of HTTPS here; there are plenty of articles online that cover the subject in depth if you’re interested. What we will say is that the benefits far outweigh the costs. HTTPS isn’t a silver bullet (it says nothing about whether the site itself is honest or free of bugs), but it goes a long way towards protecting your customers’ browsing data. We are now at the point where you should be asking “why doesn’t this website use HTTPS?”.
Currently, if you visit a non-HTTPS website that contains an ordinary form field (a contact form or a search box, say) using the latest version of Google Chrome (version 61 as of writing), you will see a neutral “i” information icon in the address bar, with no padlock and no warning.
If you visited the same page over HTTPS, you would instead see a green padlock and the word “Secure” in the address bar.
The second example looks better, right? It’s reassuring for the user to see that green “Secure” message. There is an important thing to note here though: just because a website is served over HTTPS, it doesn’t automatically mean it should be trusted.
The same level of caution should always be maintained when filling out forms that request personal or financial details.
The “Secure” label in our example only tells you that a standard domain validated (DV) SSL/TLS certificate is in place, and anyone who controls a domain can obtain one of those in minutes. It does mean your communication with that server is encrypted, and therefore protected against anyone listening in on the connection, but the server itself could still be run by a malicious individual or company. A phishing site can be “Secure” in exactly this sense.
You’ll notice when you visit a bank’s website that you’ll likely see the company’s legal name next to the domain name. This is an Extended Validation (EV) SSL certificate, which is much more difficult to get hold of if you’re not who you say you are: the certificate authority carries out more stringent checks on the applicant and on the company’s registration before issuing it.
An EV certificate gives you more reassurance that the website belongs to the company you expect it to, but caution should still be exercised, because it vouches for the company’s identity, not for its honesty. If something feels a bit ‘off’, go with your gut instinct and avoid parting with personal data.
The ‘Not Secure’ Message
A more clear-cut warning sign that Google introduced earlier this year (in Chrome 56) was a “Not Secure” label for HTTP pages containing password or credit card fields.
These warnings have been in place for some time, but you probably won’t have seen them, as they tend to be seen only by people logging into their CMS (Content Management System) and tend to be ignored. This is still not OK though, because those login details are being sent in the clear. Fast forward to October this year, when Chrome version 62 is due to be released, and you’ll see “Not Secure” next to the information icon on the very same pages shown in the first example, as soon as you start typing into a field.
Not so cool. There’s definitely something off-putting about seeing the words “Not Secure” when browsing a website!
The warning is triggered by typing into ANY input field on an HTTP page, not just password fields. You might think “well that’s fine, because I only have one contact form on a single page”, but it applies equally to search boxes and newsletter sign-up fields, and those generally appear on every page of a large site.
Now you can see why it’s a bit more of a problem. And even if it is only your contact forms, think about what a prospective customer would do if they head over to your contact form and see a message saying “Not Secure” – it’s definitely not encouraging them to part ways with personal details.
We’ve focussed on Google Chrome here only because Chrome is currently the most popular desktop browser. Mozilla Firefox already does something similar (it handles it slightly differently, showing a crossed-out padlock on HTTP login forms), and it’s only a matter of time before other browsers follow suit.
What can you do?
The only way around this is to make sure your website is served over HTTPS by default. Regardless of this Chrome update, we’d recommend that you do this anyway. Not only does HTTPS increase privacy and security for you and your users, it also has an impact on SEO: Google has used whether a website is served over HTTPS as a (lightweight) ranking signal since 2014.
You may already have an SSL certificate but find that your website is accessible over both HTTP and HTTPS. If so, you can redirect all HTTP requests permanently to their HTTPS equivalents and you’re good to go. Two things to check afterwards: that the HTTPS version of the site doesn’t still load scripts, stylesheets or images over plain http:// (Chrome treats that “mixed content” as insecure too and will take the padlock away), and that your internal links and canonical URLs point at https://. You may need to contact your web host about the redirect if you don’t have access to the hosting account or server.
If you don’t currently have an SSL certificate, you’ll need to contact your web host and ask them about HTTPS. There may be a charge for setting up the certificate and making any modifications the website needs. These should be fairly minimal, and thanks to services like Let’s Encrypt there shouldn’t be an annual fee for a domain validated SSL certificate.
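As an added example (not from the original post, and not any particular host’s configuration), here is what the “redirect everything to HTTPS” step looks like on an nginx server. The domain example.com, the document root, and the certificate paths (the default location where Let’s Encrypt’s certbot places them) are assumptions for the illustration; substitute your own.

```nginx
# Plain-HTTP server: its only job is to send every request to the HTTPS version
# of exactly the same URL. A 301 (permanent) redirect lets browsers and search
# engines cache the move. $host keeps whatever hostname the visitor typed;
# $request_uri keeps the path and the query string intact.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    return 301 https://$host$request_uri;
}

# HTTPS server: serves the actual site.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Assumed certificate paths (certbot's defaults for this domain).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # HSTS: tells returning browsers to go straight to HTTPS for a year without
    # trying HTTP first. Start with a short max-age (e.g. 300) until you are sure
    # every page and subdomain works over HTTPS; a long value is hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;   # assumed document root
    index index.html;
}
```

After reloading nginx, check the redirect from the command line with `curl -I "http://example.com/contact?ref=home"`: you should get a `301` with `Location: https://example.com/contact?ref=home`, i.e. the same path and query string, just with the scheme changed. If the `Location` header drops the path or points at a different host, visitors’ bookmarks and search results will land on the wrong page after the move.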
We’re slowly but surely heading towards a “secure by default” future. It’ll be a bumpy ride to begin with but in the end we’ll all be better off for it.
Want to know more about web development, web design or digital marketing? If so, please contact us by heading to our contact form here.