Astute visitors to the Brain Bytes website may have noticed that it’s secured using HTTPS. Yet our site doesn’t take credit cards, there is no client login option, and we don’t ask visitors for sensitive information. So why did we secure the site?

Screenshot of a web address. "https" is highlighted with a red rectangle.

Reason 1: HTTPS is faster than HTTP

There is a common misconception that sites secured with an SSL certificate are slower than those that aren’t. This was once true (though negligible in most cases); however, the new HTTP/2 protocol requires SSL. HTTP/2 is a low-level update to HTTP that focuses on speed, and only sites secured with an SSL certificate can take advantage of its performance improvements.

Reason 2: It’s good for SEO

Website performance is a known search ranking factor in Google, Bing, and other search engines, and since October 2014 Google has also used HTTPS as a ranking signal. Though HTTPS is a “lightweight” signal, when it is combined with site speed improvements we’ve seen positive results in our clients’ overall organic search volume.

Reason 3: It’s future proof

Not Secure Warning in Google Chrome

Starting January 2017, Google will begin rolling out new measures in Chrome that will more clearly indicate that a site is insecure. Initially these changes will focus on sites with password and credit card inputs, but eventually Google Chrome will label all HTTP pages as non-secure. Mozilla, the maker of Firefox, made a similar announcement back in April 2015 that it would be very slowly deprecating support for HTTP.

How do I secure my website?

Here are the high-level steps to moving your website from HTTP to HTTPS:

  1. Generate a CSR and request an SSL certificate. You can get a free SSL certificate from Let’s Encrypt.
  2. Update your website to use relative and protocol-relative URLs wherever possible.
  3. Install the SSL certificate and browse the HTTPS website using Google Chrome with verbose warnings enabled (navigate to chrome://flags/#mark-non-secure-as and select “Display a verbose state when password or credit card fields are detected on an HTTP page” from the drop-down, then click “Relaunch Chrome”). If you see warnings, be sure to fix all occurrences before moving on to the next step.
  4. Finally, 301-redirect all “http” URLs on your website to “https”.
  5. Monitor your analytics and Search Console accounts closely for at least one week. React quickly to unexpected data and messages to avoid impacting your visitors and organic search rank.
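
For steps 2 and 3, a script can list the hard-coded "http://" subresources that will trigger warnings once the page is served over HTTPS. The following is an added example, not part of the original article; the sample page and the example.com, example.net and example.org hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE = {"script", "iframe", "link"}           # browsers block these over http://
PASSIVE = {"img", "audio", "video", "source"}   # these load, but with a warning

# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://www.example.com/img/banner.jpg?v=2">
<a href="http://partner.example.org/">Partner</a>
<script src="//cdn.example.net/other.js"></script>
</body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, kind, original URL, suggested URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in ACTIVE | PASSIVE:
            return  # <a href> links are navigation, not mixed content
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" is never fetched as a subresource
        url = (attrs.get("href" if tag == "link" else "src") or "").strip()
        parts = urlsplit(url)
        if parts.scheme != "http":
            return  # relative, protocol-relative and https URLs are fine
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        if parts.hostname == self.site_host:
            fix = path                        # same site: relative URL
        else:
            fix = "//" + parts.netloc + path  # third party (must serve HTTPS)
        kind = "active" if tag in ACTIVE else "passive"
        self.findings.append((self.getpos()[0], tag, kind, url, fix))

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for line, tag, kind, url, fix in scan(SAMPLE_PAGE, "www.example.com"):
        print(f"line {line}: <{tag}> {kind} mixed content: {url} -> {fix}")
```

Run it against each template or rendered page before enabling the redirect in step 4; an empty result means no hard-coded "http://" subresources were found in that markup.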