Your Website’s a Safety Hazard, and What You Can Do to Prevent It
Odds are, at least one of the websites you visit every day uses a standard HTTP scheme – http://. That shouldn’t be too surprising. After all, those four letters represent the common gateway to any web address in the world. In fact, your own website is probably an http:// website.
There’s nothing unusual about that. But there is plenty wrong with it. A website that opens with http:// is an unsecured website. And an unsecured website is a dangerous website – for you, and for your visitors.
WHY DOES IT MATTER?
We normally think of secure websites – those that begin with https:// – as the province of banks, insurance companies, accounting firms, stockbrokers, utility companies, and transaction brokers like PayPal. We expect such sites to have increased security, because they’re handling sensitive financial information.
That’s 20th-century thinking. In our data-saturated 21st century, all information has value. It may not matter much to you that you like to visit websites that sell scented candles, but it matters to advertisers and merchants, who are willing to pay for access to customers that they know will be predisposed to buy their products.
That’s all well and good when used for benign purposes, like targeting your love of scented candles with online ads. But third parties can also gain access to this data, which is more troubling. If you access an unsecured website over an open connection, crooks can learn which e-mail client you use, the instant messages you send, even your login credentials. These can all be put to sinister purposes by identity thieves, scam artists, and others. More than one innocent browser has probably run afoul of Nigerian princes when their e-mail address got vacuumed up during an innocent visit to Starbucks. A properly secured website blocks eavesdroppers in their tracks, even over public networks.
It also protects your website and its identity. Even if your visitors come to you over secured networks, if your website is open, hackers can muck around with it. They can steal data, mess around with your website, or even create a false connection to redirect your visitors to a scam version.
Convinced yet? Having a secure website is no longer just a luxury or a security blanket. It’s part and parcel of being a good internet citizen, as important as buckling your seatbelt and driving within the speed limit. Just as wild, unregulated driving became socially irresponsible as the automobile became commonplace, non-secure websites are becoming a public safety hazard. It’s not the ’90s anymore. It’s time to make your website a responsible one.
Even today, there are common myths and misconceptions about secured websites.
The first myth is that they’re expensive to set up. The fact is that the outlay is surprisingly small. All you need is a 2048-bit Transport Layer Security (TLS) certificate, which provides you with that https:// scheme. Contrary to popular belief, these are both easy and amazingly cheap to acquire.
There are three kinds of certificates: single host, multi-host, and wildcard. A single host certificate covers a single domain – www.wikipedia.org, for instance. Such a certificate is usually good enough for many private websites. A multi-host (multi-domain) certificate covers multiple specified domains – www.wikipedia.org, wikipedia.org, and en.wikipedia.org. This is the most sensible option – as long as you know and can specify each domain variation you wish to secure. A wildcard certificate covers any and all prefixes – [anything you can think to type in].wikipedia.org. Look at your website to determine which certificate you need.
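As an added example (not part of the original article), the Python sketch below applies the hostname-matching rule of RFC 6125 to the three certificate types and works out which names to request. The function names are hypothetical. Under that rule a wildcard stands for exactly one label, so `*.wikipedia.org` covers neither `wikipedia.org` nor `a.en.wikipedia.org`.

```python
# Added example: certificate name matching for the three certificate types.
# Function names are hypothetical; hostnames are the ones the article uses.

def name_matches(pattern, hostname):
    """Match one certificate name against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*' stands for exactly one label, never zero or several
    if p[0] == "*":
        # Simplification: demand two fixed labels so '*.org' is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, hostname):
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered(cert_names, hostnames):
    """Hostnames that would raise a browser certificate warning."""
    return [x for x in hostnames if not cert_covers(cert_names, x)]


def plan_certificate(hostnames, dynamic_parent=None):
    """Return (certificate type, names to request).

    dynamic_parent: set when subdomains of that domain cannot be listed
    in advance, the one case that calls for a wildcard.
    """
    hosts = sorted({x.lower().rstrip(".") for x in hostnames})
    if dynamic_parent:
        names = ["*." + dynamic_parent.lower()]
        # The wildcard misses the bare domain and deeper names: add them.
        names += uncovered(names, hosts)
        return "wildcard", names
    return ("single host" if len(hosts) == 1 else "multi-host"), hosts


if __name__ == "__main__":
    site = ["www.wikipedia.org", "wikipedia.org", "en.wikipedia.org"]
    print(plan_certificate(site))
    print(plan_certificate(site, dynamic_parent="wikipedia.org"))
    print(uncovered(["*.wikipedia.org"], site + ["a.en.wikipedia.org"]))
```

Running `uncovered()` against the names on a certificate you already hold is a quick way to find hostnames that will show a browser warning before visitors do.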
Non-commercial and open-source websites can acquire a certificate for free. If you’re making money online, don’t cringe yet – single host and multi-host certificates can be had for $10 and $30, cheaper than a year’s insurance policy, and just as important. Wildcards are more expensive – $100 on average – but, since most businesses will do just fine with a single host or multi-host certificate, this is an option for only the largest and most diverse businesses.
The second myth is that migrating your content between websites is difficult. In fact, it’s getting easier year by year, as internet trendsetters take a larger interest in securing communications across the web. A simple search for “making site moves easier” will direct you to Google’s stockpile of tips and tricks for a seamless transition that avoids hiccups and ensures that your site will still show up in those all-important search queries.
A third common myth is that secured websites are slower. This was indeed the case twelve years ago, but since then, even the most basic factory processors have been optimized to the point where the extra CPU use and lag time are negligible when accessing secured websites.
Another widespread belief is that securing a website will increase its operating costs, as each “handshake” from user to page is verified. Actually, properly integrated TLS allows you to adopt newer protocols such as SPDY and HTTP/2, which streamline the process and actually decrease your operating cost.
It’s not 1995 anymore. Securing your website’s communications doesn’t just make sense – it’s becoming a civic duty. Give your visitors, and yourself, the safety you both expect and deserve, and make the switch now. It’s the right thing to do, and it will save you a lot of headaches in the long term.