The great HTTP to HTTPS migration

September 10, 2017

Author: Cris Noble

Author: Cris Noble

https-3624934

HTTPS stands for Hyper Text Transfer Protocol Secure, and historically has been a technology used for websites where users expect encryption, privacy, or both. Banks, ecommerce, webmail, nearly any site that had a login have all been using HTTPS for years. Changes are coming however, and more sites will be using HTTPS in the coming months.

A few things are driving this change. The biggest push is coming from the fact that starting in October 2017 Google’s popuplar Chrome browser will begin labeling sites as insecure if they contain any form fields and do not use HTTPS. Chrome has also stated that their longterm plan is to mark every single site not using HTTPS as insecure. At the same time, the past few years have seen a proliferation of tools and services that make migrating to HTTPS both free and easy.

It is easy to idenitify sites which use HTTPS and those that are still using its uncrypted sibling, HTTP, by looking at the beginning of the browser bar.

http-8857155
https-9330607

Starting in October, Chrome will start showing the “Not Secure” warning for sites with form inputs.

badhttp-3497795

How to implement HTTPS?

The answer is going to depend on where your site is currently being hosted and what type of website you are running. Most fully-hosted solutions such as weebly, squarespace, and wordpress.com should come preconfigured or have options to use HTTPS. If you are running your own hosting it is going to be a bit more involved.

Editors note: HTTPS is the secure protocol and can be seen from the address bar, an SSL certificate is a file that is served from your server to the browser to verify the security and provide an encryption key. Configuration of SSL certificates need to be configured to enable HTTPS.

We have found varying degrees of ease-of-migration with different basic, shared hosting providers. Our previous host, bluehost.com, has a terrible interface for setting up SSL certificates and in the end the certificates they issue for free still seem to trigger warnings in Chrome. On the other end of the usability spectrum, our favorite simple hosting solution, dreamhost.com, has a one-click SSL certificate enablement button which provides a free and powerful certificate from the amazing Let’s Encrypt project. No matter which host you use there should always be a way to enable SSL for your domain. Sometimes it may cost a few dollars a month, and sometimes they will try to force you to upgrade your service. In those cases, you should just pack up and move your business to Dreamhost — we seriously can’t say enough good things about them.

dreamhostssl-8409300

Press this button in the dreamhost domain management area and you will be on your way to HTTPS bliss.

When it comes to dedicated wordpress hosting, our two favorite solutions, wpengine.com and cloudways.com both offer free SSL certificates for the domains you are hosting on their sites.

If you have a very simple static site, our reccomended path to achieving HTTPS is to follow the instructions over at CSS tricks to host your files using github pages, and to route your traffic through cloudflare for fast, secure and 100% free hosting. In fact, that is how we are hosting nobleintentstudio.com right now.

Next Steps

After you complete the settings to turn on HTTPS for your site you can test it by manually typing in “https” in front of your domain. If your browser shows a nice green lock then you are on the right path, but you’re not done yet.

If you are using WordPress, the next thing you need to do is to edit your site settings in the wp-admin area so that your domain and url are listed with the https:// in front of them.

wordpress-3349189

Don’t forget to update your WordPress settings

If you are using Google Analytics, you need to edit your property settings to be working for HTTPS rather than HTTP.

If you are using Google Search Console, you need to add the HTTPS version of your website as a new property.

Make sure you also set up a wildcard redirect so that all traffic from http:// gets automatically forwarded to https:// — this happens automatically if you are using WordPress.

Additional Benefits

This seems like a lot of work, and if you’re not running a bank, you may think the benefits of encryption are not worth the time to make the transition. Despite the fact that Google is going to force you move, you can rest easy knowing there are a few additional benefits that come with HTTPS.

The encryption means that internet providers cannot inspect and change your website as they serve it to visitors. They have been known to do this for both nefarious purposes and to inject their own ads into your pages without your knowledge. It also sends a signal of trust to your users who are becoming more and more used to seeing the green lock of safety. Google has also used HTTPS as one of the many factors that influence your search result rankings.

Given all these factors, we think there will be a time in the not-too-distant future where we’ll think of not configuring HTTPS as a web development faux pas similar to how we think of not enabling mobile responsiveness would be today.

Reach out to us with any questions, and especially if you need any assitance migrating your site to HTTPS, we can help you.

email-3947056

The email that finally pushed nobleintentstudio.com to use HTTPS.