This article shows HTTP vs HTTPS head-to-head and gives you the reasons why the HTTPS protocol is the better one to use. I plan to show you the benefits of HTTPS and an SSL certificate. There will be links to where you can get one for free and how to install it with ease. You will also see the main trouble with switching from HTTP to HTTPS on an existing site.
If Google itself isn't a good enough reason for switching to HTTPS and installing an SSL certificate, then maybe your visitors are. Later on, you will find out that the HTTPS protocol can also help with the speed of your website. HTTPS is not only intended to secure; it can also help you in many other ways. That's why you should secure your connection with your visitors and get a little bonus from Google for doing so. Yes, it can give you a little boost in ranking.
It's especially important since 1 January 2017, when Google started to inspect which protocol you are using and to show warnings to people about insecure connections if you don't use the HTTPS protocol, starting with e-commerce sites and later all other sites as well.
HTTP vs HTTPS: Do You Need It?
Not so long ago, mostly e-commerce sites were using it. Recently, since Google announced that it will check all websites for SSL certificates, there's been a bit more buzz about it. The e-commerce sites were using the HTTPS protocol (an SSL certificate) because they were accepting payments. By using the HTTPS protocol they were securing the data sent from the buyer to the merchant. This means no one can steal the credit card credentials and abuse the credit card.
If we look at this situation from a different perspective, this means that all other websites that were using the HTTP protocol had an unsecured connection. You could be exposing your information to anyone on the internet. Not necessarily, but if someone wanted to, they could intercept the data and even manipulate it.
That's why I would recommend switching to HTTPS and getting an SSL certificate (I already did). If you have an e-commerce site, you should buy the SSL certificate and switch to the HTTPS protocol. Even if you own a site that represents your Business and has a blog on it, you should still get at least a free version of an SSL certificate and protect the connection. This way you will also be more trustworthy in the eyes of your visitors and potential clients.
I am probably going to repeat myself with this, but my recommendation is that you do need it. Later in the article, you will see where you can get a free version of the certificate and where you can buy one for your Business. However, do it with care, and if you have a large website, go slow.
Now let's move forward and see what the difference between them is and how it works.
Http vs Https: Difference Between HTTP and HTTPS
The HTTP protocol, or Hypertext Transfer Protocol, is a structure agreed on by the early internet administrators to send and receive data. It's most often used for retrieving HTML websites. HTTP itself is stateless. This means it uses less data, as it forgets the previous sessions. The only problem with HTTP is that once everyone knew how to send data through HTTP, it wasn't hard to intercept messages. That's what led to the introduction of SSL certificates. This is also the reason the HTTPS protocol secures the connection between your visitor and your website (server).
I have to point out that having an HTTPS connection doesn't prevent your site from being attacked by hackers. For that, we have to use a different type of protection.
How Does the HTTPS Protect the Connection to Your Visitor
Well, the main difference between HTTP and HTTPS is the SSL certificate. The certificate enables encryption of the connection between two computers. When we encrypt the connection, we secure it. Or let's rather say, we protect the data transferred between two computers from being seen by a third party. The third party can still intercept the data; however, without the code agreed by both computers, they can't do anything with it, as only the visitor's computer and your server have the key for reading the data. The two computers agree on this key for every single session. This encrypts the connection to and from the website before sending data through the internet.
To put it more simply: at first, the internet was established for transferring research data between the government and the university labs. It wasn't designed to do all the things that we do today. The planned scope was smaller.
However, as the internet grew, websites emerged and e-commerce went mainstream, the need for a secure connection emerged as well. I mean, can you imagine using your bank account without a secure connection, with all your data visible to anyone on the internet? I can't either. We don't have a cable from our bank's data center to our computer; that's why we could be at risk.
This is where the HTTPS and SSL certificates have come in and done the job of securing the connections between our computer and the remote computer.
Let's go a bit deeper by looking at the important parts that enable the secure connection between two computers.
HTTP vs HTTPS Security: The encryption is done like this
1. The visitor's browser connects to your website (server), which has the SSL certificate installed and the HTTPS protocol enabled. The browser then requests the server to identify itself (authentication).
2. The website sends back the SSL certificate with the Public key included. The browser sends the Public Key to anyone that requests it.
3. Then the browser checks the certificate through various CAs, to see that the certificate is not expired or revoked. After that, it checks that the common name is valid for the website that it is connecting to. If everything checks out, the browser trusts the website's certificate. This means that the browser creates, encrypts and sends back a symmetric key, using the website's (server's) public key.
4. The website (server) receives the symmetric key for the session and decrypts it with the private key. To let the browser know about the start of the encrypted session, it sends back an acknowledgment encrypted with the session key.
5. The server (website) and the browser (visitor) have now agreed on a unique session key. All the data exchanged between them are now encrypted and secure.
In the text above you could see how it’s done. The encryption is done by asymmetric and symmetric encryption.
Asymmetric encryption - Public and private key pair
In asymmetric encryption, a public key and the corresponding private key encrypt the connection. The public key is visible to everyone and anyone is allowed to use it. This means that anyone can encrypt the data sent over a connection.
Decryption can only be done with the private key. As the private key is a secret, the only user that can see the message is the user that the message is for.
Asymmetric keys are 1024 or 2048 bits. The keys could be larger, but this wouldn't make sense, and larger keys are rarely used. The average computer in use today would need 14 billion years to break a 2048-bit certificate.
Now let’s look at the thing, which makes all this fast and usable. If we only use the asymmetric encryption, for sending and receiving data, we could still be in danger.
Symmetric encryption - Unique session key
Symmetric encryption uses one key to both encrypt and decrypt the data sent over a connection. These keys are usually 128 or 256 bits long.
The key size depends on what the server and the user's browser are able to handle. SSL certificates don't pre-decide which one to use.
The symmetric key in SSL encryption is different for every session, even if it comes from the same browser. This is how asymmetric and symmetric encryption together secure the connection.
The HTTP vs HTTPS and Ranking Improvement
Google announced in August 2014 that the HTTPS protocol would be a ranking signal. At first, this was a small signal that didn't have much effect on the ranking of your website. You can see in the image below (image from MOZ.com) that the percentage of pages on the first page of Google search that had the HTTPS protocol enabled was small: only about 7 % in June 2014. Not much changed after the announcement (August). The percentage was still small, about 8 %.
However, by mid-2015 the percentage was at 20 %, and in June 2016, 32.5 % of first page results on Google search had the HTTPS protocol enabled.
You could say that the percentage is low and you don't need it. However, the percentage is high if you consider that Google isn't willing to sacrifice quality content to boost the rankings of pages that have implemented SSL certificates and switched to HTTPS but don't have quality content on them.
Also, a good indicator that HTTPS, together with quality content, can slightly improve your rankings is the research done by Brian Dean (article). He analyzed over 1 million sites and has confirmed that having the HTTPS protocol implemented can improve your rankings on Google. He also stated the signal is reasonably strong with rankings.
Add to that the fact that Google has stated it will focus on making the web a more secure place, and more and more value will be given to HTTPS. There's no doubt about it.
HTTP vs HTTPS: Free vs Paid SSL certificate
Here we are, and you are deciding what to do. Do you buy the SSL certificate, or should you use some type of free version of it?
It depends on what type of website you have. If you are not on a budget, buy it, no matter what type of website you have. That's my suggestion.
I do realize that not everyone can do that. That's why I mentioned above that this depends on what type of website you own. If you have a website that's a small blog or that just represents your Business, a free SSL certificate would be enough.
I will show you the ones that are doing the job a bit later in the article (it won’t be too long :)).
Now that we understand what free ones should be used for, let's see when you should buy a premium SSL certificate.
If you sell stuff on your website and have an e-commerce site where people are entering their Credit Card credentials, I would highly recommend you buy yourself a premium SSL certificate. That being said, I would not just recommend it. I would insist you do yourself a favor, go through a certification process and have rock-solid security. This means the purchases made on your site are safe and secure, so no one can steal the credit card credentials and steal money from your clients.
Free SSL Certificates
There are many trustworthy certificates that are free, can get the job done and are not self-signed. A self-signed SSL certificate is one signed by ourselves on our hosting server. Self-signed certificates will show that you have an HTTPS connection to your visitor; however, the web browser will show that your site is insecure. This is the main problem of self-signed certificates. You are the one responsible for checking if your site was hacked and someone altered the SSL certificate. The self-signed certificate shouldn't be an option no matter what.
I would recommend two certificates that are free and can be renewed for free. I also trust them enough to recommend them.
Let’s Encrypt - Open Source Certificate Authority
This certificate is an option that many hosting providers offer from the start when you sign up for hosting. It can be uploaded to servers that don't offer it, as long as the hosting company lets you upload certificates.
CloudFlare - CDN and security service provider
Here you can get two great services to start with for free. The first is a CDN for faster loading speed of your website. The second is, of course, an SSL certificate.
In this section, you'll find some top CAs. These can provide you with top-notch certificates. Let's take a look.
SSL2BUY - Cheapest SSL Certificate provider
Comodo - They also offer 90-day free trial
Network Solutions - They also offer secure WordPress hosting
These are just to name a few. If you know any others, please let me know and I'll add them to the list.
HTTP vs HTTPS: Different types of SSL certificates
As the popularity of certificates grew, many types of SSL certificates emerged. In recent times, we also have to consider the pressure from Google to implement them. That's why the Certificate Authorities (CA) and providers have many types of certificates that can serve their clients.
Now let's take a look at them.
Extended Validation (EV) Certificates
This type of SSL certificate is at the top of the security hierarchy. These certificates are only issued after a CA examines the background of the ordering party. The CA must determine that the one who has ordered the EV certificate has the right to use the domain. Before issuing the certificate, the CA also checks that the ordering party has given truthful information about themselves and their physical, legal and operational existence.
You can recognize the website using this certificate by a green address bar, as seen below.
Let’s take a step down now.
Organization Validated (OV) SSL Certificates
These certificates are also issued after the CA does the background checks. The Certificate Authority checks whether the organization has the right to use the domain. The background checks for this particular certificate are less extensive. Also, there is less paperwork to obtain it.
You can recognize the website and the organization that uses it by seeing a secure site seal, like the one below.
Now, let's go further down the ladder.
Domain Validation (DV) SSL Certificates
The CA issues this certificate to anyone that wants the HTTPS protocol enabled. The CA doesn't perform any background check on the organization. You or your organization just have to prove that you have the right to use the domain.
When the certificate is installed, you can see a secure sign in the URL box.
These were the three main types of SSL certificates. Now let’s look at some special types of certificates.
Have the ability to scale the encryption based on what the browser can handle. This means you use them to make sure the HTTPS sites are accessible in older browsers. With this in mind, we can see that some SSL certificates are not compatible with the older browsers.
However, if you don't use a scalable certificate to resolve compatibility issues, the website will recommend the user to update the browser.
Unified Communication Certificates
Are basically multi-domain certificates. They can protect multiple domains and your Microsoft Exchange or Microsoft Office communications servers. Useful for companies that are using many domains for communicating externally and internally.
Personal Authentication Certificates
With these certificates, you can add an extra layer of security to your emails and documents. In emails, you can enable end-to-end encryption. This can prevent anyone from altering your message. It can also prevent a third party from reading the message.
Personal authentication certificates enable you to digitally sign your Office documents. This gives the recipient proof that no one has altered the text in the documents.
Now we are going to look at the last type of certificate. This one is widely used. It’s not a type, it’s more of a commercial naming of the certificate (like single SSL certificate).
Wildcard SSL certificate
It's a great way to secure your main domain and all the subdomains on your website.
Usually, we use subdomains for logins or some other part of your website, like this:
I wasn’t sure where to describe it, so I put it here, as I wanted to get you the best information that I can.
Are there any risks in moving your site to HTTPS?
To be clear. This is not the risk of SSL certificates. We are talking about moving your website, from HTTP to HTTPS.
We have talked about the benefits until now. However, there's one main risk that needs your attention.
When you switch from HTTP to HTTPS you are going to experience a loss in rankings and traffic. Your website should bounce back if you've done your job properly.
You should take special care if your website is big and you have many pages. You could struggle when you have to find all your content and move it from HTTP to HTTPS. If something stays on HTTP, you are going to get a mixed content warning.
Use of 301 redirects (permanent) is mandatory. This means your site opens on HTTPS, no matter where your URL with HTTP was posted before. Also, this will help your site bounce back. Here is a great guide on final steps when moving your site to HTTPS by LunaMetrics.
Like any major website URL change, this is a risky business. The larger the site the more trouble you could encounter and more time it can consume.
I found a great outline guide on SearchEngine. They explain how to implement SSL certificate and what to be careful about. Get the guide.
WordPress SSL setup guides:
These two guides are from the WPBeginner website.
Guide One - How to Add SSL and HTTPS in WordPress
Conclusion on HTTP vs HTTPS
Hopefully, the article has helped you to grasp the subject of HTTPS and SSL certificates. I have also tried to include guides and some helpful resources.
If we look into the future, we can see that HTTPS isn't going away. The security of websites will be even more important. Users will expect more security from our websites and we will have to provide them with it. Sooner or later the web will be on HTTPS, with Google increasing the pressure on those who won't implement SSL certificates. Maybe Google is pushing too hard; however, the goal is to make the internet safer.
I would recommend implementing it; however, do it with care for your website. If you have a large website, maybe take one piece of the website at a time. Don't rush it and keep up with Google guidelines. So there you have it, HTTP vs HTTPS head-to-head.