This is why you should switch your homepage to HTTPS

Everyone is talking about HTTPS transport encryption, but apart from the fact that most website owners should be aware that this is a security-relevant element, there is often still a great deal of confusion about what switching to encryption means. In the following, the advantages and disadvantages of a switch to HTTPS are listed and highlighted.

Note: If you create your own homepage now, you don't have to worry about switching to HTTPS. All websites are already securely encrypted.

SSL stands for Secure Sockets Layer, an encryption protocol originally developed by Netscape. It is now outdated and vulnerable, which is why the successor protocol Transport Layer Security, or TLS for short, is used. This offers a significantly higher level of security, but is still referred to as SSL. Hypertext Transfer Protocol Secure, or HTTPS for short, is not to be confused with either. This refers to the use of HTTP via Secure Sockets Layer or Transport Layer Security. Since the term SSL is more widespread and has become established, TLS will also be referred to as SSL in the following.

The terms are now clear, but how exactly does the encryption process work? SSL encodes the data in such a way that communication between the user and the respective provider cannot be "tapped". The data that is exchanged between the browser and a sales portal, for example, is therefore protected from access by unauthorized persons. To ensure this protection, a certificate is used that is assigned a key. The provider can request such a certificate from specially established certification authorities (CAs). The CAs then check the request and give the green light if the provider is reputable.

As already explained, certified HTTPS websites offer significantly greater protection against data attacks than ordinary HTTP websites. This makes both dangerous phishing and other intrusions into users' data privacy less likely. The certificate also ensures unique identification of the provider and makes their identity verifiable for the customer. In a sense, this creates a "tap-resistant" connection, which is visualized by a lock in the address bar. There are many reasons why you should now also switch to HTTPS.

The CAs, i.e. the issuing bodies for SSL certificates, accept applications and check them before certificates are issued to the respective provider. The CAs vouch for the truthfulness of the information provided by the applicants. Once the certificate has been issued, it is stored on the server and accessed the moment a user calls up the corresponding website. A total of three different certificates are distinguished. The basic differences are in the various security levels of the certificates.

The certificate with the lowest security, where the CA only checks whether the applicant is also the owner of the domain. All other information about the company is not subject to any verification. This is not without risk, but the big advantage for applicants is that domain validation goes through the shortest certification process. Apply this type of validation only if you run a site that is not expected to have an increased risk of fraud. The DV is visualized by a green lock in the search bar.

The OV is also indicated by a green lock in the search bar. Here, a little more depth is already taken into the matter and the applicant's information is examined in more detail. This includes information about the company, such as its legal form. However, it also takes longer until the green light is given and, unsurprisingly, the owner validation is also a bit more expensive than the pure domain validation. It is mainly used for sites where transactions are carried out, but which do not require the user to provide sensitive data.

It is visualized by green lock, where the address bar is also highlighted in green. The measures of bearer validation are extended again with extended validation. Thus, the EV is only issued by authorized certification authorities and also represents the most expensive of all validations. Nevertheless, it should be applied for as a matter of urgency if a website is operated that deals with sensitive user data.

Without an SSL certificate, websites are not only more insecure, the increased risk is also made visible to users by a missing lock in the address bar, or even visualized with a warning message in the address bar, which shows a crossed-out lock or a lock with a warning triangle.

As a website operator, you may shy away from switching to encrypted connections because it means extra effort, but failure to do so could have serious consequences in the worst case. For example, the "Act to Increase the Security of Information Technology Systems" has been in force since 2015, which expands the Telemedia Act. This places website operators under an obligation to protect their users' data in accordance with the "current technical state of the art."

The vague wording may suggest leeway. Further specifications also restrict that the conversion must be technically and economically reasonable, but this is now the case in the vast majority of cases. The other way around, on the other hand, could actually be expensive: If you collect personal user data and do not encrypt it, you could face fines of up to 50,000 euros or prohibition orders. Although such severe penalties are not currently imposed, the danger exists in theory and should therefore be avoided if possible - especially since the costs for switching to HTTPS are becoming increasingly negligible.

When it comes to search engine rankings at the latest, HTTPS deniers usually run out of arguments. Google has been encrypting its own services and online services since 2011, now even without registration, and SSL encryption has been on the search engine giant's list of ranking factors since 2014. Switching to HTTPS can therefore have a favorable effect on your ranking in Google results. In addition, your users are more likely to trust you if the green lock is lit up in the browser bar. And last but not least, you can also increase the quality of your own data, because if a user switches from one encrypted page to another encrypted page, the referrer is not lost. If he switches from an encrypted to an unencrypted page - in this example to yours - the referrer is gone.

In some cases, however, a switch could still lead to problems. Let's start with the obvious hurdles for small website owners, who have to pay special attention to money. Certificates cause additional costs, which also increase with increasing traffic. Another disadvantage is that with SSL connections it is not possible to cache data and performance can suffer from encryption, as the server has to do more computing for encryption and decryption. Modern servers do not have these problems, but older servers may well suffer from "hiccups".

While the certificate itself does not require much effort for website operators, the conversion of internal links to HTTPS and corresponding redirects against duplicate content represents a workload that should not be underestimated. Some operators shy away from the step to HTTPS for these reasons.

In addition, sites where a large part of the revenue comes from advertising have to fear a drop in sales. Ads on HTTPS pages generate less revenue - in some cases, revenues drop by a third. This is explained by the fact that advertising publishers often still rely on unencrypted connections, and encrypted pages are only considered secure if all elements from outside are also loaded in encrypted form. If, for example, advertising banners do not meet these criteria, they cannot compete for advertising space on your encrypted page. Less competition in this case means lower prices and therefore lower revenues for you as a website operator.

Small websites that operate via web hosting providers are often operated via virtual hosts. This has the disadvantage that a large number of pages with the same IP are stored on a physical server. This only works via HTTP or via the not yet very widespread HTTPS with TLS. Pages that use the predecessor SSL are not able to do this.

The following tips will make the switch to HTTPS easier. Follow the advice and avoid common mistakes and carelessness!

Redo the sitemap and submit it to Google Search Console. If there is a disavow file in Search Console, you should transfer it, as well as all other settings, to the new HTTPS account.

All internal and external sources must load over HTTPS. For images, scripts, and other content that do not load over encryption, users will see warnings in the browser that question the trustworthiness of the site.

If possible, do not use outdated certificates, but use modern versions with secure 2,048-bit encryption.

The robots.txt file should be set up via HTTPS and relative links should be used to avoid redirects. Old URLs can be easily redirected to the encrypted version of the page via a 301 redirect.

Canonical tags should be changed to the SSL version of the page. Also, use HTTP Strict Transport Security (HSTS). This guarantees that encrypted connections are protected from encryption being leveraged. In addition, search engine bots should be allowed to crawl the HTTPS page.

Check your resources! Encryption means more computing effort. Therefore, urgently take care of the appropriate framework to guarantee a comfortable experience for the user.

Except for cash-strapped site owners, there are few excuses to avoid switching to HTTPS. The legal advantages and the pros in terms of user-friendliness and search engine optimization are a clear signal to switch to encryption now. And keep one thing in mind: Progress will only strengthen this trend, and the sooner you jump on the bandwagon, the safer you'll be on your way.