What is HTTPS?
You are probably already familiar with the HTTP protocol, which appears in the first part of your URL. You might have noticed that some websites use HTTP and others use HTTPS. The latter is the safer variant because it adds an extra layer of security in the form of an SSL certificate. This means that the connection between your website's server and your visitor is encrypted.
Why do I need HTTPS?
- To protect the privacy of your visitor
If your visitor is on a public network, or on a network they do not control, HTTPS protects them from man-in-the-middle attacks: the pages being consulted and their content cannot be read or logged by others on the network. This increases your visitor's privacy. Without encryption, anyone on the same Wi-Fi network can quite easily find out which pages other users are visiting.
- To show that you can be trusted
Using HTTPS also improves the trust level, as the visitor knows that the page is actually served from your website and has not been altered by another party or server. It is not a 100% guarantee, but it makes it much harder for third parties to interfere. Tools on the network will also be unable to inject extra code, which is common practice at public WiFi providers.
- To avoid warning messages that could scare your visitors away
Not only search engines, but also all major browsers like Chrome, Firefox, Safari, and Edge care about protecting their users. They indicate whether the user is on a safe or an unsafe website. Google Chrome is pretty aggressive in this matter: it shows a clear "INSECURE WEBSITE" warning when the website is not loaded over HTTPS. At the moment, Google Chrome only shows a lock with a cross, but there are plans to make it harder to visit websites over HTTP in the long run.
- To improve your SEO ranking
Search engines like Google and Bing want to offer the best and most secure experience to their visitors. They will often rank websites over HTTPS higher to ensure the visitors are having a more secure setup when possible.
How does HTTPS work?
For an HTTPS connection, you need an SSL certificate. SSL stands for Secure Sockets Layer. Every SSL certificate is signed by a parent certificate. That certificate is in turn signed by another certificate, forming a chain of certificates. The top one is known as the root certificate. This root certificate needs to be installed and trusted on your visitors' computers in order for your certificate to be accepted as valid. The chain needs to be complete and fully trusted before your certificate is trusted.
How can I get HTTPS?
- Get an SSL certificate from a trusted authority
To get HTTPS, you need an SSL certificate, which can be purchased from a Certificate Authority. There is a fixed set of root certificates that are installed by default on Apple's macOS, Windows and Linux. So make sure that you are buying a certificate from a trusted source. Those trusted sources are known as Certificate Authorities (CAs). See AboutSSL.org for a list of CAs and how commonly they are used.
- Make sure that your certificate does not expire
There are multiple tools available to validate SSL chains, for example DigiCert and SSL Shopper. In the example below, we inspect the SSL certificate of api.semonto.com. You can see that the end certificate is valid from Dec 30, 2018, until March 30, 2021. It is signed by the Comodo RSA Domain Validation Secure CA, which in turn is signed by the Comodo RSA Root certificate, issued by AddTrust External CA Root. If all is well, your computer recognizes and trusts this AddTrust External CA Root certificate by default.
Which type of HTTPS should I get?
As explained, an SSL certificate is required to set up an HTTPS secure connection. This does not have to be expensive. There are multiple types of certificates, based on the level of validation.
- DV Certificate (for a basic domain validation)
The first level is a basic domain validation. It only verifies that you are indeed the owner of the domain. The SSL certificate can only be used for this domain (and, optionally, its subdomains). If you want to cover all possible subdomains of a domain, you can use a wildcard certificate. Multiple sellers provide this type of certificate for about 10 dollars a year.
- Free yet temporary certificates
There are free SSL certificates available via Let's Encrypt. Let's Encrypt is a project of the Internet Security Research Group (ISRG). Their mission is to provide a more secure and more privacy-aware internet. For this reason, they became a full-blown SSL Certificate Authority (CA) and are now accepted by all major operating systems and browsers. To avoid abuse, Let's Encrypt certificates are only valid for a short period of time (3 months) and need to be renewed often.
- EV Certificate (extended validation)
There are also other certificates available, often called Extended Validation or EV certificates. While technically they use the same technology and structure, the difference lies in the extra validation required to obtain these certificates. To obtain an EV certificate, you need to prove that you, as a person, are the owner of or an employee at the company for which you are requesting the certificate, and this often requires quite some paperwork. In return, visitors see your company name displayed in the browser, next to the SSL symbol, showing which company requested the certificate. This has an additional positive effect on the trust level.
How do I implement my SSL certificate?
Once you have your SSL certificate, the exact implementation depends on the web server software you are using. If you are using Apache or NGINX, it is as easy as enabling some modules and putting the certificate files in the right folders. If your server is managed for you, your web host can help you with this. If you are on shared hosting, chances are high that the web host offers a one-click "Let's Encrypt" button. Be sure this is enabled, if it is not enabled by default. Another option is to check out Certbot, which can manage and renew the certificates for you automatically. Certbot is a project by the Electronic Frontier Foundation (EFF).
Can Semonto help me with this?
SSL certificates are a good thing because they improve the security and trust level of your website. However, they also come with a downside: SSL certificates are only valid for a limited period of time. So if your certificate has expired, or if a wrong certificate is used due to a misconfiguration, your website will be unavailable to your visitors. Semonto can help you stay on top of this. When you ask Semonto to monitor your site, the SSL certificate is automatically checked. We also have more features in the pipeline that will warn you in advance if your certificate is about to expire (e.g. if the Let's Encrypt renewal process has failed) and that verify the SSL chain. Want to know more? Get in touch! Or give Semonto a free spin by creating a trial account.
- Redirect your HTTP to your HTTPS
When you have HTTPS on your website, it is a must to check that the non-HTTPS variant of your website properly redirects to the secure version. This improves SEO, as it makes clear to the search engine that the secure and insecure versions are the same website (so you will not receive a penalty for duplicated content). Google will then only use the SSL variant and you will end up higher in the SEO rankings.
- Enable the HSTS flag
You can also enable the HSTS flag, also known as HTTP Strict Transport Security. This is a response header that your website should send. It tells the browser that HTTPS is available and must be used for all requests to this domain (and, if configured, its subdomains). It prevents browsers from first requesting the insecure page, receiving a redirect and requesting the content again. As a further benefit, you can be included in the preload list, a hardcoded list of HSTS-enabled domains shipped inside the browser, ensuring that HTTPS is always used and plain HTTP calls are refused. More info about HSTS can be found on the Mozilla Developer pages, and the preload list is available here.
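The two checks above (the HTTP-to-HTTPS redirect and the HSTS header) as an added Python example; this is not code from the article or from Semonto. The responses are constructed samples in the (status, headers) shape an http.client response gives you, the host name example.com is an assumption, and the one-year minimum max-age together with includeSubDomains and preload are the requirements of the browser preload list.

```python
from urllib.parse import urlsplit

# Constructed sample responses (status, headers); not captured from a real site.
GOOD_HTTP = (301, {"Location": "https://example.com/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
WEAK_HTTPS = (200, {"Strict-Transport-Security": "max-age=300"})
ONE_YEAR = 31536000  # smallest max-age accepted for the browser preload list

def header(headers, name):
    """Case-insensitive header lookup, None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)
    return max_age, "includesubdomains" in flags, "preload" in flags

def check_redirect(host, status, headers):
    """The plain HTTP site must answer with a permanent redirect to https on the same host."""
    if status not in (301, 308):
        return ["HTTP status %d is not a permanent redirect" % status]
    target = urlsplit(header(headers, "Location") or "")
    findings = []
    if target.scheme != "https":
        findings.append("redirect target is not https")
    if target.hostname != host:
        findings.append("redirect leaves the host (%s)" % target.hostname)
    return findings

def check_hsts(headers):
    """Check the header against the preload-list requirements mentioned in the article."""
    value = header(headers, "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    max_age, subs, preload = parse_hsts(value)
    findings = []
    if max_age is None or max_age < ONE_YEAR:
        findings.append("max-age (%s) is missing or below the one year needed for preloading" % max_age)
    if not subs:
        findings.append("includeSubDomains missing")
    if not preload:
        findings.append("preload directive missing")
    return findings
```

Run check_redirect against the response of the http:// address and check_hsts against the https:// response; an empty list from both means the setup matches what the article recommends.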
- Use additional HTTPS tools
There are multiple tools available online that focus on HTTPS and its validation. While Semonto informs you when your SSL certificate is no longer valid or will expire soon, other tools can help you debug and verify your current setup. The most well-known one is SSL Labs, which gives you insight into your current SSL setup and, via a grading system, shows how to improve it. It evaluates your SSL chain, the encryption algorithms your server uses and more, and helps you disable the less secure ones.
- Choose a certificate with less than 13 months of validity
Choosing a certificate with a long validity makes sense, because it does not have to be renewed often, and renewal can be a risky process that could potentially result in downtime. However, a certificate with a short lifespan also has its merits. It proves that you are using a recent certificate and that you care about security. Apple, for example, has announced that it will impose new validation rules and will reject certificates that are valid for longer than 13 months.
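An added Python example (not code from the article or from Semonto) for the two certificate checks discussed above: the expiry check from "Make sure that your certificate does not expire" and the 13-month lifetime limit. It works on the date format the standard library's ssl module returns from getpeercert(); the sample certificate below is constructed with the article's api.semonto.com dates, and the 30-day warning threshold and the 398-day limit (Apple's rule for certificates issued from 1 September 2020) are assumptions of this example.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(): the
# validity dates are the ones the article quotes for api.semonto.com, the other
# fields are illustrative and not copied from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.semonto.com"),),),
    "issuer": ((("commonName", "COMODO RSA Domain Validation Secure Server CA"),),),
    "notBefore": "Dec 30 00:00:00 2018 GMT",
    "notAfter": "Mar 30 23:59:59 2021 GMT",
}
# Apple rejects server certificates issued from 1 September 2020 onwards that are
# valid for more than 398 days, the "13 months" mentioned in the article.
MAX_LIFETIME_DAYS = 398

def parse_cert_time(value):
    """Convert a getpeercert() date string into seconds since the epoch."""
    return ssl.cert_time_to_seconds(value)

def cert_lifetime_days(cert):
    """Total validity period of the certificate, in days."""
    return (parse_cert_time(cert["notAfter"]) - parse_cert_time(cert["notBefore"])) / 86400

def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (parse_cert_time(cert["notAfter"]) - now) / 86400

def audit_cert(cert, now=None, warn_days=30):
    """Findings a monitor should raise; an empty list means nothing needs attention."""
    findings = []
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        findings.append("expired %.0f days ago" % -remaining)
    elif remaining < warn_days:
        findings.append("expires in %.0f days, renew now" % remaining)
    if cert_lifetime_days(cert) > MAX_LIFETIME_DAYS:
        findings.append("lifetime exceeds %d days" % MAX_LIFETIME_DAYS)
    return findings

def fetch_cert(hostname, port=443, timeout=5):
    """Fetch the live leaf certificate; the handshake fails unless the whole chain
    validates against the operating system's trusted root certificates."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

For a live check, pass the result of fetch_cert("your.host") to audit_cert; a handshake error from fetch_cert already tells you that the chain is incomplete or not trusted by your root store.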