Using HTTPS Everywhere
I recommend all websites use https. That includes your personal blog, small company marketing sites, as well as web applications and e-commerce websites.
What is HTTPS? As I explained in my article for small business: “It is HTTP delivered through a secure, encrypted connection. When you visit a website protected by HTTPS, the first step is your web browser and the web server negotiate encryption keys that will be used for the session. These keys are then used to encrypt the data flowing between the two end points – in both directions.”
This blog post will serve as an online notebook for information, tools, and links regarding utilizing HTTPS for your website.
Why use HTTPS? The Benefits of HTTPS over HTTP Explained
Why? Primarily for these three reasons:
- Confidentiality – Web page data, form data, cookies, and the full URL path are all encrypted. Only the IP address is unencrypted (otherwise, how would the request ever get to the destination?). This ensures data in both directions is kept confidential.
- Authenticity – Ensures the identity of the source is accurate
- Integrity – Ensures the information hasn’t been tampered with or modified while in transit
Regular HTTP has none of these things.
Here are some additional reasons:
- Google uses it as a ranking signal for SERPs (Search Engine Results Pages)
- The Google Chrome web browser is going to start calling HTTP sites with forms “Not Secure” very soon. Want your clients or customers to see that?
- Give customers, clients, and end users a feeling of security and trustworthiness
- Project a professional image
Finally, it’s the wave of the future. The HTTP/2 protocol, which will eventually replace HTTP, has TLS security baked in at its core.
HTTPS – Getting Started
How do you use HTTPS? Here’s a quick start guide:
- First, you’ll need to obtain a certificate from a Certificate Authority, or CA.
- Install it on your web server of choice
- Set up a 301 redirect for any non-HTTPS links
- Test the certificate, to make sure it’s working properly
- Re-register your site in Google Analytics and Google Search Console
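The redirect from the third step can be verified with a short script before you move on to testing the certificate. This is an added example, not code from the original post; the function names and the sample URLs are constructed for illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit, urljoin


def evaluate_redirect(requested_url, status, location):
    """Return a list of problems with the response to a plain-HTTP request."""
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301 (permanent redirect)")
    if not location:
        problems.append("no Location header")
        return problems
    src = urlsplit(requested_url)
    dst = urlsplit(urljoin(requested_url, location))  # resolve a relative Location
    if dst.scheme != "https":
        problems.append(f"redirect target uses {dst.scheme}, not https")
    if dst.hostname != src.hostname:
        problems.append(f"host changes from {src.hostname} to {dst.hostname}; confirm this is intended")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string is not preserved")
    return problems


def fetch_redirect(url):
    """Request url over plain HTTP without following redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("HEAD", target)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result


if __name__ == "__main__":
    # Usage: python check_redirect.py http://your-site.example/some/page
    url = sys.argv[1]
    status, location = fetch_redirect(url)
    issues = evaluate_redirect(url, status, location)
    for issue in issues:
        print("PROBLEM:", issue)
    print("OK" if not issues else f"{len(issues)} problem(s) found")
```

Run it against a deep link rather than only the home page, since a redirect rule that sends every request to the HTTPS front page breaks existing inbound links.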
How to Set Up HTTPS – Using “Let’s Encrypt”
(Check back soon and we’ll have a tutorial on how to use a “Let’s Encrypt” certificate on your website).
How to Set Up HTTPS – on 1&1 hosting
Unfortunately, 1and1 shared hosting does not support the “Let’s Encrypt” CA at this time. However, they do offer reasonably priced certificates for personal blogs and other sites, as well as fully verified business certificates. At this time, a personal blog certificate is only $9.99 per year.
- If your plan includes a certificate (the Business package, for example, includes one by default), you can access it from the SSL Certificates menu in your 1&1 Control Panel. If your plan doesn’t include one, or you need an additional certificate, you can order it from the same page. For a personal or hobby blog, order the 1&1 SSL Starter certificate. Please note that you do not want the 1&1 SSL Business package – “GeoTrust True Business ID” verified certificate – unless you have a business entity with incorporation papers, etc. If you don’t have that, you’re not going to be able to confirm your business identity.
- Use these steps to associate the cert with your domain.
It’s that simple!
1&1 Shared Web Hosting – Features and Reliability
Despite the fact that 1&1 doesn’t support “Let’s Encrypt” certificates on their shared hosting plans, I have been very pleased with 1and1 hosting service. I have used the 1&1 Business Package Web Hosting for almost 15 years. I have hosted dozens of different sites, with different traffic needs. I have hosted many Linux based WordPress and VBulletin sites on my account, and currently have at least 6 sites running. If you need website hosting, with unlimited space, unlimited files, and unlimited MySQL databases, I recommend 1&1. I have worked with their support on occasion, and it is excellent. Shared hosting will be the most cost effective choice for running a small business or personal website. If you are critically dependent on your website (such as for a web focused small business and e-commerce) I recommend their dedicated or virtual hosting options instead.
I have worked extensively with GoDaddy and BlueHost web hosting as well, in my professional endeavors. I recommend 1&1.
Links & Resources
- The original Google I/O talk on HTTPS Everywhere – Explains the origin of the movement and covers a lot of technical details.
- An excellent US government resource on HTTPS – Contains a very simple overview, and a lot of advanced information as well.
- Qualys SSL Server Test – Don’t even think about turning on HTTPS without checking the results through this test site. It’s the most in-depth, complete test suite for SSL.
- All about referrer policy, right from the source w3.org.