Google has ignited a storm of interest in HTTPS, but what are the advantages and disadvantages of offering SSL-encrypted HTTPS connections to your users?
Since Google announced that serving sites over HTTPS would become a search engine ranking signal, the number of people interested in purchasing SSL certificates has skyrocketed. Many webmasters who would never have considered using HTTPS are worried that competitors will have an SEO advantage should they continue to serve their sites in the open.
Whatever you think about Google’s attempt to shape the web’s security policy using SERP position as a carrot (and stick), it’s worth thinking about the potential advantages and disadvantages of implementing HTTPS.
I’m assuming that if you’re reading this, you are at least familiar with what HTTPS is and what an SSL certificate is for. If not, here’s the nutshell explanation: HTTPS is a secure version of the HTTP protocol — in fact, it’s HTTP over SSL (Secure Socket Layer) or TLS as it should be called (although I won’t because hardly anyone does).
HTTPS uses very strong public-key cryptography to encrypt the connection between a client (often a web browser) and a server. No one but the server and the client can know what is being communicated. That requires an SSL certificate, which serves to verify the identity of the server via a certificate authority and provides the keys that are used to encrypt and sign data.
Providing the private part of the certificate remains private and there are no other hiccups in implementation, HTTPS is highly secure. Implemented properly, it’s practically unhackable even if you’re the NSA (probably).
Lots of sites don’t need that level of privacy and security. The average blog, for example, doesn’t need its public-facing pages encrypted with high-grade cryptography, but Google is a fan of the “security by default” and “HTTPS Everywhere” concept, so it’s using SEO to incentivize webmasters to implement HTTPS.
The Disadvantages Of Implementing SSL
The disadvantages of HTTPS fall into two main groups: those that are based in reality, and those that are based on outdated information or plain misinformation. We’ll start with the latter.
(Mostly) False Disadvantages
HTTPS Uses A Lot Of Server Resources
At one time this was an issue. HTTPS requires some processing power and memory for encryption. A decade ago that could cause problems, but unless your site is running on a server from back then, it probably won’t be an issue: servers have improved, and many of the inefficiencies in the popular OpenSSL library and other implementations have been fixed.
Performance issues are highly unlikely to affect your server if you implement SSL, and shouldn’t be a reason to avoid HTTPS.
HTTPS Introduces Latencies
As with performance worries, concerns about SSL’s impact on latencies are based on reality — SSL connections take longer to set up with more roundtrips — but in practice it’s usually nothing to worry about. The impact is negligible.
That said, in some circumstances HTTPS can cause delays, so it’s worth running tests to make sure that SSL isn’t causing real-world latency. Theory is fine, but there’s no substitute for testing.
Browser Caching Won’t Work Properly
This used to be true, but isn’t any more — except in one unfortunate case. The only browser in somewhat common usage that can’t handle caching for HTTPS connections is IE6. If you need to support IE6 in a legacy environment, then SSL is going to cause problems: modern sites will run slowly without browser caching.
For well over 95% of potential users, this is not an issue.
You’ll Need To Buy An SSL Cert
SSL certificates are issued by certificate authorities and rely on the trustworthiness of those authorities. Technically, you can make your own, but no one will trust it, so you’ll need to buy an SSL certificate.
Prices vary depending on how many domains or subdomains the cert will cover, and also on the level of identity verification.
The Mixed Modes Issue
During the course of browsing the web, you’ll probably have received a warning that says a site which is ostensibly using SSL is serving insecure content. That’s not because they’re up to anything bad, but because they’re loading assets from other sites or services — social media widgets or advertising most frequently — that aren’t encrypted.
The browser doesn’t want users to think a site is totally secure when it isn’t, and will pop up a warning, which can be off-putting to many users who don’t understand the implications.
This is less of a problem than it used to be as most advertising networks serve encrypted content and most social media networks now use SSL. But, mixed mode issues are not completely solved, and may still impact sites with SSL implemented without careful testing of third-party content — e.g. making sure that your ad network isn’t sending third-party unencrypted content.
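The kind of third-party content check described above can be automated. The following is an added example, not code from the original article: it scans a page's HTML for subresources that would be fetched over plain HTTP from an HTTPS page. The function and class names, the example.* hostnames and the sample page are constructed for illustration, and the active/passive split goes slightly beyond the text to reflect how browsers typically treat scripts versus images.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (URL attribute, kind). Browsers typically block insecure "active"
# loads and flag the page for insecure "passive" ones.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href> is navigation, not a subresource load
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # rel=canonical and similar links are not fetched
        attr, kind = SUBRESOURCES[tag]
        url = (attrs.get(attr) or "").strip()
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, url)
        if url and urlparse(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: an ad script and a social badge loaded over HTTP.
SAMPLE = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="http://ads.example.net/show.js"></script></head><body>
<img src="http://social.example.org/badge.png"><img src="//cdn.example.com/logo.png">
<a href="http://example.com/about">About</a></body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content("https://www.example.com/", SAMPLE), sep="\n")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two explicit http:// loads in the sample are reported.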
Proxy Caching Problems
Over SSL connections, everything is encrypted including the packet headers and content. Any caching that might have happened between the points at which data is encrypted and decrypted is blocked if content is encrypted. If you’re using a system like Varnish to cache CMS content, it’s necessary to have a server out in front of the cache to handle encryption, which adds some complexity to private caching efforts, but that will be taken care of by any decent web hosting company.
Any public caching that might have happened cannot happen. ISPs and others will not be able to cache encrypted content. Whether this is really an issue at all depends on individual circumstance, so testing is key once again. Public proxy caching has been declining in recent years, to be replaced by content distribution networks, which in many cases work perfectly well with HTTPS.
Most of the potential disadvantages won’t affect small to medium-sized sites. It’s only the really large sites that might need to think twice about implementing HTTPS, and even then the negatives are probably outweighed by the advantages, which we’ll take a look at now.
The Advantages Of HTTPS
Obviously, the major benefit of encrypting connections to and from a site is that they can’t be read by any third party. It will no longer be possible for anyone to snag data flowing between you and your users from the air. But a number of other benefits come along with SSL.
A certificate guarantees the information a browser is receiving originates at the expected domain. It’s a guarantee that when a user sends sensitive data, it’s being sent to the right place, and not to a malicious third party.
If data is sent in the clear, it’s possible for a third party to sit between the server and the browser and read everything. But, even worse, if they can read it, they can change it. By hijacking a connection, a hacker can see what the browser is requesting and the site is sending; they can intercept the data sent by the site and alter it before sending it on to the browser, and the user would never know.
HTTPS connections make this sort of man-in-the-middle attack much more difficult to pull off.
As I mentioned earlier, Google wants to send its users to secure sites and to that end has made HTTPS connections a ranking signal. That means, all else being equal — which it never is — a site with HTTPS is going to rank higher than a site without.
It’s important to note that HTTPS is a weak ranking signal. At the moment, implementing SSL is going to have a minimal impact on search positions. High-quality content is more important.
Finally, that green padlock indicates that you take security seriously and helps give users confidence.
Whether you choose to implement HTTPS on your site is a matter of personal or business choice. There is no real downside, although for a lot of sites, particularly personal blogs, it’s not strictly necessary from an information security perspective; it appears Google differs on that point. Webmasters should weigh up the advantages and disadvantages we’ve discussed in this article and come to their own informed decision.