Nexcess Blog

The Pros And Cons Of Implementing SSL / HTTPS

September 3, 2014

SSL and HTTPS

Google has ignited a storm of interest in HTTPS, but what are the advantages and disadvantages of offering SSL-encrypted HTTPS connections to your users?

Since Google announced that serving sites over HTTPS would become a search engine ranking signal, the number of people interested in purchasing SSL certificates has skyrocketed. Many webmasters who would never have considered using HTTPS are worried that competitors will have an SEO advantage should they continue to serve their sites in the open.

Whatever you think about Google’s attempt to shape the web’s security policy using SERP position as a carrot (and stick), it’s worth thinking about the potential advantages and disadvantages of implementing HTTPS.

I’m assuming that if you’re reading this, you are at least familiar with what HTTPS is and what an SSL certificate is for. If not, here’s the nutshell explanation: HTTPS is a secure version of the HTTP protocol — in fact, it’s HTTP over SSL (Secure Sockets Layer) or TLS as it should be called (although I won’t because hardly anyone does).

HTTPS uses very strong public-key cryptography to encrypt the connection between a client (often a web browser) and a server. No one but the server and the client can know what is being communicated. That requires an SSL certificate, which serves to verify the identity of the server via a certificate authority and provides the keys that are used to encrypt and sign data.

Provided the private key that goes with the certificate remains private and there are no other hiccups in implementation, HTTPS is highly secure. Implemented properly, it’s practically unhackable even if you’re the NSA (probably).

Lots of sites don’t need that level of privacy and security. The average blog, for example, doesn’t need its public-facing pages encrypted with high-grade cryptography, but Google is a fan of the “security by default” and “HTTPS Everywhere” concept, so it’s using SEO to incentivize webmasters to implement HTTPS.

The Disadvantages Of Implementing SSL

The disadvantages of HTTPS fall into two main groups: those that are based in reality, and those that are based on outdated information or plain misinformation. We’ll start with the latter.

(Mostly) False Disadvantages

HTTPS Uses A Lot Of Server Resources

At one time this was an issue. HTTPS requires some processing power and memory for encryption. A decade ago that could cause problems, but unless your site is running on a server from back then, it probably won’t be an issue: servers have improved, and many of the inefficiencies in the popular OpenSSL library and other implementations have been fixed.

Performance issues are highly unlikely to affect your server if you implement SSL, and shouldn’t be a reason to avoid HTTPS.

HTTPS Introduces Latencies

As with performance worries, concerns about SSL’s impact on latencies are based on reality — SSL connections take longer to set up with more roundtrips — but in practice it’s usually nothing to worry about. The impact is negligible.

That said, in some circumstances HTTPS can cause delays, so it’s worth running tests to make sure that SSL isn’t causing real-world latency. Theory is fine, but there’s no substitute for testing.

Browser Caching Won’t Work Properly

This used to be true, but isn’t any more — except in one unfortunate case. The only browser in somewhat common usage that can’t handle caching for HTTPS connections is IE6. If you need to support IE6 in a legacy environment, then SSL is going to cause problems: modern sites will run slowly without browser caching.

For well over 95% of potential users, this is not an issue.

Real Disadvantages

You’ll Need To Buy An SSL Cert

SSL certificates are issued by certificate authorities and rely on the trustworthiness of those authorities. Technically, you can make your own, but no one will trust it, so you’ll need to buy an SSL certificate.

Prices vary depending on how many domains or subdomains the cert will cover, and also on the level of identity verification.

The Mixed Modes Issue

During the course of browsing the web, you’ll probably have received a warning that says a site which is ostensibly using SSL is serving insecure content. That’s not because they’re up to anything bad, but because they’re loading assets from other sites or services — social media widgets or advertising most frequently — that aren’t encrypted.

The browser doesn’t want users to think a site is totally secure when it isn’t, and will pop up a warning, which can be off-putting to many users who don’t understand the implications.

This is less of a problem than it used to be as most advertising networks serve encrypted content and most social media networks now use SSL. But, mixed mode issues are not completely solved, and may still impact sites with SSL implemented without careful testing of third-party content — e.g. making sure that your ad network isn’t sending third-party unencrypted content.

Proxy Caching Problems

Over SSL connections, everything is encrypted including the packet headers and content. Any caching that might have happened between the points at which data is encrypted and decrypted is blocked if content is encrypted. If you’re using a system like Varnish to cache CMS content, it’s necessary to have a server out in front of the cache to handle encryption, which adds some complexity to private caching efforts, but that will be taken care of by any decent web hosting company.

Any public caching that might have happened cannot happen. ISPs and others will not be able to cache encrypted content. Whether this is really an issue at all depends on individual circumstance, so testing is key once again. Public proxy caching has been declining in recent years, to be replaced by content distribution networks, which in many cases work perfectly well with HTTPS.

Most of the potential disadvantages won’t affect small to medium-sized sites. It’s only the really large sites that might need to think twice about implementing HTTPS, and even then the negatives are probably outweighed by the advantages, which we’ll take a look at now.

The Advantages Of HTTPS

Obviously, the major benefit of encrypting connections to and from a site is that they can’t be read by any third party. It will no longer be possible for anyone to snag data flowing between you and your users from the air. But a number of other benefits come along with SSL.

Identity Verification

A certificate guarantees the information a browser is receiving originates at the expected domain. It’s a guarantee that when a user sends sensitive data, it’s being sent to the right place, and not to a malicious third-party.

Data Integrity

If data is sent in the clear, it’s possible for a third party to sit between the server and the browser and read everything. But, even worse, if they can read it, they can change it. By hijacking a connection, a hacker can see what the browser is requesting and the site is sending; they can intercept the data sent by the site and alter it before sending it on to the browser — the user would never know.

HTTPS connections make this sort of man-in-the-middle attack much more difficult to pull off.

SEO

As I mentioned earlier, Google wants to send its users to secure sites and to that end has made HTTPS connections a ranking signal. That means, all else being equal — which it never is — a site with HTTPS is going to rank higher than a site without.

It’s important to note that HTTPS is a weak ranking signal. At the moment, implementing SSL is going to have a minimal impact on search positions. High-quality content is more important.

Trust

Finally, that green padlock indicates that you take security seriously and helps give users confidence.

Whether you choose to implement HTTPS on your site is a matter of personal or business choice. There is no real downside, but for a lot of sites — particularly personal blogs — it’s not strictly necessary from an information security perspective, although it appears Google differs on that point. Webmasters should weigh up the advantages and disadvantages we’ve discussed in this article and come to their own informed decision.

  • Under advantages you haven’t mentioned client identification via certs, smartcards etc

  • Keijo

    Nobody uses them, like ever.

  • It’s not correct. For example Estonia has successfully deployed its national ID card and PKI. In case of browser identification exactly this is used – a smartcard and client certificate with private key on it.

  • All beautiful points! Thanks…

  • Good in-depth analysis... thank you very much!

  • Hey Corey,

    Great article about the importance of having an SSL certificate.

    I believe that almost every respectable website should have HTTPS encryption, especially if it is a shop or a website where users can register new accounts.

    A particular but not strange thing that pushes people into getting SSL certificates for their websites is the SEO.

    Believe it or not, Google does take into account whether or not your website has SSL.

    I wrote a post about 4 reasons to have an SSL certificate, including two essential factors that are worth taking into account:

    https://neutrondev.com/4-reasons-to-have-ssl-certificate/

  • Thanks Corey, I am working on process to solve mixed modes issues. Good article.

  • Hey Corey, it really is a great guide on HTTPS (SSL) and I have learnt some great advantages from which we can benefit our site with SEO, as you mentioned that it is a ranking factor. I will turn on HTTPS for my blog as soon as possible. Thanks for this great post. Loved it!