Secure Websites
Published on 3 Sep 2014 at 7:24 pm.
Filed under Google,Informative,Search Engine Optimization,Web Design.
Google now encourages webmasters to secure websites. They’re doing this by offering a minor SEO boost.
Secure Websites: What it Means For Users and Webmasters
Google’s goal is to foster a more secure web. Encrypting everything makes it harder for hackers to steal your identity or gain access to things like your credit card or medical information. It also makes it more convenient to use public Wi-Fi, as a secure connection is less likely to suffer man-in-the-middle attacks.
Webmasters for sites that have pages that run over a secure (HTTPS) connection may see a minor bump in the ranking. As of the time of this writing Google has said that they don’t think it will change most results, but they may increase the bump over time. This bump is on a per-URL basis. If you’ve contemplated going HTTPS-only for your site now is the time to finally pull that trigger. By going HTTPS-only you will give that minor bump to every page on your site.
I would not recommend sites get an SSL certificate (necessary to run a site over HTTPS) for the SEO boost. Right now the SEO boost is unlikely to play much of a role in your ranking, and it will not justify the added costs associated with running over HTTPS. You’d be better served to spend your resources on things like natural SEO, search engine marketing, or social media marketing. For those unaware of the costs, it boils down to two things:
- It costs money to purchase an SSL certificate. You can purchase SSL certificates for one or more years.
- Hosting companies are likely to increase your hosting cost.
  - Encrypting takes up more resources and places a further burden on the web server.
  - Older technology that is still in active use does not include the HTTP Host header. Without this header the only way to run a site over HTTPS is to only run one site on that IP address. IP addresses are becoming very scarce, and it will cost the hosting company money to get one for you. Doing otherwise can cause a web server to send the user to another site served on that IP address. The older technologies that are still in use include Internet Explorer and Safari on Windows XP, Android 2, Java 1.6 and below, and BlackBerry devices before BlackBerry 10.
Secure Websites: What to do
Sites making the switch to HTTPS-only will need to reconfigure the site to answer every request made over HTTP with a 301 (permanent) redirect to the HTTPS version. At this time Google’s Change of Address tool does not support HTTP to HTTPS site moves. That’s not a big deal since Google will figure out the change anyway. You just cannot give them a hint to look for things.
After you have made the switch you must look over the pages on your site. To improve the user experience you must update your site’s template to only send the user to files over HTTPS. While you have a redirect in place, the redirect process is slow. Just send them to the right file.
Your site may include third-party widgets for things like YouTube videos. These widgets may need updating: third-party widgets that run on HTTP will produce warning messages to the user and may not run.
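One way to look over a template for the leftovers described above, written as an added example and not code from the original post: it flags subresources still loaded over HTTP (the ones that trigger browser warnings) and links back to your own site that still cost a redirect. The host names, the sample markup, and the simplification that every link tag is a subresource are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
# Simplification: every <link href> is treated as one, whatever its rel.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src",
    "link": "href", "object": "data",
}

class InsecureUrlFinder(HTMLParser):
    """Collects http:// URLs in a template that is served over HTTPS."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE_ATTRS:
            self._check("mixed-content", tag, attrs.get(SUBRESOURCE_ATTRS[tag]))
        elif tag == "a":
            self._check("redirect-hop", tag, attrs.get("href"))

    def _check(self, kind, tag, url):
        parts = urlsplit((url or "").strip())
        if parts.scheme.lower() != "http":
            return  # https://, relative and protocol-relative URLs are fine
        # Plain links only matter when they point back at our own site.
        if kind == "redirect-hop" and (parts.hostname or "") != self.own_host:
            return
        self.findings.append((kind, tag, url))

def find_insecure_urls(html, own_host):
    finder = InsecureUrlFinder(own_host)
    finder.feed(html)
    return finder.findings

# Constructed sample template fragment; www.example.com is the assumed own host.
SAMPLE = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://widgets.example.net/share.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="http://www.example.com/img/logo.png">
<a href="http://www.example.com/contact">Contact</a>
<a href="http://other.example.org/">Partner</a>
"""
```

Calling `find_insecure_urls(SAMPLE, "www.example.com")` reports the script, the image and the internal link; the HTTPS iframe, the relative stylesheet and the outbound partner link are left alone.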
Once you know your site works you should update any link you can that points to your site. You want these links to directly point to the HTTPS version. By this I mean you should update the links on your Facebook, Google+, and LinkedIn pages. You should also update them on any local business directory like Foursquare, Yelp, or CitySearch. The more links that point to the HTTPS version of your site the faster Google will update you in the index, and it’s a better experience for the user.
HTTP Strict Transport Security (HSTS)
HSTS is an HTTP header sent by a web server to a visitor and is a great step to secure websites. This header instructs web browsers and search engines to only use the HTTPS version of a site. If another site links to the HTTP version of your site the browser or search engine will send a visitor to the HTTPS version without the need for a redirect. This is a very useful header to improve website security.
HSTS is a very new technology used to secure websites. Browser support is very limited. While it has good support in Firefox, Opera, and Chrome, the same cannot be said for other browsers. Safari only supports it in version 7 on Mavericks and does not support it in iOS. Android only got support in version 4.4. Internet Explorer will not support it until version 12. BlackBerry devices do not support HSTS.
Secure Cookies
For sites that use cookies, you should set the secure attribute on each cookie. This tells web browsers to only send the cookie over the HTTPS version of your site. With this an attacker cannot get cookie data from a user that went to the HTTP version of a site. Even if you run HTTPS-only, a user who visits the HTTP version (which you redirect) has still made a request over HTTP, and an attacker can get this data. Including the secure attribute on cookies helps to secure websites.
Consider adding the HttpOnly attribute while you’re adding this attribute. The name is a misnomer because it also applies to HTTPS. This attribute tells a browser that the cookie data cannot be accessed through JavaScript. This attribute will help protect your users from cross-site scripting attacks.
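A check for the three measures covered so far (the 301 redirect, the HSTS header, and the cookie attributes), as an added example that is not part of the original post. It audits a pair of responses, one to an HTTP request and one to an HTTPS request; the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def header_values(headers, name):
    """All values of one header; headers is a list of (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]

def audit_https_setup(http_resp, https_resp):
    """Each response is (status, headers). Returns a list of problems."""
    problems = []

    # 1. A plain-HTTP request must get a 301 pointing at an https:// URL.
    status, headers = http_resp
    location = (header_values(headers, "Location") or [""])[0]
    if status != 301:
        problems.append(f"HTTP request answered with {status}, expected 301")
    if urlsplit(location).scheme.lower() != "https":
        problems.append(f"redirect target is not HTTPS: {location!r}")

    # 2. The HTTPS response should carry HSTS with a non-zero max-age.
    _, headers = https_resp
    hsts = header_values(headers, "Strict-Transport-Security")
    max_age = None
    for directive in (hsts[0].split(";") if hsts else []):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            max_age = value.strip('"')
    if not (max_age and max_age.isdigit() and int(max_age) > 0):
        problems.append("Strict-Transport-Security missing or max-age is zero")

    # 3. Cookies: check for the Secure and HttpOnly attributes.
    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for required in ("secure", "httponly"):
            if required not in attrs:
                problems.append(f"cookie {name!r} lacks {required}")
    return problems

# Constructed sample responses (not captured from a real site).
WEAK_HTTP = (302, [("Location", "http://www.example.com/home")])
WEAK_HTTPS = (200, [("Set-Cookie", "session=abc123; Path=/"),
                    ("Set-Cookie", "prefs=dark; Secure")])
GOOD_HTTP = (301, [("Location", "https://www.example.com/")])
GOOD_HTTPS = (200, [("Strict-Transport-Security", "max-age=31536000"),
                    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    print(audit_https_setup(WEAK_HTTP, WEAK_HTTPS))
    print(audit_https_setup(GOOD_HTTP, GOOD_HTTPS))
```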
SPDY
Configure your website to run over the SPDY protocol. While SPDY does not help secure websites, it does help the user experience for sites running HTTPS. Web browsers that support the SPDY protocol load secure websites faster. Faster load times will improve the user experience and improve your SEO.
Implementing these measures to secure websites will improve consumer confidence in your brand. This will help your business in the eyes of users and search engines. I strongly suggest you consider these measures for your website.
Thank you and keep building your brand.
This post was originally published as Secure Websites for Brand Builder Websites.