Last week, our team had an “official meeting” about moving our site wisdmlabs.com to HTTPS. Well, the talks had begun ever since Google made an announcement that ‘HTTPS would be a Ranking Signal’, but this was the first real discussion. Personally, I’d have wanted to enable SSL for our site (which is basically what moving to HTTPS means) a long time ago. But there are other factors which come into play, such as Search Engine Rankings. With hundreds of people visiting the site every day, you do not want that affected.
But let’s not get ahead of ourselves. Let’s start with the basics. Even though this whole hoopla about shifting to HTTPS started after Google’s announcement, it’s always better to understand what all of this actually is, and why it is important to enable SSL for your website.
What is SSL? How is SSL Related to HTTPS?
SSL (Secure Sockets Layer) is an encryption protocol. It encrypts the connection made between a browser and your domain, making it secure for data transfer. Communication which happens with this added level of security is what is called an HTTPS connection.
To enable SSL for your domain, you need an SSL Certificate, which is issued by a Certificate Authority. This Certificate tells any browser trying to connect to your domain that a secure, trusted connection can be made. The SSL Certificate is like an ID proof. You have it on you (as in, on your domain) to tell the world that you are a trusted website, and not a spammy one.
I’m not Really Convinced. Do I really Need SSL?
Have you noticed banking websites? For that matter, any financial websites? They all have SSL enabled. And the reason for that is that SSL ensures data security. You do not want such sensitive data to be stolen or tampered with. It’s like this: if money is sensitive data (because, let’s face it, the data on your site is valuable), SSL is the armored car used to transfer that money.
So logically, if you have an eCommerce store, you must move to HTTPS if you want to handle transactions on your site. Or if you handle sensitive data, like Insurance related or Legal data, have a Government website, or want to instill trust in the minds of your visitors, you’d want to move to HTTPS.
But of course there is a cost involved. The SSL certificate itself costs money. And a visitor’s browser also has to check the validity of the certificate before the secure connection is established, which adds to the load time of a page. But if you weigh the pros and cons, the pros out-weigh the cons by a lot.
And finally (and this should be the primary motivating factor for you, if you are not yet convinced), Google has said that it will give a rankings boost to secure sites. And even though they say that “For now it’s only a very lightweight signal… But over time, we may decide to strengthen it”, that should be understood as “We want you to switch to HTTPS, whether you like it or not”.
That’s fine… But what will Happen to my Search Rankings?
If you directly move to HTTPS without taking care of any URL redirection, your site will suddenly disappear from the face of the web. Well, not literally. But it will collapse. The many HTTP hyperlinks within your site, and the external links pointing to your site, will return an error. Search engines will consider your site to be a new site, due to the change in URLs, and your ranking will dramatically drop.
So, then what do you do? How do you safely port your website to HTTPS without affecting search rankings?
Don’t Worry! WisdmLabs Has a Guide for SSL Configuration Best Practices
Below, we have consolidated a list which will not just help you retain your search rankings when you port your site to HTTPS, but will also help you correctly configure SSL and your server. I mean, if you are making the move, you might as well make it right. Your SSL configuration can also improve the performance of your website.
Change the URLs and Redirect Links
After moving to HTTPS, you should update all links in your site to ‘https://’. This would mean changing the URLs of your pages, JS and CSS files and images. It helps if you were using relative paths for files. But you still need to scan through all your files, check for any links, and update them. Make sure to check your database as well for any links. Additionally, you need to redirect all your old URLs so that links from external websites are still able to find your site.
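Here is what the redirection part looks like on an nginx server, as an added example (this is not configuration from the original post or from wisdmlabs.com; `example.com` is a placeholder for your own domain). Every plain-HTTP request is answered with a permanent 301 redirect to the same path on HTTPS, which is the status code search engines treat as “this page has moved for good”, so the old URLs pass their ranking on to the new ones and external links keep working:

```nginx
# Added example (not from the original post): catch all HTTP traffic for the
# site and send it to HTTPS with a permanent redirect.
# "example.com" is a placeholder for your own domain.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # $host keeps whichever hostname the visitor typed, $request_uri keeps the
    # full path and query string, so a deep link such as
    # http://example.com/blog/post/?utm_source=x lands on the same page over HTTPS.
    return 301 https://$host$request_uri;
}

# The HTTPS side that the redirect points at; the TLS settings go here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder path

    root /var/www/example.com;  # placeholder path
}
```

After reloading nginx, check a few old URLs with `curl -I http://example.com/some/page/` and confirm you get a single `301` whose `Location:` header is the `https://` version of the same path, not a chain of redirects. Updating the links stored in your database (post content, option tables, and so on) is a separate step that depends on your application and is not covered by the server configuration.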
Deploy the Chain-of-Trust
When you get an SSL certificate, you get several other certificates with it (a certificate bundle). These certificates validate not just your domain, but the certificate authority as well, and anything in between. When a browser checks whether your certificate is valid, it checks the bundle as well. So you need to ensure that you install all the certificates on your server, so as to speed up browser validation.
Use a Secure Protocol
There are five protocols in the SSL/TLS family. TLS v1.2 should be your main protocol. Do ensure that you disable TLS compression.
Secure Your Cookies
This should be done when configuring your web application. It is optional but recommended. HTTP and HTTPS cookies should be different. This is because HTTP cookies can be changed by external JavaScript, but secure cookies cannot be changed.
Use Secure Cipher Suites
This is a server-side configuration. A cipher suite is the set of encryption methods used to create the secure connection. Some cipher suites offer better security than others, so choose a reliable one.
Enable OCSP Stapling
Every time a browser connects to your domain, it asks the Certificate Authority whether the certificate is still valid. With OCSP Stapling, your server fetches that validation result, caches it, and sends it to the browser along with the certificate, so that the browser does not have to make an additional request to the CA.
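The four server-side points above (installing the chain, limiting the protocol to TLS 1.2, picking cipher suites, and enabling OCSP stapling) all live in the same `server` block on nginx. The following is an added example, not configuration from the original post or from wisdmlabs.com; the domain, file paths and resolver address are placeholders you replace with your own. nginx has no directive for TLS compression: that is controlled by the OpenSSL library it is linked against, which disables compression by default from OpenSSL 1.1.0 onwards, so running a current OpenSSL (see the point on that below) covers it.

```nginx
# Added example (not from the original post). Placeholders: example.com,
# the /etc/ssl/example.com/ paths and the resolver address.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Chain of trust: the file nginx serves must hold your own (leaf)
    # certificate FIRST, followed by the intermediate certificate(s) from the
    # CA's bundle. Build it once, e.g.:
    #   cat example.com.crt intermediate.crt > fullchain.pem
    # The root certificate is not needed here; browsers already have it.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Protocol: TLS 1.2 only, as recommended above. SSLv3 and TLS 1.0/1.1 are
    # simply not listed, so clients cannot negotiate them.
    ssl_protocols TLSv1.2;

    # Cipher suites: ECDHE key exchange (forward secrecy) with AEAD ciphers
    # only. No RC4, no 3DES, no NULL or export-grade suites. With
    # ssl_prefer_server_ciphers the server's order wins over the browser's.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    # OCSP stapling: nginx asks the CA's OCSP responder itself, caches the
    # signed answer and attaches it to the handshake, so the browser skips
    # its own round trip to the CA.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Intermediate + root certificates used to verify the stapled response.
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;
    # nginx needs a DNS resolver to look up the OCSP responder's hostname.
    resolver 192.0.2.53 valid=300s;   # placeholder: use your own resolver
    resolver_timeout 5s;

    root /var/www/example.com;  # placeholder path
}
```

Two checks worth running after the reload: `openssl s_client -connect example.com:443 -showcerts` should print your certificate followed by the intermediate(s) with `Verify return code: 0 (ok)`, which confirms the chain is complete; and `openssl s_client -connect example.com:443 -status` should show an `OCSP Response Status: successful` section, which confirms stapling works. If the stapling check shows `OCSP response: no response sent`, make a second connection: nginx fetches the first OCSP response in the background, so the very first handshake after a reload has nothing to staple yet.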
Caching Done Right
You should cache all public resources (such as CSS, JS and images) and disable caching of sensitive content (pages which handle transactions, for example, should never be cached). You could also implement xCache, which is server-side caching, to further reduce execution time.
Deploy HTTP Strict Transport Security (HSTS)
What this does is ensure that once your domain has been verified as secure, all further requests from that browser are sent over HTTPS, even if they initially started out as HTTP.
Maintain a Persistent HTTPS Connection and Sessions
Ensure that you keep a live (persistent) connection for all files (CSS, JS and images), rather than a new connection per file, to reduce load time. It’s also recommended to save and resume user sessions.
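The last three points (caching, HSTS, and persistent connections with session resumption) in one nginx `server` block, as an added example that is not configuration from the original post or from wisdmlabs.com. The domain, paths and the `/checkout/` and `/my-account/` path names are placeholders; “save and resume sessions” is read here as TLS session resumption, which is what the `ssl_session_*` directives do. One nginx behaviour to know before copying: `add_header` directives set in a `location` block replace, rather than extend, the ones inherited from the `server` block, which is why the HSTS header is repeated inside each location that adds its own headers.

```nginx
# Added example (not from the original post). Placeholders: example.com,
# the /etc/ssl/example.com/ paths and the /checkout/ and /my-account/ paths.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # HSTS: after the first HTTPS visit the browser rewrites http:// links to
    # https:// by itself for max-age seconds (one year here). "always" sends
    # the header on error responses too. Start with a small max-age (e.g. 300)
    # while you test: a long max-age cannot be taken back from browsers that
    # already saw it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Persistent connections: keep the TCP+TLS connection open between
    # requests so CSS, JS and images reuse it instead of paying a new
    # handshake each time.
    keepalive_timeout  65s;
    keepalive_requests 100;

    # Session resumption: cache TLS session parameters in memory shared by all
    # worker processes (about 4000 sessions per megabyte) so a returning
    # browser does an abbreviated handshake.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    root /var/www/example.com;  # placeholder path

    # Public static resources: let browsers and proxies cache them for 30 days.
    # "expires" sets both Expires and Cache-Control: max-age.
    location ~* \.(css|js|png|jpe?g|gif|svg|woff2?)$ {
        expires 30d;
        # Repeated because this location's add_header replaces the inherited set.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    # Sensitive pages: "no-store" tells browsers and proxies not to keep a
    # copy at all; "private" keeps shared caches out even if they ignore it.
    location ~ ^/(checkout|my-account)/ {
        add_header Cache-Control "no-store, private" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # ... your application handler (e.g. fastcgi_pass) goes here ...
    }
}
```

To confirm the headers, compare `curl -sI https://example.com/wp-content/some.css` (expect `Expires`, `Cache-Control: max-age=2592000` and the `Strict-Transport-Security` header) with `curl -sI https://example.com/checkout/` (expect `Cache-Control: no-store, private` and, again, the HSTS header). If the HSTS header is missing from either response, an `add_header` in that location has overridden it.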
Use Latest OpenSSL software
Since older OpenSSL versions have been affected by vulnerabilities such as Heartbleed, the BEAST attack and CVE-2014-0224, it’s best to run the latest OpenSSL software version.
Encrypt Your Entire Website
HTTPS for everything. Period.
That was a Piece of Cake… Right?
I get that you may not have understood all of the above all at once. And that’s okay. You need to do a lot of research before going forward with such configuration and set-up. So I’ve tried to help, based on my experience of porting client sites to HTTPS. If you have any questions for me, feel free to leave them in the comment section below! Oh yes, and soon you should find SSL enabled on our site as well 😀