Web security – especially the encryption mechanisms behind it – is often little understood by marketers, even those with technical understanding. It’s no surprise then, that the responsibility of maintaining website assets such as Security Certificates often falls to the IT department or web design company who may not see the additional benefit for marketers and end consumers that careful selection brings.
The reality is that website security is more important than ever, with Google itself recognising the need for improved security with it’s announcement that site security is now a ranking factor (explained later). Marketers must understand and implement the right security solution for their business and their users.
Here I’ll explain:
- Encryption levels
- HTTPS as a ranking factor
- User experience considerations
- Why invest in website security
- How to obtain and implement a security certificate
It’s also worth noting that the Impression website is itself using the extended validation security certificate, which is evident in the green bar you see in your browser bar now and the use of HTTPS in our URL.
Encryption level options
Encryption is the process of encoding information so it cannot be understood by unauthorised parties; it doesn’t stop the information being intercepted, but it does obfuscate the content so the intercepter can’t use it.
This process is typically associated with ecommerce sites, where a user is making a purchase and thus inputting sensitive data such as credit card details, which must be encrypted to ensure their safety.
A quick scout around the web shows that, although many ecommerce website checkout processes and ‘my account’ areas are in fact secured, many businesses have chosen not to encrypt their entire site. And it used to make good sense not to do so. Connections that are encrypted are a lot ‘heavier’ – they consume more bandwidth and take longer to send data. This meant that users could be faced with a longer load time, which adversely affected their experience on the site. By choosing to only encrypt the sensitive parts of the website, webmasters were able to reduce load time and server requirements.
Today though, server and browser technology is improving and fewer and fewer users remain on outdated devices and software. Compression of files sent over the web has also markedly improved. This means that as the number of communications required to establish the connection is increasing, the physical data size is decreasing, countering what would have previously been an issue and that encrypted sites can load quickly. For the tech readers out there, check out initiatives such as SPDY. This means that we’re seeing far more instances of entire ecommerce websites being encrypted and also of non-ecommerce sites investing in better website security for their users, too.
It’s important to remember that an unencrypted browsing session is just that – unencrypted. Although it can be unlikely, malicious users with at least some access to a web server can form man-in-the-middle attacks which effectively fool users into giving away information under the illusion that the website they are communicating with are secure. Security professional Jim Shaver details the case for using TLS security further here.
For anyone who hasn’t already, now is the time to invest in securing your entire website.
HTTPS as a ranking factor
In August 2014, Google announced that HTTPS would be introduced as a ranking factor, where businesses which has invested in a security certificate and therefore have domains prefaced with ‘https’ rather than ‘http’ would be given a boost in the search engine results pages – potentially over their non-secure counterparts. They are taking website security seriously and we see this in two main ways:
1) The introduction of the use of HTTPS as a ranking signal, meaning websites using HTTPS have an (albeit small) advantage over those on HTTP in the rankings;
2) The announcement that Google Chrome will serve an ‘unsecure connection’ warning when a user tries to access a site not using HTTPS
Both of these things combined spell out quite clearly the necessity for your business website to be running on HTTPS. Even if the use of HTTPS is, as Google suggests, only a “lightweight signal” in deciding who ranks where in the search results, you can be fairly sure that users will in the short-medium term begin to prefer these sites. HTTPS isn’t a requirement – your site will still work over standard HTTP (no green padlock) – but you will be at an advantage if you move to HTTPS.
Additionally, the growing expectation is that the web will soon be encrypted end-to-end following the Snowden NSA incident, amongst other security breaches of late. Watch Google’s call for “HTTPS everywhere” at Google IO 2014 here.
Web security and user experience
User experience is an important part of digital marketing. When a user has a positive experience on your site, they’re more likely to be engaged with your brand, your content and to make a purchase or submit an enquiry. Google also recognises this need and seeks to provide its users with a positive experience too. This means that Google values sites with a more positive user experience above those which are difficult or confusing to use, which is why HTTPS impacts the search results.
As far back as 2000, renowned usability expert Jakob Nielsen was laying out the best practices associated with securing a website with relation to passwords. He explained that the complexity of passwords doesn’t necessarily correlate with the security of a site and that, in fact, users would write down more complex passwords making them more liable to security breaches. For Nielsen, security is a UX consideration where the site must account for how real people behave.
Since that time, marketers have continued to postulate the impact of security upon user experience and on the conversion rate of a site. And savvy marketers are investing in security as a method of increasing website engagement, enquiries and ultimately sales the business makes online. When people feel your site is safe and secure, they are more likely to trust that their money and details will be secure too.
I found an interesting data set that’s a little dated now showing US consumer preference of trust marks and seals. Whilst this doesn’t prove a point that consumer preferences are towards sites that employ additional security, it does show how users trust those with additional trust marks more. I suspect that now, two and a half years after the original study, less people would respond “don’t know”.
Technical digital marketing: your security investment
From a digital marketing perspective, security is an essential element of a campaign’s success. By investing in security, conversion rates are improved and search visibility can also be increased.
With the cost of security certificates falling as demand increases, the annual cost of securing a website with a best-in-class Extended Validation (EV) security certificate can cost as little as £100 per year. In some respects with security certificates you get what you pay for, however, once you’re using a validated certificate the higher costs are for better perks, which usually include insurance for transactions processed through it.
Moving to a secure site: what you need to do
By now, you should be convinced of the necessity of website security and therefore ready to invest in a security certificate for your website. Here are your next steps:
1) Choose the certification level
There are a number of options available to you when selecting your certification level and you’ll need to find a trusted provider of the certificate of your choice. The main options are:
Extended validation (EV) SSL certificates
An EV certificate is awarded to a website once the Certificate Authority has confirmed the applicant has the right to use the domain they have put forward and verified that ownership. According to information from Global Sign, this vetting process includes:
- “Verifying the legal, physical and operational existence of the entity
- Verifying that the identity of the entity matches official records
- Verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate
- Verifying that the entity has properly authorized the issuance of the EV SSL Certificate”
Once the EV certificate is granted, the website will show a green padlock bar in the browser bar, like this:
Organised validation (OV) SSL certificates
The Certificate Authority will check your right to use the domain with some vetting of your company, but to a lesser extent than the EV certificate.
Domain validation (DV) SSL certificates
The Certificate Authority will check your right to use the domain, but with no checks of your company.
The Extended Validation EV certificate is therefore the most secure and the version we recommend selecting for your business website. The presence of the green bar is a great trust signal for your business too, helping users to immediately see a clear signal of your trustworthiness and therefore to feel comfortable buying from your site.
2) Install the certificate on your server
You’ll need to install your certificate onto your server, something that may be included in your certificate purchase or that your web designer can do on your behalf. It’s important to consider that moving from HTTP to HTTPS means essentially changing your domain in the view of some software you may use, so it’s essential you implement appropriate redirects from the http version to the new https versions of every single page on your site, and that over time you check the internal links have been updated too to ensure you keep all traffic browsing in HTTPS.
3) Add the HTTPS version of your site to Google Webmaster Tools
This will enable you to manage the HTTPS version as well as marking this version of your site as the preferred version for indexing. Through using Google Webmaster Tools (edit: now Search Console) you’ll be able to see visibility shift from your non-secure website over to the secure version. You’ll also be able to pick up on 404 – page not found – issues if any are to arise during the switch, too.
What if you’re without a valid TLS 1.2 certificate?
I often purchase suits and shirts from the UK brand TM Lewin, and I was in looking at their website before writing this article. Unfortunately for their marketing and IT team, they’ve made an excellent example for me; its certificate is using the outdated TLS 1.2 standard.
TM Lewin is also an interesting example as the site is deployed via a cloud application. Running HTTPS web applications and websites on cloud instances (where you’re not always using one server and one IP) can create some element of complexity, though it’s not something that cannot be overcome. Google’s cloud service AppEngine, and Amazon’s Elastic Beanstalk/EC2/S3 supports this.
TM Lewin is already doing much of the work they need to ensure that any slow down in speed is countered, such as using content delivery networks to deliver assets. However, they aren’t scoring 80+ in a test at http://tools.pingdom.com/ for a secure page. Some of this can be attributed to the external services the site relies on, such as web fonts, analytics and external basket abandonment apps, but some elements such as preventing bad requests are avoidable.
In addition, the form on the page posts the data entered into it elsewhere on the website. This is usually fine, however in this case, as the destination is not a secure page (as the entire site is not secure, odds are that this is common throughout) then the data entered, even on a secure page, is no longer secure.
To identify issues like this, look in your browser console for something that looks like this:
Mixed Content: The page at ‘…’ was loaded over a secure connection, but contains a form which targets an insecure endpoint ‘…’. This endpoint should be made available over a secure connection.
Wrapping this up
Website security certificates are important. They’re great for users who will continue to value secure websites meaning conversion rates are likely to increase. Search engines are continuing to value “HTTPS everywhere” too, so secure website visibility is likely to benefit in some way in the short term too.
I’d really strongly recommend getting a plan together for all businesses who are not yet planning on going secure. Get in touch in the comments below if you have any questions or comments, and I’ll get back to you as soon as possible.
If you think we could help improve your website’s visibility in search, get in touch.