Does Your Solo Practitioner Website Use "Always on SSL"?

January 16, 2018

"Always on SSL" will not only keep your website safer but can help with your Google page ranking

It's a big bad world out there, and website hacking is a real thing (see WordPress Sites Attacked Again). If your solo practitioner website is not secure, not only is it vulnerable to defacing, but it can also be held for ransom, or, worse, be used to infect other websites and computers.

One step you can take toward greater security is to use "Always on SSL," which encrypts the traffic between your website and its visitors. We regard this as so important that we build all of our websites with it - and have never had any of them hacked. And while greater security is the goal, there's also another benefit: Google uses "Always on SSL" as a page-ranking signal, giving your SSL site an advantage over non-SSL sites.

Key points:

  1. SSL stands for "Secure Sockets Layer," which allows encrypted communication between a visitor's browser and a web server. In layman's terms, it's the green padlock you see when going to a secure website.
  2. SSL is common for shopping sites, and is becoming increasingly common for content websites.
  3. Google has pushed for the concept of "Always on SSL," which is the idea that every website should use SSL in order to create a safer web environment, especially on mobile, where routers can be easily spoofed and "man in the middle" attacks are exceedingly easy.
  4. Google uses SSL as a page ranking indicator.
  5. They have not announced that they will penalize sites without SSL, but this follows the same pattern as their "mobile friendly" mandate from April 2015.
  6. We expect that Google will follow suit and start dramatically penalizing sites without SSL.
  7. We make all the sites we host Always on SSL. 

Definitions

HTTP (Hypertext Transfer Protocol) is how webpages are transmitted to your computer. Unfortunately, it's an insecure protocol and can be intercepted easily by hackers.

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP and is the standard whenever you're sending sensitive information over the web, such as credit card or personal information in a checkout process.

SSL (Secure Sockets Layer) is how a computer establishes a secure and encrypted connection between a web server and a person's browser (or email program).

Always on SSL is the concept of always using SSL regardless of the type of content. Always on SSL is also sometimes called "HTTPS Everywhere." Always on SSL seems to be the more popular term, so we'll use that for this article, but they mean the same thing.

The Padlock

HTTPS is visually displayed in browsers (and most apps) as a padlock. This is what it looks like in several popular web browsers:

[Image: the SSL padlock as shown in different browsers]

Problems with HTTPS/SSL

Back in the day, there were problems with HTTPS/SSL that made it impractical for content-oriented websites. Most of those roadblocks are no longer an issue.

  1. It used to be that HTTPS made websites slower because browsers and computers were not as powerful as they are today. The repeated cycle of encryption -> transmission -> decryption caused a perceptible lag in page load times.
    • These days there is little concern about lag or latency because it is generally imperceptible to a human, and the benefit far outweighs a delay of a few milliseconds.
  2. SSL Certificates used to be expensive, so unless there was a good reason for SSL (like ecommerce or form data transmission that was transmitting private information) it was generally not used.
    • That meant that MOST content-oriented sites did not use SSL because there was no perceived reason to do so.
    • These days SSL Certificates are relatively inexpensive (under $75/year), and, therefore, now much more attractive to solo practitioners.
    • Because of the cost reduction and increased security risk (or perhaps more importantly stated: increased awareness of the security risk), many websites are starting to use HTTPS/SSL all the time, not just in ecommerce or form data.
  3. Until relatively recently many services were not available in HTTPS/SSL. For example, websites often use third-party JavaScript files hosted on a content delivery network (or CDN), but the CDN did not have an SSL certificate.
    • Mixing secure and insecure content on a page causes the browser to report that the page contains a mix of secure and insecure content - this warning will probably alarm a visitor.
    • Now many more third-party platforms offer their scripts and tools using HTTPS/SSL, which removes the mixed content problem.

Why SSL matters

The web is a much scarier place than most of us would really like to admit.

It's easy for bad guys to intercept web traffic, and even seemingly benign browsing can expose a tremendous amount of information about an individual user. Without much effort, normal browsing on an open wireless network can divulge information such as name, location, email address, content of email, web pages visited, current or planned activity, who you're communicating with, their information, etc.

This allows the bad guy to build up a personal profile of you and sometimes of those you communicate with. Add in social media and it gets even more dicey because with a name and a location, one could likely get a picture and potentially information about activities, habits, preferences, family, etc.

There is a really good summary of what can be casually gathered by a third party "listening on the wire" in the NPR podcast, Planet Money, Episode #548: Project Eavesdrop, which is about 15 minutes long. Go ahead and take a listen. After you pick your jaw back up off the floor, keep reading.

Privacy and Trust

In short: after Edward Snowden showed the world that lots of folks have access to lots of data, security and privacy became a much higher priority in the minds of both consumers and businesses alike. In a recent Pew Research poll, 93% of adults say that being in control of who can get information about them is important. According to the same poll, many people have taken steps to help ensure their own online privacy.

Some of the more common activities include:

  • Clearing cookies or browser history (59% have done this).
  • Refusing to provide information about themselves that wasn’t relevant to a transaction (57% have done this).
  • Using a temporary username or email address (25% have done this).
  • Giving inaccurate or misleading information about themselves (24% have done this).
  • Deciding not to use a website because they asked for a real name (23% have done this).

So security and privacy ARE on your solo practitioner website visitors' minds. Making sure SSL is used at all times on your website is an obvious and simple first step you can take to help instill a sense of trust by demonstrating that you're concerned about their security and privacy through the simple act of encrypting your website.

Having a privacy policy and actually living up to that policy is a good second step, but that's the subject of another article. 

Google and Always on SSL

Always on SSL is viewed by most experts as a good thing, because if the communication is encrypted, then your activity cannot be read or tracked, even if the transmission is intercepted - this leaves both the website visitor and owner more protected.

Google has openly stated that it thinks Always on SSL is a good thing and has started to incentivize individual website owners to adopt HTTPS/SSL by using it as a ranking signal. That means if all other things are equal between two websites, the website that is delivered via HTTPS will have a higher page rank than the website that uses simple HTTP.

This form of technical/social/behavioral engineering is not uncommon for Google, which flexes its juggernaut stature from time to time. In April 2014, it did the same thing with its Mobile Friendly initiative by making whether or not your website is mobile friendly a major ranking signal when searching from a mobile device. Given that over 50% of Google searches are performed from a mobile device, guess what: many more sites are now mobile friendly. And guess what else? The same has been true for over a year regarding Always on SSL (see the Wired article, "Half the Web Is Now Encrypted. That Makes Everyone Safer").

So what are you waiting for? Keep your solo practitioner website and your clients safe by increasing your website security - and potentially increase your page ranking all at the same time.

Be well (and be safe out there)!

Have additional questions? Contact us. No pressure - we’re happy to help!

-Todd & the AttyHub Team

 

Sources and Additional Exploration

Original Google Announcement about SSL as a page ranking signal:
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

Good primer by Symantec, a leading SSL Certificate Authority
https://www.symantec.com/page.jsp?id=always-on-ssl

A slightly scary podcast about security and what can be detected by casual web browsing
http://www.npr.org/sections/money/2016/07/29/487970769/episode-548-project-eavesdrop

Another good framing of the Google SSL page rank announcement
http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446

An article that explores any potential downside to SSL (upshot: there is none)
http://searchengineland.com/google-want-to-switch-to-https-go-ahead-140068

The White House went Always on SSL and you should too!
https://www.globalsign.com/en/blog/whitehouse-implements-always-on-ssl/

Interesting study by Pew about public privacy perceptions after Snowden
http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/

Another good study by Pew about American attitudes surrounding privacy, security and surveillance
http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/

Harvard Business Review on handling consumer data with transparency and trust as a central tenet
https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust