Are You the Master of Your Website Domain?


When scrolling through websites, have you noticed anything different in your browser lately? If not, then log on to Google Chrome and direct your attention to the upper left-hand corner of the address bar. There you will learn if the site you are visiting is “Secure” (using the prefix HTTPS, for Hypertext Transfer Protocol Secure) or “Not Secure” (using the prefix HTTP, for Hypertext Transfer Protocol).

The effort to create a secure online experience is nothing new. In fact, security was a concern long before the Internet became available to the public. As the Internet transformed from a private network of engineers and computer scientists to the Information Superhighway, and beyond, the matter of security grew in significance.

HTTP was introduced in 1991 as the foundation of data communication for the World Wide Web. Yet, when you load a website over plain HTTP, anyone on the network can view information going back and forth, or even modify the contents of the site before it gets to you, since your connection to the site is not encrypted.

Software developer Patrick Teglia says, “Netscape created the HTTPS prefix in 1994, to be able to ensure that the website you think you are visiting is the actual site.”

Making the Case for HTTPS

In recent years, Google has led the charge to encourage migration of websites to HTTPS. To that end, they began differentiating between HTTP and HTTPS sites with the introduction of the Chrome 68 browser, in July 2018, by flagging HTTP sites with a “Not Secure” warning, and validating HTTPS sites as “Secure” with the image of a closed padlock.

With HTTPS sites, all communications between your browser and the website are encrypted, and the site identifies itself with a digital certificate. This blocks eavesdroppers, while also protecting the transmission of sensitive information such as passwords and credit-card data. “The certificate is a file that resides on the host domain,” Teglia points out. “In most browsers, it can be viewed by clicking on the padlock.”

He continues, “The primary benefit to updating your website to the HTTPS protocol is to ensure that your visitors know that their browser is communicating directly with the intended website. In other words, there is a direct line of communication between the viewer’s browser and your website, which is basically secret because of its encryption.”

While not always the case, Teglia brings up another possible benefit to securing your entire site. “Sometimes this can make your site run faster, particularly on shared hosting,” he says.

What’s more, HTTPS is widely viewed as the future of the Web. “Many new, cutting-edge web features depend on HTTPS to function,” Teglia adds. “Driving the industry to HTTPS will make it possible for users to see these new features, such as progressive web apps, offline-app experiences, and more.”

If these advantages are not convincing, Teglia points to several issues with not enabling HTTPS on your domain. “For one thing, since Google now gives priority to properly secured domains, an HTTP site will be penalized in Google's search rankings, making it harder to find,” he says.

“Viewers who do end up on your site will likely see the ‘Not Secure’ warning, or additional alerts such as ‘Google Chrome couldn't verify the authenticity of this website,’” says Teglia. “These are scary messages that tend to spook website visitors, leading people not to trust your site.”

Most concerning, however, is the fact that not taking the necessary steps to secure your domain could make it vulnerable to "man-in-the-middle" hacking attacks. “This is especially important if you sell anything through your site, or accept credit cards,” he points out. “The information between the browser and the website can be redirected to a malicious site, or the traffic can be quietly collected, putting both payments and personal information at potential risk.”

Securing Your Domain

The process for updating a basic domain to HTTPS is free of charge, and it can likely be handled through a quick chat with your web host. “Almost all web hosts have simple methods for providing a valid certificate, and most content management systems, such as WordPress, or Drupal, make it easy to implement HTTPS,” Teglia says.

Yet, it’s important to note that free host-provided certificates are limited to providing domain validation. “This is great for sites that don’t involve credit card transactions, or collect personal information,” says Teglia. “But when e-commerce is involved, you’d need a higher level of trust, and would want to pursue a Business Validation or Extended Validation certificate. These are not free, and take a bit more effort to achieve, and usually require a static IP address, and validation of the business.”
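The validation level described above can be read from the certificate a site presents. The following is an added example, not code from the article or from Teglia: it applies a subject-field heuristic (domain-validated certificates carry no organizationName, while Extended Validation certificates add business registration fields) to the dictionary shape returned by Python's `ssl` module. The sample certificates, `fit_for_purpose` and `handles_payments` are constructed for illustration.

```python
import socket
import ssl

# Subject fields that Extended Validation certificates carry in addition
# to organizationName.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def fetch_cert(host, port=443):
    """Fetch a live site's verified certificate (needs network; not called here)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {name: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic only: the authoritative signal is the certificate policy OID."""
    fields = subject_fields(cert)
    if not fields:
        raise ValueError("no subject: certificate missing or not verified")
    if "organizationName" not in fields:
        return "DV"  # domain control was checked, nothing about the owner
    if EV_FIELDS.issubset(fields):
        return "EV"  # legal entity and registration were checked
    return "OV"      # organization checked ("Business Validation" above)

def fit_for_purpose(cert, handles_payments):
    """Article's rule of thumb: DV is fine unless e-commerce is involved."""
    level = validation_level(cert)
    return level, (level != "DV" or not handles_payments)

# Constructed sample certificates (not real sites).
DV_CERT = {"subject": ((("commonName", "blog.example"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Org"),),
                       (("commonName", "www.example.org"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Shop Inc."),),
                       (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for name, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(name, fit_for_purpose(cert, handles_payments=True))
```

To check a real site, pass the result of `fetch_cert("your-domain")` to `validation_level` in place of the sample dictionaries.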

Why Are We Telling You This?

Beyond the public service value in educating readers who may currently have an unsecured website, there is an additional reason for getting site owners to adopt the HTTPS standard. As noted above, Google penalizes unsecured domains by lowering the site’s Internet search ranking in its algorithm. When a site such as the Explora blog publishes links to an unsecured website—an HTTP website from an individual photographer, for example—the act of propagating insecure links could negatively affect the search ranking of the hosting website. That is a huge business risk, which could result in very serious consequences. Due to this fact, we can no longer publish links to unsecured websites.

Yet, given the combined benefits of enhanced security, improved search ranking, and access to the latest tools, taking the small amount of time generally required to secure your web domain seems like a no-brainer. And Patrick Teglia couldn’t agree more. His parting advice: “If you haven’t already secured your domain, you should do it. You’ll see increased traffic, better rankings, and you’ll sleep better at night!”

Have you made the switch to HTTPS yet? Are you worried when you see that “Not Secure” notification when browsing the Web? Please feel free to share your thoughts and questions on the subject in the Comments section, below!

A senior-level software developer and team lead for clients such as the U.S. Forest Service and NBC Universal, Patrick Teglia is primarily focused on architecting solutions for organizations using Open Source tools such as Drupal, WordPress, and Magento Commerce. Previously, he was a Security+ certified auditor of credit unions and banks, in Washington State. Outside of work, he enjoys photography, gaming, and spending time with his family in the Pacific Northwest.