HTTPS: “that means my website’s secure, right?”

It’s a misconception we hear far too often: that an HTTPS website with that little padlock will keep the website’s data secure. Unfortunately that’s not quite true, as HTTPS only secures the connection, not the data itself.

What is HTTPS?

HTTPS secures the connection between the user’s web browser and the web server with an SSL certificate. Data sent between the two points is encrypted (apart from the header information). This prevents a man-in-the-middle attack, where a third party intercepts the data in transit.

Once the data hits the server, it’s decrypted and interpreted in plain text by the web server.

There are a couple of drawbacks with HTTPS connections:

  • added overhead with each connection: the data must be encrypted then decrypted for each connection, which can potentially increase the load time of the website. The effect may not be noticeable for the end user, but can mount up on the server side, affecting the number of simultaneous connections it can process.
  • generally no browser caching for secured content: as the data was received securely, many browsers won’t store a copy of the data in the local cache. Static elements such as images must be downloaded each time they’re requested. It is possible to work around this by setting cache-control and expiry headers, but this is not always supported.

Are there any SEO implications?

There are potential duplicate content issues when using HTTPS if the same content is accessible through both secured and insecure connections. A 301 redirect when the site is accessed through the incorrect protocol is the preferred method; canonical tags can also be used as a workaround.
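To check which of the two methods a page actually uses, the sketch below classifies the response returned for the non-preferred protocol. It is an added example, not code from this article; the function name `audit_variant`, the result labels and the `shop.example` responses are constructed for illustration, and HTTPS is assumed to be the preferred protocol.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _CanonicalFinder(HTMLParser):
    """Collects the href of the first <link rel="canonical"> tag."""
    def __init__(self):
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rels and self.href is None:
            self.href = a.get("href")

def _same_page(url, other, preferred):
    """True if `other` is `url` on the preferred scheme (same host, path, query)."""
    u, o = urlsplit(url), urlsplit(other or "")
    return (o.scheme == preferred and o.hostname == u.hostname
            and (o.path or "/") == (u.path or "/") and o.query == u.query)

def audit_variant(url, status, headers, body, preferred="https"):
    """Classify how the non-preferred-protocol copy of a page is handled."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status == 301 and _same_page(url, location, preferred):
        return "ok-301"                   # the preferred method
    if status in (301, 302, 303, 307, 308):
        return "redirect-needs-review"    # not a 301, or wrong target
    finder = _CanonicalFinder()
    finder.feed(body)
    if status == 200 and _same_page(url, finder.href, preferred):
        return "ok-canonical"             # the workaround
    return "duplicate"                    # same content on both protocols

# Constructed sample responses (assumed host shop.example, not real traffic).
SAMPLES = [
    ("http://shop.example/checkout", 301, {"Location": "https://shop.example/checkout"}, ""),
    ("http://shop.example/about", 302, {"Location": "https://shop.example/about"}, ""),
    ("http://shop.example/blog", 200, {},
     '<head><link rel="canonical" href="https://shop.example/blog"></head>'),
    ("http://shop.example/faq", 200, {}, "<head><title>FAQ</title></head>"),
]

if __name__ == "__main__":
    for url, status, headers, body in SAMPLES:
        print(url, "->", audit_variant(url, status, headers, body))
```

Pages reported as `duplicate` are the ones still reachable with identical content over both protocols.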

Search engines have no problems accessing secure content, and don’t favour one protocol over the other.

Great, so when must I use HTTPS connections?

Put simply: whenever there is a transaction of sensitive data. What are the potential implications for you and your client if the data was intercepted?

In some cases this may be an entire website, but for most it will be the checkout or restricted access section of a website.

