You may have noticed the little padlock (or lack thereof) in the URL bar when you visit a website. If you use the Chrome browser, you will see a blatant "Not Secure" message preceding the URL if a website does not employ encryption. In layman's terms, the padlock simply means that all communication between your browser and the server hosting the website is encrypted.
Why is Encryption Important?
The most obvious reason is that the site is more secure. First, HTTPS relies on a pair of keys, which prevents a server without the proper key from pretending to be a site it is not. Second, it means that no one can decrypt the information without the correct key.
The more important thing to know is why it is important to you, even if you're not processing payments or collecting sensitive information on your website.
- It inspires trust - it lets people know that any inquiries they make through your site are secure. Many people inherently don't trust sites without the encryption padlock. This is especially true now that the Chrome browser specifically states that your site is "Not Secure" unless it's running through HTTPS.
- Even if your customers are not logging into your site - you probably are, especially if you're running a CMS like WordPress. Unencrypted login information is dangerous, especially if a web host has been compromised. Hosting services that primarily serve WordPress sites are especially vulnerable if sites and plugins aren't updated regularly, as their popularity means that they are also the number one attack vector.
- It improves your SEO ranking. Google gives your site a bit of a rank boost for running exclusively over HTTPS.
Is My Site Secure?
It's easy to check. You can use the Qualys SSL Server Test to thoroughly test your site and grade your security.
How Do I Secure My Site?
In order to serve your site via HTTPS, you need a TLS certificate. Until recently, obtaining and installing a TLS certificate was not a trivial matter. It required that you purchase a costly certificate from a certificate authority, and it required someone with advanced web server configuration skills to install and enable the certificate for you.
Now, thanks to Let’s Encrypt, a non-profit certificate authority that launched in 2015, it's a much easier process. Anyone can obtain a free certificate, and a project known as Certbot allows your hosting provider to both obtain and install a certificate for you in a few minutes.
These certificates are perfectly fine for the vast majority of websites. Sites whose primary function is to handle large numbers of financial transactions, such as banks, will still want to purchase certificates. This is not because the purchased certificates encrypt better; it's simply that the certificate authority verifies and documents the identity of the person or organization securing the certificate.
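The following Python example is added here and is not from the original article. It summarizes a certificate in the format returned by Python's `ssl.getpeercert()`, showing the documented-identity difference described above and how many days remain before expiry. The sample certificates, CA names and domains are constructed, and the validation-level rule is a heuristic based on subject fields.

```python
import socket
import ssl
import time


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live site's certificate; chain and hostname are verified first."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _flatten(name):
    # getpeercert() names are tuples of RDNs, each a tuple of (field, value) pairs.
    return {field: value for rdn in name for field, value in rdn}


def summarize_cert(cert, now=None):
    now = time.time() if now is None else now
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    # Heuristic (assumption): domain-validated certificates name no organization;
    # organization-validated ones do; extended validation adds businessCategory.
    if "businessCategory" in subject:
        level = "extended"
    elif "organizationName" in subject:
        level = "organization"
    else:
        level = "domain"
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "validation": level,
        "documented_org": subject.get("organizationName"),
        "days_left": int((expires - now) // 86400),
    }


# Constructed sample data in getpeercert() format (not real certificates).
SAMPLE_NOW = ssl.cert_time_to_seconds("May  2 12:00:00 2030 GMT")
FREE_CERT = {
    "subject": ((("commonName", "blog.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
PAID_CERT = dict(FREE_CERT, subject=(
    (("organizationName", "Example Bank Ltd"),), (("commonName", "bank.example"),)))
```

For a live site, pass the result of `fetch_cert("your-domain")` to `summarize_cert()`; a negative `days_left` means the certificate has already expired.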
If your site is not secure, the best thing to do is to contact your hosting provider. Chances are they can take care of this for you quickly and with minimal expense. In fact, many hosting services now provide certificates at no cost when you set up a new domain with them. At Axion Arts, we've been providing free certificates and certificate setup since the beginning of 2017.