2: Learn about making your site HTTPS

2: Learn about making your site HTTPS

Episode Two is all about getting your website to be secure using HTTPS, why this is now a thing, and what you need to know to make sure you get your site changed over, and take care of all the bloody business behind the scenes to make sure it's done properly.

Resources for this Episode

Checklist for http -> https migration by Aleyda Solis READ IT

Darryl: Welcome to my bloody website, the show where we talk all things online. The small and medium businesses owners or executives who still refer to their bloody website. I'm your co-host, Darryl King.

Edmund: And I'm Edmund Pelgen.

Darryl: Okay, welcome to the podcast, welcome out Ed, good to see you. This is episode 2, and we're talking about your site, must be HTTPS and Why.

Edmund:  Now mate, you need to tell me, the average punters not gonna know what the heck is HTTPS, I still have this conversation today and I say HTTPS and say, "what's that?", and I say, " secure certificate do you know what that is?". So why don't you explain it to me? What is it?

Darryl: Okay and I got to be careful we don't go too technical because we don't want to ... the easiest way I explain it to people is when you got to a website and there the little green padlock up in the top of your browser or whatever color padlock it might be for what browser you use. You know that the sites secure and you trust it. It's secure if it's done properly using a secure socket layer or a security certificate. An SSL certificate that is installed for your website and that uses the HTTPS protocol. So websites used to be HTTP, now there's an S on the end of them and that indicates that it's secure, if it's done correctly, so if you see the padlock and it says the word secure, then we know that the site is secure, so that's the basic terms of what it is.

Edmund: Now I actually said that to someone and they said, "well what does that mean?", and so what does that really mean when it's secure?

Darryl: Okay, the data that's ... okay, let's get back and do a 101 website kinda basic things. When you visit a website and you interact with the website, between your computer and where the website lives on the hosted server, there is a transmission of data that things go round, so data could be an image, the logo on a website, and that image is sent to you and it's broken up into things called packets, and there's all sorts of stuff about it ... it's very clever. The browser that you're looking in or the device that you're looking on knows that it should receive this. It's broken up into little packets and it re-compiles them again so that everything looks right when it gets to your machine. That's done or was done for many years over HTTP, which is general protocol. Now the data that's being transmitted is wide open, it's not encrypted, it's visible. Now does that really matter? Well on my webpage where I wax on about we're a wonderful service provider and we do this and we do that, no it doesn't really matter whether that's secure or not. Where it matters of course and where it always mattered was when you were selling stuff.

Edmund: Like in eCommerce?

Darryl:  Yeah eCommerce shop, cause when I put I'm putting in my credit card data right, then I don't want it being transmitted as all the numbers and my expiry date, because then someone could see that, so if it's sent over HTTP, if it's not secure, that data is technically visible. Now, not to the average person, I can't see it, its gone through the ether, but if someone was able to hack into that data stream between you and that connection, and we won't talk about how they might do that, but it's very possible they could do it. They can then take that data out and they can see it and it's in plain text, so what HTTPS does is it allows an encrypted connection between the destination and the sender, so that data is now encrypted in a method that in theory can't be seen and so the secure certificate at the website end, is recognized by the browser, and the two things share that data, now encrypted, so I can't see it, so if I was sending the 16 digit credit card number, it's all now obfuscated and encrypted, or I can't see it.

Edmund: Right.

Darryl: That's why the certificate is doing, so that's why it might exist. Now why do we, you know ... it's a difficult question to answer, and maybe you could talk about well why has this become such a big thing previously, why has it become ... like it was used at eCommerce shops, why is it a big deal now? Why is it all suddenly topical?

Edmund: Yeah, because up until recently right, most eCommerce, in fact, all eCommerce websites, using shopping carts, had to have HTTPS on the shopping cart page, correct?

Darryl: Well they should've had, they didn't all do it, and they should've had yeah.

Edmund: Umm Ahh, so that's the big issue. Like right now every SEO and every marketer is telling everyone you've gotta upgrade the website to HTTPS. Now the reason why ...

Darryl: Well why are they saying that.

Edmund: Yeah absolutely, it's a kinder using the big stick approach, and the reason is because google is the biggest access point for the internet out there and they've been very aggressively pushing security as one of their key issues, and recently they moved their own search engine to HTTPS, and so that took away the keyword data that us SEO's used to get in analytics, but the big issue is primarily around security, they want to secure the web, they want people to have secure websites.

Darryl: And maybe we're not gonna go down all the layers of why they want to do that and whether it's good or bad or whatever, but they are forcing people too ... I mean it's because people weren't adopting stuff to make the web a safer place.

Edmund: Correct, and google is in a position to apply pressure because of two things; one, they own google, the search engine right, and so they started telling people that a ranking factor or a contributive ranking factor in ranking well and doing well online was the fact that your site was secure, and the second thing is they own bloody Chrome, right? One of the most, probably the most popular browser out there. I mean, Darryl why don't you talk about ...

Darryl: Well an Android right, Android devices. Think of the massive footprint across consumer use of online.

Edmund: Yeah, and so what they've been doing now is that they've recently updated Chrome so that a site that's not HTTPS or pages where there are forms that aren't on HTTPS, start sending up these little flags in the browser, and you've seen them more aggressively when a browser will pop up and say, "this site is hacked! Move back". You've seen this right? No one clicks through to those, and in this way that little message, right, is starting to get a little bit more aggressive, and who knows, Google could say to Chrome tomorrow, every single site that's not HTTPS, flash up a big red warning, telling people it's not secure. Can you imagine what that'll do to the site traffic?

Darryl: Well, and I think this is the thing. You talked about forms, so part of what's happened is that ... okay most people that adopted it for payment, now the viewers well okay, but what about login forms? So WordPress is an example, now you always had an option of WordPress to force HTTPS for the admin area, but people didn't. You know, and WordPress is unarguably the largest content management system in the world by a long shot, so a lot, hundreds of millions of sites are using WordPress and we're seeing lots of sites getting hacked, being hacked, and it's not all directly through a website, sometimes the computer gets infected and the got FDP details or login. Now because there are forms, like admin forms for content management systems, there are contact inquiry forms, and yeah people have been more sophisticated and aggressive pushing forms everywhere, and you've let us sign our forms, whether you're using mailchimp or something like that. All of these elements are asking for data and while it might not be payment data, if I can get your name and your email address, maybe you ask for a birthdate because you're a doctor registration form. If that's not secure and that data is intercepted, then obviously people can use that data against you and in their hacking attempts and other attempts to steal your identity.

I think that's the thing, you talked about its forms, so that's why now it's not just saying, "well your eCommerce shop is secure, we'll et you get away with it". Your kind of going, rather than having to worry about every element on a page and tell blah blah blah, or you don't want people going in and out of HTTPS and non HTTPS.

Edmund: Absolutely.

Darryl: And I think maybe we should raise something else technical too. It used to be problematic and load intensive to run HTTPS, so that's another reason why people didn't do it, if I run my whole site under HTTPS the overhead on the server ... and you know a lot of people are on shared servers, was higher, so my site performance went down, so there was kind of this double edged sword. My speed was down and people like Google are saying well that's a ranking factor. We want faster sites and because everything is going mobile, it makes sense, but then I add an HTTPS layer and then there's more processing time, cause you know it's doing harder work and it's slowing it down. We are kind of canceling each other out, but when there was updates to the protocols and everything now, those arguments are long gone away, they're not needed. And then the other part was there's a cost. People charge money for secure certificates, and we'll talk about that a little bit later maybe, but that doesn't exist now, we're talking about now.

Edmund: Well I think we should talk about it now, because we've basically touched on the point of why you need to move to HTTPS right, so that's not an issue of discussion anymore. My question is, and I know this because I'm still confused by it and I guarantee the average business owner looks at this and goes, "what the hell are they talking about?". What type of SSL certificate do I need? There are free, there are paid, there are five thousand dollar SSL's. What the hell is the difference?

Darryl: Well before I answer that question, why don't we say one thing. We've talked about it and we've said that you should do it, but we should emphatically say to people, "if your site is not on HTTPS now, don't even think about it, you should do it. Absolutely go and do it".

Edmund: Absolutely.

Darryl: The attitude of today is, if your site is not HTTPS, you need to rapidly make it HTTPS and you need to talk to your providers and make that happen. So that's, I think we'll say that again at the end, don't debate it. If you don't know why, go to your site and do it. Now we'll talk about technical stuff. So SSL certificates for the average business are not a big deal. You've always been able to get quick SSL's and simple SSL's and all those sorts of things, and then there were more expensive ones. There's things like Wild Card SSL's, so Wild Card SSL's is that any sub-domaine from my root domaine is covered, so if I have www.mywebsite and I had members.shop., I could buy one certificate and it will cover them all.

Most people don't need that, but most people ... and the higher level verified ones, so if you go to your bank, if you go to someone like National Australia Bank or you go to Wells Fargo, you'll actually see up in the browser that it actually next to the secure part, has their name, and that's a verified certificate, where their identity is being verified properly. To do that it's much more expensive and you have to submit all sorts of corporate documentations and verify that you are the person. Now 99 percent of people probably don't need a verified certificate, so they don't need to pay for the certificate, they don't need to go through that process, and so then you come back to, okay well if I don't need verified, we're really comparing lower cost certificates through trust of people and free certificates. Now free certificates have only been around properly, in a rusted sense, for a couple of years, and the biggest one in that space really is called Let's Encrypt.

Edmund: Why are they free? How are these guys giving them away for free?

Darryl:  Well technically there was no reason to charge for them, because they are just a ... well really what it comes back to is that you need trust in a relationship, so the certificate, for the certificate to build trust, they have to come from a trusted provider. Now there's a bit of irony that one of the companies that owns a lot of the root certificates, actually got hacked massively, there's a problem in there, but that's a different story, so that broke down some of the trust, but you need trust. So they were paid for because people ... you know it was hard to generate the trust, so we were a top provider, not me personally, but this company would be a Verisign or something like that, and they would have root certificates and then they could issue certificates based off that, and people could trust it. So your browser knew, you're operating system browser knew that you could trust that certificate was valid, otherwise because, to be technical, you can set up a secure certificate on a server like that. The protocol exists, and you could say this server is running HTTPS, so the protocol, which encrypts everything, runs, but I don't know that it's trusted because there's no certificate.

Edmund:  Sure.

Darryl: You get the certificate to create the trust, and people owned that trust. When you go to the bank, I could store your money for you, give it to me and ill pay you interest. Just bring it and I'll put it in my letter box and look after it. Well, you don't really trust that, because I'm just gonna run off, well ... you know, might not. But that's the same thing, we go to banks because we trust they'll look after our money, they'll be able to pay it back et cetera. So the certificates' kind of work that way. You trust this place, you buy it, but then people ... well if we want to make the web secure and we want to now remove the biggest factor and half the world has accepted open source, you know the concept of open source, WordPress is free, lots of things are free, Drubel is free. Like all of these open source technologies, I mean Limits is free, all of these things are free.

So basically, Let's Encrypt was set up to provide free. Now they're not the only free SSL provider, but they're backed by things like Google and Microsoft and people like that. So you create the trust inherently and set up a foundation that runs. So it's a not for profit in theory that runs these, and that we can all trust, and they do it a little bit differently.

Edmund: Can someone who's running a decent sized eCommerce business use a free SSL from Let's Encrypt?

Darryl: Yeah, there's no reason they can't at all.

Edmund: There's no reason, okay.

Darryl: There are secure certificates and there trusted certificates. They auto-renew every 90 days, so typically when you buy a certificate, the minimum quantity is a year, but you can buy multiple years when you buy them. The issue is if you got a business or you change things, you've got a years worth certificate. If things change, the period is a year or two years, that that's a trusted certificate. So if someone was able to get hold of it and use it nefariously , you're not necessarily protected.

So these are good, they'll do it all, but the basic ones don't provide that higher level verification, but at least they're securing your site.

Edmund: So my next question is, if I'm a business owner and I don't have a site on HTTPS, what do I do? What are the steps? Who do I talk to? What's the process?

Darryl: Okay, so you probably want to have ... the important thing in our show head, is we wanna make sure that, and that's why there's two of us, we come from different sides, there's different people involved in this process, so for getting your SSL sorted, you want to talk to your hosting company and your web gal. I said web guy exclusively last time, it can be web gal.

Darryl: This time its web gal.

Darryl: Web guy, web gal, who's looking after your website. Now that might be someone internal or it might be an agency or freelancer. Both people need to know. Now there's a third person as well, a really important person, your SEO, particularly, and people make the mistake. So fundamentally we're changing the URL and it's just the HTTP and HTTPS, but it is a change in URL, and it's no different to taking the www off your site and going without. It's a fundamental change in the URL that your site runs on, so you have to do it properly.

Edmund: Yeah, and the analogy it's like changing your address and not redirecting your mail, right?

Darryl: Yeah. Now most servers will handle the redirect probably for you, but so you wanna talk to those people, now at a server level or your hosting level, they need too install a certificate. If you're on any hosting company and using C-Panel for example, that offers free. Lets make a note about the free and paid, there are a lot of large hosting companies not offering free SSL at the moment, [inaudible hat tip to you I had a hosting company, which I sold a year ago, but two years ago we put Let's Encrypt it when we were happy with it, because why not?

Now I could understand if you were a daddy site or something like that, or whoever it is that doesn't want to offer them, you might have 800 thousand people that pay you, even for a quick SSL and maybe you charge them a hundred bucks a year, well that's a fair bit of coin that they're gonna give up. So from a shareholder perspective, they don't necessarily want you to turn the tap off, but the reality is there are plenty of great hosting companies that offer, So if your host doesn't offer it, don't immediately pay. Talk to your team about moving, because these days if you're in C-Panel, new hosting companies can do a C-Panel to C-Panel move for you easily.

Edmund: Can the web developer handle this one? Cause I mean the reality is like you're asking a business owner to talk to the hosting company, talk to the web de ... a good web developer.

Darryl: The web developer could. Things you need to look at. The business owners or whoever's the nominated person in the business should be taking more responsibility for this asset. I think we've got an episode coming up about digital assets and taking ownership of them, so we might leave that till then. But, someone gotta know enough to do this, not just abrogate responsibility to your web guy, but yes, what you need to know is we need to get our hosting changed. Now the hosting level we want it installed, then the next part is you want to have site wide redirects put in place, from non HTTPS to HTTPS. So what that means ... well, maybe you can talk about that one, if I've got a bookmarked link or I find you on Google when it goes to your slash about page that was previously HTTP://www.... And that now will redirect to the HTTPS version automatically, including the about or whatever the URL was on the end path.

So we want that done. We want to install a certificate, so we've got  ... we've got a certificate and we want global redirects done, including retaining the path and everything else done. That's what most people do. There's a step that's not always done, often not done, and this is something you need to talk to your web developers about. The web developers might not be ... some won't be the people to do this, some will, so there's a different degree. Some are more graphic design orientated, that can do great at implementations and a content management system, but they not necessarily great with the more technical items of data. One of the big things, a lot of content management systems hard store URL's, so WordPress is bad at this in that it will store the full URL, so if you've got a link to a page or if something within your site, it will have stored HTTP:// in there. So if you don't do anymore, your site is continually redirecting those old links to the new ones, internally, so it adds little hops into the process and ideally we want to take them out.

So what you need to get someone to do, is to do a database fix. Now you don't wanna go through your site manually go to PHP my admin and edit the menu, so there are scripts that can do this. They're very aggressive, they're dangerous to run on a live production website and you need someone that can do them. Your hosting company might be able to help, your web developer might be experienced enough to do it, there are other plugins you can install into your content management system and different systems have different things, but the third part of it is that you need to get your data base references checked and changed to HTTPS, to make your site perform, so that's what people don't do.

Edmund: Yeah, so I'm gonna need someone with a little bit of technical ... someone who like yourself, just to run their eye over it, check the data base and make sure that's all working and possibly an SEO, to check that those redirects, those permanent redirects ...

Darryl: So that's step four. That's step four right, it is now I gotta check it. I want to run a crawler or a screener and you can talk a little bit about how would you go about that. What's a tool that someone could use to check those steps? Is free tool out there?

Edmund: Yeah absolutely. Well off the top of my head, your SEO guy is going ... or gal, is gonna use a tool like Screening Frog, but there are no doubt a number of other free crawlers that probably don't provide the level of complexity, non of them come to mind for the moment, but this is the kind of thing that I would get an SEO consultant to do, and you get them involved before you make the actual implementation, so that they can compile all the old URL's and run it through these tools, and it just makes sure that their redirecting to the new one, your mail is being redirected correctly.

And the key thing here is to make sure that it's called a 301, meaning a permanent redirect. That's the terminology, and why that's important is cause it tells Google, hey the old URL, the HTTP one, that's gone now and it's being permanently replaced by the HTTPS version. And what Google will do, will, it will drop out of the index, the old version, and replace it with the new one and that's what you want, and Darryl's point about keeping those re direction's in place on the site, don't forget all of your old links, they point to the old version of your website. So there's a bit of cleanup afterwards too, right? To think about all those directory listings that I've got pointing to the old site, I've gotta go and clean them up ultimately, and point them to the new HTTPS version as well.

Darryl can I ask you one question, what if I've upgraded my site, I've moved to HTTPS, but I've got graphics or links to third party sites that are not on HTTP ...

Darryl: Maybe I should've talked about why you need to do the data base cleanup, because so what will happen is when you go HTTPS in your browser, and I'll use Chrome as an example cause that's where I spend most of my life, when you go there, where it should say "secure", instead of having the green padlock and the word "secure", it has a little eye and a circle, it's gray and it's, it basically says "insecure".  And if you click on that, it says "this site is not necessarily secure". That's how they are handling it at the moment, and generally that comes from what's called mixed content, and you will see that before you've done the data base cleanup, but like you said, you could also get it from referencing third party sites. So what that means is I've got a logo embedded on my page and it might be an affiliate badge or a badge to some association, so you instead of downloading the graphic, loading it up to your site and then putting a link in, you might of embedded something from them, like possibly an eye frame, or some code. They gave you an HTML code to paste, so you just paste it in there as JavaScript, but in there the link says HTTP, to them.

So what the browser is telling you is that the page is not 100 percent secure. Now you could live with that, you could say well there's nothing insecure or really ... and I found an example when I was cleaning up a site the other week, where the destination site did not have HTTPS version, so there were six ... it was a typical sidebar on a blog and out of the six, five had an HTTPS version, so I basically clipped the link in a new tab to the site and then I just put in the S on the end to see if it also rendered on their site, and it did. Most of them actually redirected them automatically, but not all of them. I should send them an email, but there was one that did not have an HTTPS version, so the way handled that was I downloaded the graphic, I went to the sidebar widget and went in there and I attached the internal graphic. Now on my website, or this clients' website, which was now HTTPS because it was local, and then the link out can be non HTTPS.

The link doesn't matter, it's if you're bringing in any assets from another site, and those assets could be a JavaScript file, so if you were embedding Google Analytics, it would be HTTPS, but sites like that where you bring them in. So if you were using a piece of software that's doing A/B testing for you and you had the code there for forever, it might be HTTP. Now the site will show up that way, if you're embedding a graphic off a third party site. Now we should say, when we talk about speed performance and that, it's best that you don't do that, you bring them all local anyways, so you can control the speed, but those things are pretty common. Particularly if you've had a blog or a site up for two or three years, you know I've had more than that.

Edmund: I've seen something similar where there in the allied help space, there are sites that have these little book now buttons, and they use third party websites to handle the online bookings, and some of these systems haven't moved to HTTPS yet, so the clients site takes HTTPS but they've got this big bok now button that's linking to a non HTTPS asset, so they're not getting the full hundred percent that's this is secure.

Darryl: Okay well, it's pretty common, and to round it up right, don't feel bad if you're not there yet, because you know what, we have a buddy in the industry that's done a big report about major eCommerce retailers and forty-eight percent of them have gone HTTPS, this warnings been out for several years, so here's the thing. You gotta go do it. Let's be emphatic, get to your site HTTPS, get your people involved, if you've got any questions, send them through. We are going to be doing Q&A sessions along the way like we'll do episodes do it. We'll try and respond. We are gonna be setting up a Facebook group, uh page for people who might have questions or things that we can talk about and redirect them to people, but talk to your SEO consultant, talk to your web guy or girl, talk to your hosting company, don't always take verbatim of what they say. Get the basic information, doesn't make sense, then get the implementation done, and then test it.

Edmund: Absolutely, and what we might do in the notes too, I know there's a great HTTP to HTTPS migration checklist by an international SEO, called Aleyda Solis. It's really comprehensive, it's a downloadable spreadsheet, you can give that to your SEO person or at least step them through it, but it's very comprehensive and it'll help you make sure you've covered the basis in this process. When you get to ...

Darryl: I'll give a warning right, I have seen messages from hosting companies that don't want to give free, actually tell their clients that they're not safe and secure, you shouldn't do it, and there's no need to do it.

Edmund: And that's just bad info.

Darryl: Well its bad info. The fact of the matter is, it's about trust signals, and there's a book up on my shelf from a guy called B.J Fog, from about eighteen years ago, that talks about persuasive technology and it's about trust signals, and the thing there is the questions really easily answered. When your potential customers or your existing customers come to your website for any reason, do you ... would it be good or bad for your business to say "this site is insecure", at the top. You answer that question. If you are happy for it to say " my site's insecure ", and you think people will still trust you, don't take our advice, but if you think that that doesn't make sense, if you think it's okay to go home at night and leave your shop or office door unlocked and wide open that anyone could get in, that's fine. You probably won't want to listen to anymore episodes of us, but if you want to take the advice, don't believe them, move away from that hosting company or that SEO or that web guy or gal, if that's the advice they give you, because it's actually wrong.

Don't listen, change your site to HTTPS, it shouldn't cost you very much at all. Go do it and you will be better for it in the long run.

Edmund: Mate is that today's tip?

Darryl: I'm done ranting.

Edmund: Make the move, make the move. Alright Mate, I think that was very comprehensive, I think that is it for today. If you want to be notified when the next episode goes live, please sign up to the website; mybloodywebsitepodcast.com or subscribe to us on Itunes. As I say every week, if you enjoyed this information, if it was helpful, we'd appreciate it if you would leave us an Itunes review, because it helps people find us. Once again, we'll see you next week ... lets try that again. We'll see you next week when we continue this chat about mybloodywebsite. It's goodbye from me.

Darryl: It's goodbye from him.