What is HTTPS, and Why Does My Ecommerce Website Need It?

When it comes to ecommerce, security is paramount. To ensure security, most websites use something called SSL encryption to protect any data passed between a website and a shopper (and vice versa). However, SSL encryption requires a secure form of communication between a website and a customer, and that secure form of communication is known as HTTPS.

Up until recently, it was only ecommerce websites that needed to use SSL for the shopping cart and checkout process. However, that’s no longer the case. Every website with a search form, login form, or even an email signup form needs an SSL certificate. It’s officially a best practice in 2017.

HTTP Is A “Style” For Web Communication

In the early days of the web, the architects of the Internet agreed upon a website-client communication standard that became known as HTTP or HyperText Transfer Protocol. This standard enabled HTML websites and all the technologies that followed.

One problem with HTTP is that “packets” of data shared over HTTP can be secretly “sniffed” and then copied by a 3rd party, intercepted and “spoofed”, etc.

A very basic illustration of the security problems with a standard HTTP connection.

• Packet sniffing allows someone to see what data you’re downloading. If you’re reading an article on a news site, that’s not a big deal. But if you’re viewing your account page on your favorite ecommerce site? A “sniffer” can see your account info.
• Spoofing is intercepting a packet and sending an altered packet in it’s place. This can be used to do all sorts of nasty things – from tricking you into giving your info to the wrong website, to forcing you to download malware.

Since HTTP is susceptible to sniffing and spoofing, it’s long been recommended to use HTTPS on an ecommerce website. HTTPS basically encrypts all the packets that are sent between your site and the consumer (and vice versa). If the packets are intercepted, they can’t be decoded. The encryption also means packets can’t be spoofed.

HTTPS stops 3rd parties from sniffing or spoofing packets via encryption.

Recently (Jan. 2017), Google began issuing warnings to any site that collected info from visitors without an HTTPS connection. If, for example, you have a website with a search form, and you don’t implement HTTPS, you may get a warning from Google about security.

As a result, it’s considered a best practice for all websites (even sites that don’t collect personal info) to implement HTTPS.

How You Setup HTTPS – The Broad Strokes

HTTPS – which stands for HyperText Transfer Protocol Secure – is an encrypted standard for website-client communication. To send information via HTTPS, an encryption system known as SSL is used. SSL is sort of like a voucher system for communications.

It may be helpful to imagine SSL as a bouncer at a bar. To get inside the bar, you hand your driver’s license to the bouncer, who then verifies that your license is legit and lets you in the door. In this analogy:

• The bar is the website you’re trying to access,
• The bouncer is the HTTPS protocol, and
• Your driver’s license is the SSL certificate, a form of identification that both you and the bouncer know to be legitimate.

This is a bit of an oversimplification, but hopefully, it allows you to see that SSL certificates serve as the proof that a communication attempt is legitimate.

In terms of setup, website owners who want to use SSL must do the following.

1. Obtain an SSL certificate, either for free from LetsEncrypt.org, or purchased from Comodo, GoDaddy, etc.
2. Work with your hosting provider to have your SSL certificate installed

SSL certificates are issued for a specific period of time, usually one year. This certificate is installed on your site by your web host (or, if you have a private server, by your server management person), and then presto! HTTPS.

Do You Really Need An SSL Certificate?

Yup. The main reasons:

1. It’s a good idea. Your site is less likely to be targeted by hackers, less likely to be implicated in a security complaint, and more trustworthy.
2. It’s likely mandatory if you collect any private info. A few states have laws and regulations that have been interpreted to require HTTPS if a website collects information like an email address or phone number.
3. Google is probably going to give sites with HTTPS special treatment at some point*. Google has steadily been forcing website owners to invest in HTTPS. While they might not ever “officially” require websites to utilize HTTPS, it’s becoming pretty clear that Google will treat sites with HTTPS differently (read: better) than sites without it.
4. There are some performance improvement opportunities. HTTPS allows for the use of a new protocol called HTTP/2. Without getting into the technical details, HTTP/2 is fast. You want it. SSL helps you get it.

*NOTE: Some say Google is already giving websites that have HTTPS better rankings. We’ve never seen strong evidence to support this notion, but it it’s reasonable to assume Google is giving HTTPS websites some small preferential benefits.

Summing Up: SSL Certificates Are Mandatory These Days

There are a lot of great reasons to use HTTPS:

1. Consumers trust sites that use HTTPS and are more likely to buy from them
2. HTTPS protects your business from legal problems, and your customers from danger
3. Your payment provider requires it
4. Your state has laws or regulations requiring it

Considering that SSL certificates are cheaper than ever, there’s really no good reason to go without one.