If your site collects any kind of data through a form or an account login, then the short answer is “Yes”. Before I discuss why, it is important to know what HTTPS does for you.
HTTPS is the secure version of HTTP, the protocol that is used to move data between your users’ browsers and your web server. HTTP is a plain-text protocol. In other words, when you fill out a form in your browser, that information is sent as readable text to the web server. With HTTPS, the browser encrypts the form data and the web server decrypts it. This protects the data from being read anywhere between those two points.
For HTTPS to work properly, it relies on SSL certificates. Just as Domain Authorities issue the domain names you use for your website, a known set of trusted Certificate Authorities issues SSL certificates. The SSL certificate can be authenticated by a Certificate Authority, which ensures that the browser is not connecting to a fake version of your website.
Because of the privacy that HTTPS offers, Google’s Chrome, Apple’s Safari and Mozilla’s Firefox browsers have been encouraging website owners to move to this encrypted protocol. However, Google has announced (https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html) that, in January, Chrome will take this “HTTPS everywhere” concept to the next step: it will not just identify sites with HTTPS as secure, it will also mark a site without HTTPS as “Not Secure” if the site has any input fields.
This means that visitors to your website may be told by their browser that your site is not a secure site. Many visitors may not feel comfortable providing information to a website that is labeled “Not Secure”. Your best choice is to switch to the secure protocol for your website.
To convert a website from HTTP to HTTPS, you need to add an SSL certificate and tell the web server to use the new protocol. The seemingly straightforward task of switching your site to HTTPS with an SSL certificate can easily be mismanaged. Some of the challenges you will need to address are:
- What kind of certificate do you get?
- Is the certificate installed properly?
- Does the content on your pages need to be adjusted?
Certificate Authorities use a variety of validations and, depending on the validation used, SSL certificates run in price from under ten dollars per year to hundreds of dollars per year. Choosing the right level of validation can save you money, or prevent you from having to redo the process.
Many servers don’t disable deprecated ciphers. Testing against known vulnerabilities will highlight any configuration deficiencies with the installation of the certificate.
Your website pages may reference internal content in a non-secure way. This is a typical problem found on sites that were converted from HTTP to HTTPS after being deployed. Links to internal content may still be coded to use HTTP. While easily fixed, this will block the browser from displaying the secure page indicator.
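One way to find those leftover references before visitors do, as an added example that is not part of the original article: a small scanner that lists every `http://` reference in a page and separates content the page loads or posts to from plain navigation links. The site name `example.com`, the sample page and all function names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs the browser fetches from, or posts to, while rendering
# the page. Approximation: every <link href> is treated as a fetch.
MIXED_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("link", "href"), ("audio", "src"), ("video", "src"),
               ("source", "src"), ("form", "action")}

class InsecureRefFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_hosts = {site_host.lower(), "www." + site_host.lower()}
        self.findings = []  # (line, tag, attr, url, kind, scope)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            url = (value or "").strip()
            if urlsplit(url).scheme.lower() != "http":
                continue  # https://, relative and protocol-relative URLs are fine
            if (tag, attr) in MIXED_ATTRS:
                kind = "mixed"  # insecure load or form post from the HTTPS page
            elif (tag, attr) == ("a", "href"):
                kind = "link"   # navigation only: sends the visitor back to HTTP
            else:
                continue
            host = (urlsplit(url).hostname or "").lower()
            scope = "internal" if host in self.site_hosts else "external"
            self.findings.append((self.getpos()[0], tag, attr, url, kind, scope))

def find_insecure_refs(html, site_host):
    """Return every http:// reference in one page, in document order."""
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for a hypothetical site, example.com.
SAMPLE_PAGE = """<link rel="stylesheet" href="http://example.com/css/site.css">
<script src="https://example.com/js/app.js"></script>
<img src="http://www.example.com/img/logo.png">
<img src="/img/banner.png">
<a href="http://example.com/contact">Contact</a>
<form action="http://example.com/subscribe" method="post"><input name="email"></form>
<iframe src="http://ads.example.org/frame"></iframe>
<script src="//cdn.example.net/lib.js"></script>"""

if __name__ == "__main__":
    for line, tag, attr, url, kind, scope in find_insecure_refs(SAMPLE_PAGE, "example.com"):
        print(f"line {line}: <{tag} {attr}> {url} [{kind}, {scope}]")
```

Internal findings can usually be fixed by rewriting the URL to `https://` or to a relative path; external ones first need confirmation that the other host serves the same content over HTTPS.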
Should your website use HTTPS? In the long view, all websites will have HTTPS; you just need to decide when you want to make the change.