I just spent the last week moving ALL my sites to be HTTPS by default. It’s tedious to set up and pricey ($10/y per domain). But it’s worth it. And if you’re a maker of sites and apps that people from all over the world use (like many of you reading this are), I think it’s your responsibility to set it up by default now. It gives your users increased privacy and security and it even has advantages for us too.
Better security
With HTTPS enabled by default, your users are more secure. Without it, if you let users log in with passwords, for example, those passwords are transferred over an insecure connection. Even personal data like addresses can be sensitive. Many of us are building apps that include chat functionality, and what is said there can be sensitive too. This gets especially dangerous with people increasingly working on public or shared Wi-Fi (e.g. coffee shops, hotels), where snooping on passwords is literally as easy as installing Wireshark. I’ve tried it and I was able to read the packets of most of the people on my hotel’s network. That’s insane in 2015.
Better privacy for your users
With the internet spreading to more places in the world, there’s a higher chance your site will be used in places with less freedom of speech than your country. If snooping on other people’s connections is so easy without HTTPS, I think it’s our responsibility as site/app builders to at least try to protect our users’ security with HTTPS:
Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites.
— Peter Eckersley on EFF.org
Even non-interactive sites should think about this, because without HTTPS the URLs people visit on your site are visible to anyone who can see the traffic. Things like which news a user reads and their particular choice of any other media consumption (think adult content) should be private by default, because exposing them increases the odds of being profiled by governments and companies. Even if they have no bad intentions, everyone has a legal right to privacy. For example, reading lots of articles on Wikipedia about terrorism might get you profiled as a terrorist. Luckily Wikipedia already switched to HTTPS by default 2 years ago.
Better referral data
You know how in Google Analytics you’re getting less and less referral info these days? That’s also because HTTP referrers cannot be shared with HTTPS hosts and vice versa. It means that if your users come from an HTTPS site (like Google itself), you won’t be able to see any referral info. If the referrer is HTTPS and you are HTTPS, you can though. With more sites switching to HTTPS by default in the future, this seems like a good choice.
Google ranks you better
(..) we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal (..) But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
— Zineb Ait Bahajji and Gary Illyes on Google’s security blog
Google has stated it will now reward HTTPS-by-default sites with higher ranking in search results. It also rewards fast sites (with low loading times) and responsive sites (with a mobile-friendly layout). Combining those should, in theory, give you a boost.
There’s one disadvantage:
Load times increase over HTTPS. Right? It makes things slower. But does it always have to be like that? No. Actually HTTPS can be faster than HTTP:
There’s a secret though: that site uses Google’s new protocol SPDY, which is lightning fast and secure.
Setting up HTTPS with SPDY
You can set up SSL on NGINX for free too, although I’d recommend just paying NameCheap $10/y for a Comodo SSL certificate, as they’re less troublesome to set up and more reliable.
SPDY also works with NGINX now, so that’s easy to set up too. Bjorn Johansen wrote a nice article on getting the latest version of NGINX with SPDY and then enabling SPDY. It’s literally changing this:
listen 443 ssl;
into
listen 443 ssl spdy;
Have a lot of NGINX virtual server configs to change? Try this (watch out for curly quotes: WordPress somehow changes them, no idea why; they should be ordinary single quotes).
find . -name 'nginx.conf' -exec sed -i 's/443 ssl/443 ssl spdy/g' {} \;
Yes people, DevOps is getting really easy these days 😀
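As an added example that is not part of the original post or of NGINX itself: a small POSIX shell script that does the same rewrite over a set of NGINX configs, but keeps a .bak copy of every file it touches and skips files that were already converted, so running it twice does not produce "ssl spdy spdy". The directory layout, the file names and the sample config (which also shows the port-80 server block that redirects everything to HTTPS) are constructed for the demo; the certificate paths in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Enables SPDY on every
# nginx.conf under a directory, with a backup per file and without
# doubling up "spdy" on re-runs. All paths and config contents are constructed.

set -eu

# Write a constructed sample config tree: site-a still needs converting,
# site-b was already converted earlier and must be left alone.
write_sample_conf() {
    dir="$1"
    mkdir -p "$dir/site-a" "$dir/site-b"
    cat > "$dir/site-a/nginx.conf" <<'EOF'
server {
    listen 80;
    server_name example.test;
    return 301 https://$host$request_uri;   # HTTPS by default: plain HTTP only redirects
}
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/ssl/example.test.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.test.key;   # placeholder path
}
EOF
    # site-b is the same config with SPDY already enabled.
    sed 's/443 ssl;/443 ssl spdy;/' "$dir/site-a/nginx.conf" > "$dir/site-b/nginx.conf"
}

# Rewrite every nginx.conf under $1 that still has a plain "listen 443 ssl;".
# Prints the number of files changed. (Paths with spaces are not expected here.)
enable_spdy() {
    root="$1"
    changed=0
    for conf in $(find "$root" -name 'nginx.conf'); do
        # Nothing to do when no 443 listener lacks spdy.
        if ! grep -Eq 'listen[[:space:]]+443[[:space:]]+ssl;' "$conf"; then
            continue
        fi
        cp "$conf" "$conf.bak"                 # keep a copy to roll back to
        sed -i 's/443 ssl;/443 ssl spdy;/g' "$conf"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Count 443 listeners under $1 that still lack spdy; 0 means the job is done.
count_missing_spdy() {
    find "$1" -name 'nginx.conf' -exec grep -Ec 'listen[[:space:]]+443[[:space:]]+ssl;' {} \; \
        | awk '{s+=$1} END {print s+0}'
}
```

After the rewrite, reload NGINX only once `nginx -t` passes on the new configs; the .bak files are there to restore any file that fails the check.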
P.S. I'm on Twitter too if you'd like to follow more of my stories. And I wrote a book called MAKE about building startups without funding. See a list of my stories or contact me. To get an alert when I write a new blog post, you can subscribe below: