Since Google confirmed in August 2014 that HTTPS is now a ranking signal, website owners have been making a conscious effort to install SSL certificates on their servers.
However, SSL installations are often done incorrectly, negating the perks that HTTPS was designed to provide. This not only has a negative impact on data security, but can also give a jarring experience to end-users. Web browsers now heavily penalise websites with visual indications which are likely to scare away potential customers.
This screenshot, taken from BadSSL.com, which provides links to various poorly configured servers so you can see exactly what certain browsers present to users in certain circumstance, provides a visual indication as to the sort of customer experience that you could be providing if you have implemented your SSL installation incorrectly. This has major implications for user experience, brand perception, search ranking and web security.
In order to ensure that your site is properly set up for HTTPS, you need to complete these five key stages.
1. Redirect all HTTP traffic to HTTPS
There's no reason to serve your website from both HTTP and HTTPS, so you should 301 redirect all HTTP traffic to the equivalent HTTPS URL.
This will ensure Google ranks your HTTPS website, and will prevent any potential duplicate content issues. You can check your redirects are working using this tool.
2. Make sure all assets within your website are using HTTPS
This is a very common problem which mainly occurs on websites with user-supplied content (eg. forums). Even if you follow every other best-practice, you will still get your green padlock removed if you include anything in the page which is not fetched from a secure server, as you can see in this example from Chrome.
For your own assets with absolute links, a simple fix for this is to always include them without specifying the protocol (eg. user "//domain.com" rather than "http://domain.com"). This enables the browser to use whichever protocol the current page is using. However for user-supplied content which can contain assets this is a harder problem to solve, and may require some input validation or post-processing.
3. Make sure you receive a SHA-2 certificate from your CA
Some CAs (Certificate Authorities) still provide SHA-1 certificates by default unless explicitly instructed otherwise (sometimes hidden in advanced options). However, SHA-1 certificates are obsolete and should not be used anymore. Here's a quick tool to check if your current certificate is SHA-1: https://shaaaaaaaaaaaaa.com/.
4. Check your SSL installation with an online tool and modify your server configuration if necessary
Always check your SSL certificate using an online tool (we recommend Qualys' SSL Labs test) after you've installed it. This will reveal any security vulnerabilities in your server configuration.
In order to remove any vulnerabilities, you may have to make some modifications to your configuration file. One of the first things you should do is ensure SSLv2 and SSLv3 are not available protocols. Further configuration advice can be found on https://cipherli.st/.
5. Renew your SSL certificate in good time
Do not let your SSL certificate expire! CAs will let you renew it before it expires and add the remaining time to the end of the existing certificate, so there is no reason to delay renewal. However, certificate renewals are not automatic. You will need to reinstall the certificate the same way as when you initially installed it.
And, that's it! So when you next set up an HTTPS website, just follow these steps and your users will be on their way to a happy, secure browsing experience.
If you'd like to talk to our Design and Development team about installing SSL certificates or any other design and development challenges, contact us now.
