HTTP vs HTTPS in the Age of Google and GDPR


Last updated: 8/10/2018

There may be no bigger issue on the minds of today’s website administrators than ensuring security for consumers. With high-profile data breaches happening with disturbing regularity and the European Union’s General Data Protection Regulation (GDPR) changing the face of data processing, providing your users with peace of mind has never been more crucial.

If you’ve read our previous articles on Google’s push toward secure URLs and the data logistics of switching to an HTTPS site, you know that there are plenty of solid reasons for a lot of websites to make the switch. Still, any visible change to your website is worthy of serious consideration. Is shifting your site from HTTP to HTTPS really worth the effort?

The short answer: probably. While the benefits of a secure website are most obvious for organizations that regularly collect sensitive user data such as credit card numbers, passwords, or Social Security numbers, even seemingly innocuous pieces of identifying material can put consumers at risk. The GDPR's definition of personal data is “any information relating to an identified or identifiable natural person.” That can include everything from birth dates to email addresses to political leanings to eye color. By that standard, the number of websites in the data collection business jumps up considerably.

What’s the difference between HTTP and HTTPS?

The major difference between an HTTP site and an HTTPS site is encryption. All material exchanged between a visitor’s browser and an HTTPS site is automatically encrypted in transit, using virtually unbreakable encryption that makes it much more difficult for hackers and other bad actors to intercept or alter. Almost as important, the “security” aspect of HTTPS lets visitors know that you take their privacy seriously. That peace of mind is worth a lot to the public: Research shows that only 25% of consumers trust businesses to handle their private information responsibly. And, of course, Google’s recent focus on improving security means that HTTPS sites have an advantage in SEO.

[Image: Example of Google Chrome's current treatment of "not secure" HTTP pages. Image courtesy of Google Chromium Blog.]

How to Make the Change from HTTP to HTTPS

So what exactly does switching your site to HTTPS entail? It’s an easier process than you might assume, but one that needs to be handled with care.

Step 1: Obtain a Security Certificate

For starters, you’ll need to obtain a security certificate. This is a piece of documentation from a trusted third party that lets users know their information will be responsibly encrypted. There are a number of options here depending on your site and your personal preferences. These are commonly called SSL or TLS certificates, after Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), the protocols that use public key certificates to set up the encrypted connection.

You’ll likely need to purchase your certificate from a company that issues them, although there are some organizations that issue certificates at no charge.

Step 2: Redirect Your HTTP Pages to HTTPS

The next step probably won’t be a ton of fun, but it’s a vital one. You’ll need to redirect all of your existing HTTP pages to HTTPS pages using permanent 301 redirects. This ensures that visitors won’t stumble across any overlooked, non-secure pages while browsing your site. You’ll definitely want to build a map of all the existing URLs on your site and make sure that each one has a corresponding HTTPS page. Fortunately, most web hosting services offer a how-to for this process, so it may not end up being as overwhelming a project as you might fear. Don’t forget to update links, images, PDFs, and any other elements of your site that may be directed to non-secure pages.

Step 3: Update Your Site Map

Finally, you’ll need to create an updated site map, somewhat similar to the process of a website redesign. Just like it sounds, this maps out all of the now-secure pages living on your site and their relationships to each other. Once your pages are properly reindexed, you’ll submit the updates to Google and start your new life as a considerably more secure website.
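The checks described in Steps 2 and 3 can be automated once you have a crawl of your old URLs. The following is an added example, not part of the original article: the URLs, recorded responses and HTML are constructed sample data, and `redirect_problem`, `audit` and `insecure_references` are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample data: crawl records (requested URL, status, Location header) and one page body.
RESPONSES = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/pricing", 302, "https://example.com/pricing"),
    ("http://example.com/contact", 200, None),
    ("http://example.com/blog", 301, "http://www.example.com/blog"),
]
PAGE = ('<a href="http://example.com/guide.pdf">Guide</a>'
        '<img src="https://example.com/logo.png">'
        '<script src="http://example.com/app.js"></script>')

def redirect_problem(url, status, location):
    """Return None if url is permanently redirected to its HTTPS twin, else a reason."""
    if status != 301:
        return f"status {status}, expected 301"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect target is not HTTPS"
    if (target.path or "/") != (urlsplit(url).path or "/"):
        return "redirect target is a different page"
    return None

def audit(responses):
    """Map each failing HTTP URL to the reason it fails the Step 2 check."""
    checked = ((u, redirect_problem(u, s, loc)) for u, s, loc in responses)
    return {u: reason for u, reason in checked if reason}

class _RefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        # Flags every http:// link or resource, including third-party ones, for review.
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("http://"):
                self.insecure.append((tag, value))

def insecure_references(html):
    """List (tag, url) pairs for links and embedded resources still using http://."""
    finder = _RefFinder()
    finder.feed(html)
    return finder.insecure

if __name__ == "__main__":
    print(audit(RESPONSES))
    print(insecure_references(PAGE))
```

A 302 or a 200 on an old HTTP URL means visitors and search engines can still land on the non-secure page, and an `http://` script or image on an HTTPS page is fetched without encryption.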

If this all sounds like a lot of work, well, it rather is. But it’s also work that will go a long way toward boosting your credibility with consumers, enhancing your searchability with Google, and, most importantly, providing better data protection for both your users and your organization. That kind of return on investment should be motivation enough to make the switch to HTTPS.

