Ecommerce Website HTTP or HTTPS?

TheGeekestLink

Free Member
May 4, 2011
372
23
Just setting up a new website and my developer has suggested that it would benefit from being ALL HTTPS. Is this advisable and are there any disadvantages to it?

This is an area I know nothing about and web searching seems to bring up very little on security encryption.

I know most shopping sites are only HTTPS when you've logged in to buy something.

Advice?
 

ssh

Free Member
Jun 6, 2014
48
2
HTTPS all the way! Unless you want to force visitors to send credentials over an open connection? You can get a proper free SSL online if you search for one. Or you can write your own SSL. However, if you write your own SSL certificate, website visitors will see a security alert and then they would have to accept it before they could continue to your website for the first time.
 

Rickeo

Free Member
Jun 12, 2014
19
2
36
Manchester
You can get your own; however, setting it all up can be difficult if you don't know what you're doing. If you're a novice to these kinds of things, it's not only time consuming but can be difficult.

In terms of what HTTPS/HTTP is, it's easily explained.

In simple terms HTTPS is a more secure connection which allows people to send you details over the net encrypted. So it's considered safer than HTTP. The only time I'd say you NEED and MUST HAVE one is if you're selling things DIRECTLY (not on eBay etc) on your website. Only then is it a MUST HAVE as it gives consumers the confidence that your website is more safe and secure submitting details over.

Hope that helps!
 

8420PR

Free Member
Aug 9, 2009
143
18
Without any technical server knowledge, I would not recommend an all https website, because:
- my perception is loading times are longer.
- high risk of visitors getting warnings of unsecure content (if it is coming from another website that is not https, but included on your https page).

But of course you do need https where personal information (email, address etc) is entered, and certainly for any payment information.

Just my opinion, and of course your developer can easily fix both issues.
 

KM-Tiger

Free Member
Aug 10, 2003
10,346
1
2,893
Bexley, Kent
Didn't realise you could get your own.
Depends what you mean by 'get your own'.

What @ssh was referring to is a self-signed certificate. That will actually be just as secure as any other from an encryption point of view, but it will trigger dire warnings in any browser, as the root certificate will not be one of those built into the browser. That will frighten off potential customers.

To avoid browser warnings you have no choice but to pay the ransom to one of the cartel who have their root certificates built into browsers.
 

antropy

Business Member
  • Business Listing
    Aug 2, 2010
    5,324
    1,104
    West Sussex, UK
    www.antropy.co.uk
    It will help your developer sell you a certificate.
    Not if the checkout is already HTTPS, the same one will cover it.

    I'd say having the whole site HTTPS is generally a good idea, Google and Facebook have gone that way and don't seem to load too slowly.
     

    andygambles

    Free Member
    Jun 17, 2009
    2,616
    687
    Scarborough
    Modern browsers and technology mean there is no noticeable speed difference between https and http. Many major sites have gone 100% https. I completely advocate going 100% https.

    I also recommend you get an EV certificate (Green Address Bar). This means that every page on your site will show the green address bar which helps visitors trust your website more, especially if it is not an instantly recognised brand. These can be purchased for under £100 per year. More expensive versions include things like Malware/Vulnerability scanning and enhanced encryption options.

    For us going 100% https had a marked improvement on conversions.

    This might be an interesting read: https://blog.servertastic.com/switching-your-site-to-100-https/

    Talking about "Making your own SSL", all certificates are generated by you, but for them to be accepted by public browsers they need to be signed by a Certificate Authority, which is why they cost money. The CAs need to maintain the infrastructure for generation of public keys and handle OCSP and CRL lookups (this is when your browser checks the certificate is valid and has not been revoked).

    Disclosure: I sell SSL certificates
     

    Jayser100

    Free Member
    May 21, 2009
    718
    123
    Maidstone
    I have noticed recently that the major Windows 8 browsers like Explorer and Chrome now seem to default to https in the browser bar when you open them. This is significant in my view because, if someone tries to type your URL into the bar and you don't have an https site, it won't work. If the potential customer isn't that internet savvy, they might just think that means your website does not exist, or isn't working. For this reason I am going to switch my own site to https very soon.
     

    ecoleman

    Free Member
    Feb 12, 2010
    392
    71
    I'm not sure I agree with this. Just because Paypal and facebook have gone HTTPS doesn't mean we all need to and I certainly don't believe this will become the norm.
    Everything on Paypal is sensitive information so it stands to reason that Paypal should be HTTPS, the same can be said for Facebook.

    An ecommerce site is not displaying sensitive information until a customer starts the checkout process where it is imperative that you use a secure page. I really don't see the point in making the whole site secure.

    Amazon don't
    PC World doesn't
    eBuyer doesn't
    Argos doesn't
    M&S - No
    Tesco - No
    Next - No
    John Lewis - No

    If HTTPS was really a way to seriously improve conversions, these guys would have jumped all over it.
     

    nahosting

    Free Member
    Mar 19, 2013
    252
    62
    Totnes
    We would recommend HTTPS for all your website pages if you are selling items or your clients are logging in. People switch off/move on from websites for all sorts of reasons and security/trust is one of the major reasons. The big sites are trusted so might not implement on all their pages but unless you have a loyal following I doubt your website will have the same level of trust. DO NOT use your own as it will only give warnings, fine for testing etc. Again free SSL certificates are free for a reason and they are not trusted by users so much and generally don't come with site seals or checks. We supply SSL certificates from £6.79 a year for a domain validated SSL certificate to £59.95 for a full EV SSL certificate so it doesn't have to break the bank. - https://www.nuttyabouthosting.co.uk/ssl-certificates
     

    pjperez

    Free Member
    Mar 31, 2014
    106
    17
    Reading
    An ecommerce site is not displaying sensitive information until a customer starts the checkout process where it is imperative that you use a secure page. I really don't see the point in making the whole site secure.

    I can't talk about improving conversions, but the above is really bad advice. If you're logged in to your account and just browsing the site, I can get your cookies, hence steal your session, hence get full control of your account. Some of the sites mentioned above ask you to reconfirm credentials before any critical operation (change account details, buy something) and at that moment you go HTTPS to not come back.
     
    Upvote 0
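The session-cookie exposure described in the post above can be audited from the response headers a site sends at login. This is an added example, not part of the thread: it lists which cookies a browser will attach to plain `http://` page requests (those without the `Secure` attribute) and whether `Strict-Transport-Security` is set; the header values are constructed.

```python
from http.cookies import SimpleCookie


def cookies_sent_over_http(set_cookie_values):
    """Names of cookies a browser will attach to plain http:// requests.

    A cookie without the Secure attribute is sent on every request to the
    site, including the unencrypted catalogue pages.
    """
    exposed = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        exposed += [name for name, morsel in jar.items() if not morsel["secure"]]
    return exposed


def audit_login_response(headers):
    """headers: (name, value) pairs from the HTTPS login response."""
    set_cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    findings = [
        f"cookie {name!r} lacks Secure, so it travels unencrypted on http:// pages"
        for name in cookies_sent_over_http(set_cookies)
    ]
    if not has_hsts:
        findings.append(
            "no Strict-Transport-Security header, so later visits may start on http://"
        )
    return findings


# Constructed responses: a shop that is HTTPS only at login/checkout,
# and the same shop served entirely over HTTPS.
CHECKOUT_ONLY_HTTPS = [
    ("Set-Cookie", "SESSIONID=constructed123; Path=/; HttpOnly"),
    ("Set-Cookie", "basket=3; Path=/"),
]
ALL_HTTPS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "SESSIONID=constructed123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("checkout-only", CHECKOUT_ONLY_HTTPS), ("all-https", ALL_HTTPS)):
        print(label, audit_login_response(hdrs) or "ok")
```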
    If you have the be-all and end-all of server power and bandwidth, then by all means have HTTPS sitewide.

    But for the majority of sole-traders and small businesses, I would recommend HTTP (NON-HTTPS) on the majority of your site, leaving only login pages, logged-in areas, the cart system and checkout pages HTTPS (but express CLEARLY on every page that your checkout is SSL Secured).

    If they know the bit that matters is secure, and can see it when they go to pay or login etc, then they will not mind that the rest of the site isn't HTTPS. All you will do is eat up your bandwidth and slow down your site, technically.

    It also depends what industry you're in I suppose. Know your customers, and think about what they want. For example, if you're selling SSL services, you want your whole site SSL-secured, it shows off your well-implemented SSL, and boasts how crucial SSL is that you - the pro - are using it site-wide, even in places where realistically it's not at all necessary.

    But selling spuds, I don't think anyone's going to care until the cart process begins.
     

    andygambles

    Free Member
    Jun 17, 2009
    2,616
    687
    Scarborough
    The overhead is practically non existent. Google reported a sub 1% increase in load when they went 100% https.

    There are also protocols like SPDY which can make the overhead literally zero and possibly even make your site faster.

    Not everyone needs SSL but I feel it would make for a safer web if https was the norm rather than the exception. This would make less savvy users potentially take more notice when a site isn't https.
     

    dx3webs

    Free Member
    Feb 22, 2011
    492
    131
    Lincoln, UK
    dx3webs.com
    @ecoleman.. good feedback.

    I can't see any reason at all to go whole https. You want to show an increase in security at check out / account login.. how do you do this if the site looks the same all over?

    It is a well established 'norm'; why take the risk and go against this?

    Also, it may have an impact on google listings.. can any SEO bods confirm or deny this?
     

    ecoleman

    Free Member
    Feb 12, 2010
    392
    71
    I don't think this would actually hurt google rankings as long as you have the correct redirects in place, but looking at various blogs about this subject it doesn't look like it will be an advantage either.

    I can see why some say it may increase conversions. We are always seeing programs like Watchdog and Rip Off Britain telling people to look for the padlock. Unfortunately they forget to mention that this is only necessary at the checkout stage where personal information is being entered. So it would stand to reason that some "not so tech savvy" customers could think they are on a non-secure site and leave.

    I certainly didn't see any drop in speed on the site and Analytics speed data doesn't show any particular slow down since implementing it but we do run on a fairly well spec'd VDS and not a cheap shared hosting solution.

    However, saying all this, I have seen no improvement in conversion over the past 12 days so I'm not entirely sold.

    What it did do was kill my PPC for a day while all my ads were re-approved with the new URL :(
     