Ecommerce Website HTTP or HTTS?

[TheGeekestLink]

Just setting up a new website and my developer has suggested that it would benefit from being ALL HTTPS. Is this advisable and is there any disadvantages to it?

This is an area I know nothing about and web searching seems to bring up very little on security encryption.

I know most shopping sites are only HTTPS when you've logged in to buy something.

Advice?

 

[martin_frost]

It will help your developer sell you a certificate.

Indexing of HTTP/HTTPS is the same.

 

[ssh]

HTTPS all the way! Unless you want to force visitors to send credentials over open connection? You can get a proper free SSL online if you search for one. Or you can write your own SSL. However, if you write your own SSL certificate website visitors will see a security alert and then they would have to accept it before they could continue to your website for the first time.

 

[FantasticCleaners]

HTTPS takes longer to load client wise, but is definitely a must for e-commerce. It is flat-out better for you and your customers.

 

[TheGeekestLink]

Drat. I just paid £80 for two. I thought that was quite reasonable. Didn't realise you could get your own.

 

[Rickeo]

You can get your own however setting it all up can be difficult if you don't know what you're doing if you're a novice to these kind of things it's not only time consuming but can be difficult.

In terms of what HTTPS/HTTP is it easily explained.

In simple terms HTTPS is a more secure connection which allows people to send you details over the net encrypted. So it's considered safer than HTTP. The only time I'd say you NEED and MUST HAVE one is if you're selling things DIRECTLY (not on eBay etc) on your website. Only then is it a MUST HAVE as it gives consumers the confidence that your website is more safe and secure submitting details over.

Hope that helps!

 

[8420PR]

Without any technical server knowledge, I would not recommend an all https website, because:
- my perception is loading times are longer.
- high risk of visitors getting warnings of unsecure content (if it is coming from another website that is not https, but included on your https page).

But of course you do need https where personal information (email, address etc) is entered, and certainly for any oayment information.

Just my opinion, and of course your developer can easily fix both issues.

 

[KM-Tiger]

Didn't realise you could get your own.

Depends what you mean by 'get your own'.

What @ssh was referring to is a self-signed certificate. That will actually be just as secure as any other from an encryption point of view, but it will trigger dire warnings in any browser, as the root certificate will not be one of those built into the browser. That will frighten off potential customers.

To avoid browser warnings you have no choice but to pay the ransom to one of the cartel who have their root certificates built into browsers.

 

[mtools]

my card supplier would not let me take card payments without a SSL (was paypal pro). my SSL ceritficate cost me £25 and i needed an IP address which cost around £35. reasonable enough i thought and obviously gives customers peace of mind

 

[antropy]

It will help your developer sell you a certificate.

Not if the checkout is already HTTPS, the same one will cover it.

I'd say having the whole site HTTPS is generally a good idea, Google and Facebook have gone that way and don't seem to load too slowly.

 

[andygambles]

Modern browsers and technology means there is no noticeable speed difference between https and http. Many major sites have gone 100% https. I completely advocate going 100% https.

I also recommend you get an EV certificate (Green Address Bar). This means that every page on your site will show the green address bar which helps visitors trust your website more, especially if it is not an instantly recognised brand. These can be purchased for under £100 per year. More expensive versions include things like Malware/Vulnerability scanning and enhanced encryption options.

For us going 100% https had a marked improvement on conversions.

This might be an interesting read: https://blog.servertastic.com/switching-your-site-to-100-https/

Talking about "Making your own SSL" all certificates are generated by you but for them to be accepted by public browsers they need to be signed by a Certificate Authority. Which is why they cost money. The CA's need to maintain the infrastructure for generation of public keys and handle OCSP and CRL lookups (this is when your browser checks the certificate is valid and has not been revoked).

Disclosure: I sell SSL certificates

 

[Jayser100]

I have noticed recently that the major Windows 8 browsers like Explorer and Chrome now seem to default to https in the browser bar when you open them. This is significant in my view because, if someone tries to type your URL into the bar and you don't have an https site, it won't work. If the potential customer isn't that internet savvy, they might just think that means your website does not exist, or isn't working. For this reason I am going to switch my own site to https very soon.

 

[8420PR]

oh. thats interesting and the first time I heard that. I will try when I get home (windows 7 only at work).

 

[ecoleman]

I'm not sure I agree with this. Just because Paypal and facebook have gone HTTPS doesn't mean we all need to and I certainly don't believe this will become the norm.
Everything on Paypal is sensitive information so it stands to reason that Paypal should be HTTPS, the same can be said for Facebook.

An ecommerce site is not displaying sensitive information until a customer starts the checkout process where it is imperative that you use a secure page. I really don't see the point in making the whole site secure.

Amazon don't
PC World doesn't
eBuyer doesn't
Argos doesn't
M&S - No
Tesco - No
Next - No
John Lewis - No

If HTTPS was really a way to seriously improve conversions, these guys would have jumped all over it.

 

[ecoleman]

I have noticed recently that the major Windows 8 browsers like Explorer and Chrome now seem to default to https

Not here they don't. Not on Win 8 or OSX Mavericks

 

[nahosting]

We would recommend HTTPS for all your website pages if you are selling items or your clients are logging in. People switch off/move on from websites for all sorts of reasons and security/trust is one of the major reasons. The big sites are trusted so might not implement on all their pages but unless you have a loyal following I doubt your website will have the same level of trust. DO NOT use your own as it will only give warnings, fine for testing etc. Again free SSL certificates are free for a reason and they are not trusted by users so much and generally don't come with site seals or checks. We supply SSL certificates from £6.79 a year for a domain validated SSL certificate to £59.95 for a full EV SSL certificate so it doesn't have to break the bank. - https://www.nuttyabouthosting.co.uk/ssl-certificates

 

[ecoleman]

Okay, I convert pretty well (around 7.5%). I've just changed my site to all HTTPS://

the proof is in the pudding

 

[ecoleman]

When a user connects to a website via HTTPS, the website encrypts the session with a Digital Certificate. A user can tell if they are connected to a secure website if the website URL begins with https:// instead of http://.

I think we all understand that already. Was there a point to this post?

 

[ecoleman]

Oh ... Really @ecoleman ?

Yes, Really! We have been discussing the benefits of using HTTPS:// over HTTP:// on an ecommerce site. Nobody has asked what HTTPS:// is, but thanks for signing up just to let us know anyway.

 

[ecoleman]

 

[pjperez]

An ecommerce site is not displaying sensitive information until a customer starts the checkout process where it is imperative that you use a secure page. I really don't see the point in making the whole site secure.

I can't talk about improving conversions, but the above is really bad advice. If you're logged in your account and just browsing the site I can get your cookies hence steal your session hence get full control of your account. Some of the sites mentioned above ask you to reconfirm credentials before any critical operation (change account details, buy something) and at that moment you go HTTPS to not come back.

 

[ecoleman]

You are correct. I was not referring to being logged into an account but simply a guest browsing the site. Whenever sensitive information comes into play then as I said HTTPS is imperative.

 

[ClickWebStudio]

If you have the be-all and end-all of server power and bandwidth, then by all means have HTTPS sitewide.

But for the majority of sole-traders and small businesses, I would recommend HTTP (NON-HTTPS) on the majority of your site, leaving only login pages, logged-in areas, the cart system and checkout pages HTTPS (but express CLEARLY on every page that your checkout is SSL Secured).

If they know the bit that matters is secure, and can see it when they go to pay or login etc, then they will not mind that the rest of the site isn't HTTPS. All you will do is eat up your bandwidth and slow down your site, technically.

It also depends what industry you're in I suppose. Know your customers, and think about what they want. For example, if you're selling SSL services, you want your whole site SSL-secured, it shows off your well-implemented SSL, and boasts how crucial SSL is that you - the pro - are using it site-wide, even in places where realistically it's not at all necessary.

But selling spuds, I don't think anyone's going to care until the cart process begins.

 

[ecoleman]

Urrm, Why would it eat up your bandwidth? SSL has very little overhead.

Are you are referring to the myth that secure pages don't get cached?

 

[ClickWebStudio]

Not at all.. But do your own benchmarks and see the difference.

EDIT: I'm not actually suggesting you waste your time on that by the way, logic will instead tell you that if it's technically slower, it's technically processing more data.

 

[andygambles]

The overhead is practically non existent. Google reported a sub 1% increase in load when they went 100% https.

There is also protocols like SPDY which can make the overhead literally zero and possible even make your site faster.

Not everyone needs SSL but I feel it would make for a safer web if https was the norm rather than the exception. This would make less savy users potentially take more notice when a site isn't https.

 

[Chris Ashdown]

Most e-commerce site dont use https as its not needed, but all of them. Transfer the user to their psp's sites which are https when payment details are required, therefor giving protection for the payment side of the transaction

 

[ecoleman]

Okay, I convert pretty well (around 7.5%). I've just changed my site to all HTTPS://

the proof is in the pudding

Well we've been running HTTPS:// for around 12 days now. No increase in conversions, in fact we have dropped. This may just be the time of the month but we'll continue for a while longer.

 

[dx3webs]

@ecoleman.. good feed back.

I cant see any reason at all to go whole https You want to show an increase in security at check out / account login.. how do you do this if the site looks the same all over?

It is a well established 'norm' why take the risk an go against this.

Also, it may have an impact on google listings.. can any SEO bods confirm or deny this?

 

[ecoleman]

I don't think this would actually hurt google rankings as long as you have the correct redirects in place, but looking at various blogs about this subject it doesn't look like it will be an advantage either.

I can see why some say it may increase conversions. We are always seeing programs like watchdog and rip-off britain telling people to look for the padlock. Unfortunately they forget to mention that this is only necessary at the checkout stage where personal information is being entered. So it would stand to reason that some "not so tech savvy" customers could think they are non a non-secure site and leave.

I certainly didn't see any drop in speed on the site and Analytics speed data doesn't show any particular slow down since implementing it but we do run on a fairly well spec'd VDS and not a cheap shared hosting solution.

However, saying all this, I have seen no improvement in conversion over the past 12 days so I'm not entirely sold.

What it did do was kill my PPC for a day while all my ads where re-approved with the new URL

 

[HFE Signs]

Personally I'd go all HTTPS

 

[andygambles]

If your going fully https it could be worth going for an EV cert which will show the green address bar. This is much more noticeable and may increase conversions more.