The risks
If your site uses HTTP instead of HTTPS, an attacker could do things like:
- appear to change your website's content – giving customers false information
- steal information customers submit to your website, including login details, personal information or financial details
- insert ads or malware into any of your webpages without your knowledge. Your customers could also unintentionally download this
malware
to their computers.
These types of attacks are known as a 'man-in-the-middle' attack.
Man-in-the-middle-attack – Wikipedia
Why HTTPS matters – web.dev
Why it matters
There are several benefits to adding HTTPS to your website, and it doesn’t cost much to implement.
Trust in your website
Customers know that a website with a padlock is more trustworthy than one without.
Limited browser warnings
If your website doesn’t have HTTPS, your visitors may get a warning message telling them that your site is not secure.
For example, when you visit a website or web page that doesn’t use HTTPS on Chrome, it warns you that the connection isn’t secure. A 'not secure’ message displays in the address bar next to the URL.
Improved security
Information on a webpage goes through several points between a browser and a web server. An attacker could intercept the information at any of the points along this path. By encrypting the information using TLS, you can stop an attacker from:
- stealing your customers' data, or
- putting their own data onto your website.
Better search ranking
Search engines include the use of HTTPS as a factor when they’re ranking your website in search results – so using HTTPS gives your website a boost in search results over similar sites that don’t.
As more sites implement HTTPS over time, it’ll become obvious if your website doesn’t have it — and it’ll be harder for your customers to find.
How to protect your website
To make your website use TLS you’ll need a digital certificate, called a TLS certificate. It's sometimes called an SSL certificate too. Some issuers of TLS certificates can even issue you one for free.
If you have a technical support person, talk with them about moving to HTTPS. If you manage your own website, ask your hosting company if they provide SSL/TLS certificates. If they do, they can probably help you implement it.
They’ll need to:
- get and implement an SSL/TLS certificate for you
- add a permanent redirect to your site (from HTTP to HTTPS), and
- update any links to
third party
scripts to include HTTPS.
You’ll need to:
- update any links inside the content to include HTTPS. This includes links to images, downloads and tools
- set a reminder for a month before the certificate expires – this will make sure you renew it in plenty of time and avoid letting it run out.
Protect your website
Get help
If you need help implementing HTTPS on your website, talk to your IT service provider.
Choosing an IT service provider