We’ve had a lot of changes over the past 6 weeks, and there’s one I want to highlight that at first may not seem like a big deal, but in reality is fairly significant.
When we officially evolved from Junger Media to Digital Ink (and launched our new site, dgtlnk.com), it became the perfect opportunity to make some back-end changes. As with all of our projects, we’re constantly improving upon what we’ve done in the past, and implementing new technologies and best practices we learn along the way.
One of the changes we made with the new website was to purchase a security certificate and make the move to HTTPS. Wikipedia has a simple explanation of the main differences between a secure HTTPS site and a non-encrypted HTTP site:
“HTTP is not encrypted and is vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify webpages to inject malware or advertisements. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL).”
Traditionally, HTTPS has been used on sites that process payment transactions or secure user data. We don’t do that — we don’t even have comments on our blog posts — but there’s been a big movement online to move to HTTPS for better security and a host of other reasons.
In fact, Google has called for “HTTPS Everywhere” — and when Google says jump, historically the rest of the Internet has said “How high?”
So, even though we don’t process payments or transfer sensitive user information, here’s why we switched to HTTPS.
When you’re viewing our secured site, a third party sitting on the network between you and our server can’t inject itself into the experience. Everything you’re seeing arrived from our server, encrypted and unmodified in transit.
The type of hack where a third party gets in between is called a “man-in-the-middle attack.” Here’s how Kaspersky Daily explains it:
“The concept behind the MITM attack is remarkably simple, and it is not limited to the computer security or online worlds. In its simplest form, the attack requires only that the attacker place himself between two parties that are trying to communicate and that he be able to intercept the messages being sent and further have the ability to impersonate at least one of the parties.
“For example, in the offline world this could involve someone creating fake bills or invoices, placing them in a victim’s mailbox and then intercepting the checks that the victim attempts to mail back as payment. In the online world, the attacks are somewhat more complex, but the idea is the same. The attacker puts himself between the target and some resource that she is trying to reach.
“The attacker’s presence must remain unknown to both the victim and the legitimate resource he is impersonating in order for the attack to be successful.”
Because we’re using a security certificate, your browser can verify that the content on our site is actually coming from our site, and not from an attacker in the middle.
In 2014, Google announced that it would use HTTPS as a ranking signal in determining where sites appear in its search results.
It’s not a huge factor in Google’s algorithm, but if you’re in a field where there is a lot of competition for search engine placement, HTTPS does get used as a “tie-breaker” when sites are otherwise similar. As TheSEMPost explains:
“Google uses HTTPS as a tie breaker when it comes to the search results. If two sites are virtually identical when it comes to where Google would rank them in the search results, HTTPS acts as a tie breaker. Google would use HTTPS to decide which site would appear first, if one site is using HTTPS while the other is not.”
Now, we don’t rely on Google for traffic to our site (or our business in general – that’s a horrible idea), but having better placement in search engine results is certainly an added benefit, and in all likelihood, security will become an increasingly important ranking signal for Google.
Switching to a secure site isn’t a costly or time-consuming process. It’s less than $100 a year for the security certificate, and the time to make the switch is minimal. Users appreciate knowing that their time on your site is secure, and you don’t have to worry about any third-party troublemakers screwing up that experience.
It just makes sense to switch to HTTPS. The upsides clearly outweigh the cost and effort needed to make the switch. (Webmasters, here’s some information from Google about securing your site with HTTPS.)
If you’re interested in making the switch, here’s a great article in the NY Times listing out additional benefits.