What You Need to Know About HTTPS & SSL Certificates to Protect Your Website from Online Threats



In this post, Blue Magnet will explain the complicated world of secure web browsing, outline the benefits of transferring your site to HTTPS, and tell you how to acquire and install an SSL certificate. While the post may get technical for a minute, it will also help you to futureproof your website in the rapidly evolving digital landscape.

You have probably seen the green lock followed by “https://” in your web browser, and you might intuitively understand that icon signifies something good. In the most reductive sense, that green lock means you are safely browsing on a secure website. Not only has secure browsing been a growing trend, it is undoubtedly the future of the internet.

A Barstool Explanation of Secure Browsing

Think of the transmission of online data as a conversation between two pals. Let’s call these pals Jerry and Kramer. Jerry and Kramer are neighbors and close personal friends. In the public, insecure hallway of their Manhattan apartment building, Jerry foolishly shares some personal and somewhat embarrassing information with his trusted confidant.

Unbeknownst to Jerry, his conniving, pugnacious, and dastardly neighbor Newman was also in the hallway. Hellbent on Jerry’s demise, Newman now knows his neighbor’s private, personal information and maliciously schemes to employ this intercepted knowledge to the detriment of Jerry.

Had Jerry conducted this conversation in the privacy of his secure apartment, that dastardly Newman would not have been able to co-opt this personal data. In this instance, the deadbolted door of apartment 5A would have acted as the online security granted by HTTPS browsing and an SSL certificate. Similarly, the open hallway of the 81st Street apartment represents the insecurity of HTTP browsing.

In every dark corner of the Internet, a Newman lurks. With an SSL certificate and HTTPS browsing, you can safeguard your website visitors from spammers and scoundrels like Newman.

A More Technical Overview of Secure Browsing

Why Secure Browsing Exists

When a guest’s browser requests to visit your hotel website, that person’s connection has to travel the physical networks of the World Wide Web, a term you probably have not heard elongated since 2001. The guest’s browser must make a physical connection with the server your website is hosted on; the connection has to travel the series of connected wires, passing from router to router, switch to switch, through different ISPs (internet service providers), all the way to the destination and back. This connection literally traverses the depths of the oceans and expanses of space, on certain occasions, just to ensure your hotel website loads.

Without safeguards, this connection is vulnerable to attacks throughout its epic voyage.

Simply put, think of your web traffic as a fleet of ships traveling from harbor to harbor depending on the captain’s orders. Your web traffic is vulnerable to pirates and unsavory scallywags searching for unsecure vessels to spy on, commandeer, and steal treasure. Throughout a browser request’s entire journey across every switch and router, the connection can be read, and this information can be intercepted by spammers. To protect users from these threats, secure browsing was introduced.

So What Exactly is Secure Browsing?

Secure browsing is performed within a specific and defined networking architecture that safeguards your browser’s connection to its destination server and all points in between. This system essentially scrambles your connection with the host server, making it exponentially more difficult to intercept, decipher, and manipulate. The difference between secure and insecure networking architectures (or protocols) is best seen in the comparison of HTTP vs HTTPS.

Kevin Law, an Information Security Research Advisor for Secureworks, explains the fundamental difference: “When you browse a website without HTTPS, anyone on the path to and from can see what you’re doing. When you use HTTPS, it’s like a black box between you and the website. HTTPS is especially important when you are entering login information or payment information.”

Now that you understand the importance of secure browsing enabled by an SSL certificate, let’s explore how this happens.

The Technical Differences Between HTTP and HTTPS

When a hotel guest’s browser makes a connection to your server, it follows a set of rules and standards so every message (request & response) can be understood, not unlike the standardized syntax of sheet music. This universal protocol ensures all servers and browsers can communicate and understand the intent of one another. HTTP, or Hypertext Transport Protocol, is the universally accepted protocol that has been the backbone of the internet (World Wide Web) since 1989; while it has been updated over the years, the rudimentary function has remained the same, and that is why every web address starts with HTTP.

Despite its status as a universally accepted standard, the HTTP protocol does come with a few shortcomings. Privacy and security are the protocol’s primary limitations, which led networking engineers on a journey to secure the web’s beloved protocol. Every transport of data sent & received via HTTP is transcribed in plain text, meaning anyone who can see the traffic sent with HTTP can read it. As we mentioned before, there are many touch points along the route your traffic takes to and from the server, leaving multiple vulnerabilities when working with straight HTTP.

Enter the realm of HTTPS-secure browsing, and you will be able to shield each one of these gaps from the unscrupulous agents of the web. HTTPS browsing ensures the information (data) being transported via the standard HTTP framework is no longer in plain text but instead is encrypted or shielded by “scrambling” the message. To secure your hotel website and protect your guests from the potential attacks of an insecure protocol, you will need to purchase and install an SSL certificate.

So What is an SSL Certificate?

Forgive some technical terms and dense verbiage you will see in this section. We promise to unpack everything we introduce, so bear with us as we journey into the realm of SSL certificates! Additionally, we will cover the benefits of HTTPS for your website and how your hotel can acquire and install an SSL Certificate later in this post, so stay tuned.

As we mentioned, an SSL certificate (cert for short) is the main requirement to achieve secure, protected browsing via HTTPS. But what exactly is an SSL certificate?

SSL certificates are small digital files that verifiably bind a cryptographic key to an internet presence (like your hotel website).

Now let’s break that down in English: your SSL cert allows internet browsers to confirm your website’s identity by using a file on your server and verifying it with complicated math.

A Quick Note on SSL & TLS

Protocols have been evolving, and successive versions have emerged, each stronger than its predecessor. In fact, we are now technically past the days of Secure Sockets Layer (SSL protocol) and are now using the Transport Layer Security (TLS) protocol. But since the internet has grown up with SSL, the name has stuck and is semantically interchangeable with TLS.

Some resources describe an SSL/TLS cert as akin to a virtual “passport” that checks in with a website’s “customs” office to ensure everything is in order. Like we mentioned, this “check” is performed by complicated math algorithms that are impossible to solve unless you know the unique rules, formatting, and set variables ahead of time. These components are called keys and are the fundamental method of how cryptography secures the connection when browsing with HTTPS.

How a Secure Connection is Made

When a browser requests a secured connection with the server (website), the following exchanges of keys happen:

  1. The server sends a copy of its public (accessible by anyone) key to the browser.
  2. The browser then creates a session key and encrypts it using the asymmetric public key received from the server.
  3. The server decrypts the encrypted session key using its own secret key (only accessible by the server) and generates a symmetrical session key — usable by both server and browser but only by that specific browser and server and only during that specific time. If the browser accesses the same server the next day, a new symmetrical session key will need to be generated.
  4. With the symmetrical session key in place, the server and browser can then encrypt and decrypt all the transmissions back and forth since they are the only entities that know the unique session key.

This process is known as the SSL handshake and is required for HTTPS browsing. Think of this as a secretly coded message being passed between you and your friend, and only you two know the secret to decoding the messages. If your grade school teachers intercept the note, they will not be able to understand your message without knowing the secret password!
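The four steps above, simulated end to end as an added example (not Blue Magnet's code and not a real TLS implementation). Textbook RSA over small constructed primes and an HMAC-SHA256 keystream stand in for the real algorithms, and every function name here is made up for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo primes (two Mersenne primes): far too small and too
# structured for real use. Real servers use 2048-bit+ RSA or elliptic curves.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537

def make_server_keys():
    """The server's key pair; only the public half ever leaves the server."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}

def browser_wrap_session_key(public):
    """Step 2: the browser picks a random session key and encrypts it to the server."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), public["e"], public["n"])
    return session_key, wrapped

def server_unwrap_session_key(private, wrapped):
    """Step 3: only the holder of the private key can recover the session key."""
    return pow(wrapped, private["d"], private["n"]).to_bytes(16, "big")

def _subkey(session_key, label):
    return hmac.new(session_key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a real cipher such as AES."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]

def seal(session_key, plaintext):
    """Step 4: encrypt one message and attach a tag that detects tampering."""
    nonce = secrets.token_bytes(12)
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(session_key, blob):
    """Step 4, receiving side: verify the tag first, then decrypt."""
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or message altered in transit")
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def run_handshake(message):
    public, private = make_server_keys()                      # step 1: public key sent to browser
    browser_key, wrapped = browser_wrap_session_key(public)   # step 2
    server_key = server_unwrap_session_key(private, wrapped)  # step 3
    wire = seal(browser_key, message)                         # step 4: what an eavesdropper sees
    return {"keys_match": browser_key == server_key, "session_key": server_key,
            "wire": wire, "server_reads": unseal(server_key, wire)}

if __name__ == "__main__":
    result = run_handshake(b"guest=J. Seinfeld; room=5A")  # constructed sample message
    print(result["keys_match"], result["wire"].hex(), result["server_reads"])
```

TLS 1.3 dropped this RSA key-wrapping step: both sides derive the session keys from an ephemeral Diffie-Hellman exchange, and the certificate's key signs the handshake instead.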

Content doesn’t have to be secret to make it worth securing

What are the Most Common Types and Strengths of SSL Certs?

As we mentioned earlier, different types of SSL certificates exist, each with different strengths, weaknesses, and levels of security.

Self-Signed SSL Certificates

The lowest level of SSL certification is the self-signed cert and is not recommended. A self-signed certificate is created and signed by the same entity it certifies. Due to this fact, it provides little validation for the security of the protocol and browsers normally do not trust self-signed certs – nor do we.

Domain Validated SSL Certificates

One of the more common SSL types on the web is the domain validated (or DV) certificate. These are issued when the Certificate Authority (CA) verifies the person or organization requesting the cert has control of the corresponding domain. This validation is typically done by uploading a file or snippet to the server or DNS record in order to “prove” you have control of the domain you are wishing to secure.

The primary benefits of domain validated certificates are their ease of validation, modest price, and simple renewal process. Conversely, these DV certs do not vet the organization’s true identity, and therefore are not good for commercial grade transactions since users cannot be sure who is on the other end. However, if you do not conduct ecommerce transactions on your hotel website, sending guests to a third party reservation system or a secure brand booking engine, a domain validated SSL certificate will work just fine.

Organization Validated SSL Certificates

Organization Validated (OV) SSL certs are similar to DV certificates but require an additional layer of vetting. For OV certs, the issuing CA checks the submitted data of the SSL request against submitted documents, like an incorporation article or legal government license, to more thoroughly confirm the identity of the organization.

Extended Validation SSL Certificates

Extended Validation (EV) SSL certs employ the highest degree of authentication by adding human evaluation and increased documentation standards to the acquisition process. Certificate Authorities require a manual validation to confirm the identity of the organization applying for EV SSL certs. This cross-check references your application and verifies the applicant has a legal, physical, and on-going existence, has authorized the issuance of the cert, and has exclusive rights to use the certificate’s domain.

Additionally, the contact information on the domain’s WHOIS record must match the official records on the certificate and will be manually checked through organizational audit. If the applicant passes this procedure, the certificate is issued, and you will see not only the green lock but the green name of the organization the certificate is issued to.

Multi-Domain SSL Certificates

Subject Alternative Name (SAN) certificates, more commonly known as multi-domain certs, are intended for organizations operating numerous domains and subdomains across a single server. Since SAN certs allow for easy changes, they are incredibly helpful when a multitude of domains need to be protected but require frequent additions or removals of websites to the certificate.

Wildcard SSL Certificates

Wildcard Certificates are SSL certs that secure all the first-level subdomains on an entire domain. A wildcard SSL cert may be useful for hoteliers that market their properties on subdomains of their primary brand or management group domains. For example, with a wildcard SSL cert, you can protect chicago.vallejohotel.com and kenosha.vallejohotel.com with the same certificate.
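Before buying, it helps to check which hostnames a given set of certificate names actually covers. The sketch below is an added example, not part of the original post; the function names and the host inventory are constructed, and the matching rule is a simplified version of what browsers apply (a wildcard replaces exactly one left-most label).

```python
def name_matches(cert_name, hostname):
    """True if one name from the certificate (exact or wildcard) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in host_labels or len(cert_labels) != len(host_labels):
        return False  # a wildcard stands for exactly one label, never zero or two
    if cert_labels[0] == "*":
        # Simplification: require at least "*.domain.tld" so "*.com" never matches.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return "*" not in cert_name and cert_labels == host_labels


def coverage_report(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    return {host: next((n for n in cert_names if name_matches(n, host)), None)
            for host in hostnames}


# Constructed inventory using the article's example domain.
HOSTS = ["chicago.vallejohotel.com", "kenosha.vallejohotel.com",
         "vallejohotel.com", "rooms.chicago.vallejohotel.com"]
WILDCARD_ONLY = ["*.vallejohotel.com"]
WILDCARD_PLUS_SAN = ["*.vallejohotel.com", "vallejohotel.com",
                     "*.chicago.vallejohotel.com"]

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_ONLY),
                         ("wildcard + SANs", WILDCARD_PLUS_SAN)]:
        print(label)
        for host, covered_by in coverage_report(names, HOSTS).items():
            print(f"  {host:32} {covered_by or 'NOT COVERED'}")
```

With the wildcard alone, the bare domain and the second-level subdomain come back uncovered, which is why wildcard certs usually list the bare domain as an additional name.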

So, What Does an SSL Certificate Mean for Your Hotel Website?

Enough with the technical jargon. Now that you have a basic understanding of secure browsing and SSL certificates, we can discuss how an SSL certificate will benefit your digital marketing campaign and outline some actionable steps to migrate your website to HTTPS.

Benefits of an SSL Certificate

Secure websites have tangible, demonstrable advantages over non-secure websites, and transitioning your hotel website to HTTPS will improve your:

  • Security
  • Organic Search Rankings
  • User Experience and Trust
  • Relevance in the Digital Realm

Increased Security

Security is paramount, and SSL encryption will shield potential guests from a variety of malicious threats, including identity theft and man-in-the-middle attacks. Even if your hotel does not conduct monetary transactions on your domain (i.e., you link to your brand’s booking engine or a 3rd party reservation system), having a secure website will protect your visitors from browser attacks, server attacks, and man-in-the-middle attacks.

SEO Advantages

To help deliver safe, seamless, and accurate searcher experiences, Google’s algorithm rewards secure sites. In 2014, Google first announced transitioning a website to HTTPS can provide a minor ranking boost in organic search.

Since that announcement, researchers have found steady yet significant ranking improvements among HTTPS pages on the first SERP. As of April 2017, Moz’s Dr. Pete Meyers found 50% of first-SERP pages were HTTPS and predicted that number could be as high as 65% by the end of 2017. The Mozcast also shows 82.1% of searches feature HTTPS results on the first page.

Together, this data shows a clear ranking advantage for HTTPS websites, and acquiring an SSL cert for your website will help your hotel outrank your competitors in organic search.

Improved UX and Trust

Secure websites effectively create trust, which enhances the user experience. When a potential guest lands on your secure website and sees the green lock in the browser bar, he or she will proceed confidently. Even if it occurs on a subconscious level, this sense of ease reduces friction in the booking process and will contribute to a conversion-optimized website.

Contrastingly, imagine a potential guest lands on your domain and sees the unnerving “Your connection is not private” page with the red strikethrough in the search bar and the alarming exclamation point at the start of the content. This jarring user experience will drive up to 82% of travelers away from your website and can hinder revenue from direct bookings.

Put simply, hotels with secure websites have significantly higher revenue potential than non-secure websites.

The Future is Secure

In February 2018, Google reiterated the future of the web is secure, which means SSL certificates may become more than a strong recommendation. Additionally, as scammers become increasingly deft and your competitors migrate to HTTPS, transitioning to a secure protocol will help your hotel stay relevant in a rapidly changing digital landscape. Acquiring an SSL cert will help your website evolve with the times and maintain digital trust with your potential and returning guests.

Additional SSL Certificate Considerations

While the benefits of getting an SSL cert significantly outweigh the downsides, Blue Magnet would like to point out the potential negative consequences of migrating your website to HTTPS. Since secure connections are more intensive, load times often increase slightly after procuring an SSL certificate. If your hotel website has outstanding site speed issues (and your transactions are conducted via a third party booking engine), you may want to correct those issues before implementing secure browsing. Decreases in site speed are typically nominal, but we recommend proceeding with caution to prevent exacerbation of site speed issues.

How to Acquire and Implement an SSL Certificate

Now that you know how secure browsing works and the benefits of migrating your site to HTTPS, we will outline how your hotel can acquire and install an SSL certificate.

Acquire Your SSL Certificate

SSL certificates can be purchased directly from trusted third party certification authorities like VeriSign, Comodo, Digicert, or Network Solutions. Hosting providers and content delivery networks (like Cloudflare) also offer SSL acquisition services. Typically hosting providers and CDNs act as brokers, purchasing certs from trusted certification authorities.

The purchase of an SSL cert does not differ greatly from other ecommerce transactions. Once you have chosen an SSL provider, select the strength and expiration of your certification. Upon payment, you will receive your unique SSL key and the essential files needed to install your new certification. These are the raw materials needed to access the secure protocol.

Get Your SSL Certificate Validated

If you choose a strong SSL cert that requires heightened vetting, you need to confirm your hotel’s identity so that your domain and certificate match. This validation establishes domain accuracy and creates a trust chain to facilitate safe, secure browsing.

Different levels of validations exist, but most commonly you will need to verify your ownership by proving you have control over the domain and website you are trying to secure. We go more into depth on the types of validation in the breakdown of the types of SSL above.

Install Your Cert

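After you have validated your SSL cert, install it on your website. Add all relevant files, including your certificate, keys, and CSRs (certificate signing requests) to your hotel’s hosting. In most instances, you can upload these files via your FTP, CMS, or cPanel. Store the private key where only the web server can read it, never in a publicly served directory, because anyone who copies it can impersonate your site.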

If you acquired your certificate through your hotel’s hosting provider or a content delivery network, they may include installation in the SSL purchase price.

Have you purchased an SSL but need help installing it on your hotel website? Get in touch with Blue Magnet’s experienced development team, and we will help you enter the world of secure browsing.

Configure Your Website

To prevent error messages or broken content, configure your website to securely call all files and assets via HTTPS. Audit your site to ensure all scripts, images, and fonts are being pulled in from a secure source. Additionally, check your website for any hard coded internal links to prevent redirects or crawl errors. Tools like Screaming Frog and Monkey Test It will help you identify issues, but we recommend a manual audit as well.

While the aforementioned configurations foster a seamless UX to minimize friction in the booking process, a handful of technical elements also require updating to clearly communicate the change to search engines. Do not forget to update your sitemap, robots.txt file, rel="canonical" tags, and schema markup to help tell crawlers the HTTPS version of your site is the official, authoritative version of your site.
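The asset, internal-link and canonical-tag checks from the two paragraphs above can be scripted per page. This is an added example, not a tool the post mentions or Blue Magnet's own code; the class and function names and the sample page are constructed, and it inspects HTML attributes only (not `srcset` or URLs inside CSS).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource into the page.
ASSET_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "source": "src", "video": "src", "audio": "src"}
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

def _split(url):
    try:
        return urlsplit(url.strip())
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return urlsplit("")

class HttpsAudit(HTMLParser):
    """Collects (line, kind, url) for every reference that still uses http://."""

    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        line = self.getpos()[0]
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            kind = ("canonical-http" if "canonical" in rels
                    else "mixed-content" if rels & LOADING_RELS else None)
            url = attrs.get("href", "")
        elif tag == "a":
            # Only links to our own site matter here: each one costs a redirect hop.
            url = attrs.get("href", "")
            kind = "internal-link-http" if _split(url).hostname in self.site_hosts else None
        else:
            url = attrs.get(ASSET_ATTRS.get(tag, ""), "")
            kind = "mixed-content"
        if kind and _split(url).scheme == "http":
            self.findings.append((line, kind, url))

def audit_html(html, site_hosts):
    """Return the list of http:// references found in one HTML document."""
    parser = HttpsAudit(site_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page on the article's example domain.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://www.vallejohotel.com/rooms">
<link rel="stylesheet" href="https://www.vallejohotel.com/site.css">
<script src="http://cdn.example.net/slider.js"></script>
</head><body>
<img src="//images.example.net/lobby.jpg">
<a href="http://www.vallejohotel.com/specials">Specials</a>
<a href="http://partner.example.org/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for line, kind, url in audit_html(SAMPLE_PAGE, {"vallejohotel.com", "www.vallejohotel.com"}):
        print(f"line {line}: {kind:20} {url}")
```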

Fun Fact: John Mueller, Webmaster Trends Analyst at Google has confirmed the benefit to doing this:

Strategically Configure Your Traffic to HTTPS

After you have configured your website, send all traffic to the HTTPS version of the site. Without taking the appropriate steps, both HTTP and HTTPS versions of your site will be visible to potential guests, which can create a muddied UX, add gaps in your tracking, and potentially inhibit the HTTPS version of your site from getting indexed over the HTTP version.

While Blue Magnet typically employs rewrite rules in websites’ .htaccess files, you can also force your traffic to HTTPS through server rules, your CMS, or a content delivery network.

Pro tip: employ caution during this step. Improperly-written redirects will bring down your site.

Update Your Tracking

To maintain a clear understanding of your website performance, update your Google Analytics (GA) and Google Search Console accounts. In GA, correct your default URL in your property and view settings. While you are logged into Analytics, make an annotation to help benchmark the SEO benefits of your newly-secured website.

Since Google indexes HTTP and HTTPS sites differently, you will also need to create a new GSC property for the secure version of your site. During this process, submit your updated sitemap, link your new Search Console property to Google Analytics, and request indexing for your home, rooms, specials, and other key pages.

Optimize Your Digital Presence

Once you have successfully transitioned your website to HTTPS, update your various channels to reflect your newfound security. Update your Google My Business, social media channels, Yelp, TripAdvisor, event directories, marketing collateral, and other platforms with your HTTPS link. Many of these sites are powerful data hubs that distribute information across the web, and keeping your citations as uniform as possible will help your hotel compete in local search and improve your chances of ranking in the Google three-pack.

Of course, if you use a local listing tool like Moz Local or Yext, change your URL there as well.

Secure Browsing Made Easy

While the technical components of SSL certificates may seem endlessly vexing to the uninitiated hotelier, the overarching principles are simple. Procuring an SSL certificate will allow your hotel website to operate on the HTTPS protocol, and your website will be safe from a bevy of malicious behavior, provide a better user experience, and see a sustainable boost in organic search rankings. If you need assistance making the jump to secure browsing or just want to talk shop about the fascinating world of HTTPS technicals, contact the seasoned development experts at Blue Magnet!

This post was written by Don Angelo and Brian Surdel.