How does HTTPS benefit small sites such as blogs?

I've never doubted that I should install an SSL/TLS certificate for a web service that I have been building for a client. Any site that has at least one form should use HTTPS—not just the login screen, but the whole site. When it came to my personal site, I had to do a bit of research because I wasn't 100% sure that there were benefits for a simple site. Spoiler alert: I concluded that every site should use HTTPS.

About the site

My blog is the typical small category member, not only because of the number of unique visitors, but also because of the quantity of sensitive data users send and receive. I started blogging on March 13th, 2015, and, according to Google Analytics, I have had around 50k page views since I started. This number is very unreliable because of bots, but at least it indicates that there are visitors, possibly even humans. At the moment, there are no forms or other interactive elements a user would send data through.

When a person wants to hire me or ask something via email, then he/she clicks a link instead of filling out a form.

I have a main page that is served by the Node.js Express application, and the blog is self-hosted on the Ghost blogging platform. The site is running on 7 dollars per month Heroku dyno.

I aim to make the blog more interactive by continuing the conversation with you, the reader. Building an email list to connect with people is on my to-do list. I am writing about my plans now because they will increase the demand for a more secure site.

Security benefits

HTTPS encrypts all communication, providing the following benefits:

protects browsing history and credit card numbers with encrypted URLs
verifies that the server is communicating with the correct website
prevents (or hinders) man-in-the-middle attacks

I had to think about more than random visitors coming to my blog. As the blog owner, I also benefit from increased security. When I write a blog post, I need to log in to the Ghost blogging platform. Without my SSL/TLS certificate and HTTPS communication, my username and password would be sent in plain text. Besides that, my plans may require asking for readers' email addresses.

SEO benefits

Last year there was a fuzz about HTTPS being one of the factors that affect ranking in search results. Reading Google's announcement, we can see that this is not a big factor at the moment:

For now, it's only a very lightweight signal, affecting fewer than 1% of global queries, and carrying less weight than signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

When HTTPS adoption becomes more popular, it would be very logical to penalize the sites that neglect security.

One interesting SEO-related detail is that referrer data will not be discarded as often:

The HTTPS protocol is designed such that if you go from an HTTPS page to an HTTP page, you lose all referral data. That’s necessary because you’re going from an encrypted to an unencrypted connection; if you passed data along, you’d be breaking the security. If you go from HTTP to HTTPS or from HTTP to HTTPS, this is not the case and the referral is kept intact.

For example, Hacker News, a great source of traffic for me, uses HTTPS. That means that Hacker News would be shown as direct instead of preserving the referral data.

The switch. should you do it?

Switching to HTTPS went very smoothly, thanks to the services I use and their informative instructions. I bought a certificate from DNSimple (provided by Comodo), who had clear steps for installing the certificate on Heroku:

Instructions how to install certificate to Heroku

Then I had to force the Ghost admin section to always use HTTPS by adding a config option:

forceAdminSSL: {
  redirect: false
}

In the Express web app, I added the following middleware to force HTTP requests to be forwarded to HTTPS:

var forceSsl = function (req, res, next) {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    return res.redirect(['https://', req.get('Host'), req.url].join(''));
  }
  return next();
};

x-forwarded-proto header is set by Heroku.

That was all! I have a Standard Validation Certificate, so people who visit the site will see the green lock in the address bar. There is also the more expensive Extended Validation Certificate, which can be identified by the larger green area.

PayPal address bar with green lock and background color

Larger sites may have more problems because they may have absolute links, sub-domains, important social share counters, etc. Moz.com has a comprehensive checklist.

I hope this post gave you some inspiration to make the switch! Let me know if you do!

Discussion on Hacker News

Resources

Encrypt the Web - Electronic Frontier Foundation
SSL Server Test After you have installed an SSL certificate, you can run the test; then you'll receive a comprehensive report.
Let's Encrypt - Free SSL/TLS Certificates