Skip to content
Home » Serving HTTPS Without SSL: Don’t Do It

Serving HTTPS Without SSL: Don’t Do It

Serving your website using HTTPS with an SSL Certificate is the minimum standard for web security these days. Even without an SSL certificate installed on your server, it’s still possible for a user to try to request the HTTPS version of your website. Although the connection won’t be secure, the browser will still try to load the URL.

Before the browser tries to load the URL being requested, it will prompt the user with a warning message stating the connection is not private; meaning the connection is not encrypted with an SSL certificate. We are asking the browser to load a secure URL, however, there isn’t a security certificate to validate the request.

SSL Invalid Screenshot - Google Chrome Browser
SSL Invalid Screenshot – Google Chrome Browser

How Browsers Respond Without SSL

In the screenshot above, we can see the Google Chrome browser displaying a warning page during this type of invalid request; this is for the protection of the end-user. Without the SSL certificate installed on the server, there is no encryption and the connection is not secure.

However, if the user tries to load the HTTP version, the page loads normally and there is no warning; the browser is not trying to validate an SSL certificate. Those were the old days, and now HTTPS is a must.

Google Chrome isn’t the only browser that will display this warning page. In fact, most modern browsers will display some type of warning to the user. Below is a screenshot of the Safari browser displaying a similar message to the user.

SSL Invalid Screenshot - Safari Browser
SSL Invalid Screenshot – Safari Browser

Problem: Poor Security & SEO

The major issue with this setup is the lack of security for the end-user. Any data transmitted between the user’s device and the web server will not be encrypted. Rather it is exposed, and vulnerable to attackers who can potentially steal the user’s information. This could be anything from submitting a basic email contact form to passing credit card information to the server to complete a purchase.

Another problem is the poor user experience when a user stumbles upon the warning pages shown in the images above. Although the user has the option to proceed through the warning page, they will likely leave the website, which can have a negative impact on your SEO efforts. Not to mention lost customers and potential revenue for your business.

Solution: Install A Valid SSL Certificate

To solve this problem, make sure you have a valid SSL certificate installed on your server and HTTPS enabled. In addition, it’s best to Force HTTPS Redirects so any HTTP requests will automatically redirect to their secure counterparts. It’s also a good idea to add both versions of your website to your Google Search Console, as search engines will treat both URL versions as separate pages.

Google recommends using robust security certificates with a 2048 bit key. There are many SSL certificate providers: including Comodo, GeoTrust, DigiCert, GoDaddy, Rapid SSL, Cloudflare, and more. Check with your web developer or web hosting provider; they can usually purchase, issue, and install the SSL certificate on your server.

This is a win-win for security and SEO!

Share with your Team