Why switching to HTTPS should be on the top of your list in 2018

Understand what the move to HTTPS is and how it will impact your customers
Mar 12, 2018 3 min read
To increase privacy and security while browsing the internet, major browser vendors, like Google Chrome and Mozilla Firefox, started a movement to encrypt all web traffic with HTTPS. These measures mean that you will also want to switch your SuperSaaS schedule to HTTPS if you haven’t already done so. This blog post explains the basics of HTTP and HTTPS, what the browser vendors plan to do, and what steps you can take to change how your users access your schedule.

What is the difference between HTTP and HTTPS?

When you type a website address, your browser establishes a connection with the web server and asks it to send information about the requested web page. This communication between the browser and the server takes place via a protocol which is either HTTP (hypertext transfer protocol) or HTTPS (hypertext transfer protocol secure).

The HTTP protocol transfers information as plain text, which could be read by someone eavesdropping on the connection. Even worse, someone with access to the connection could modify the page to steal credentials and perform various other mischief, without the user realizing that they are being hacked. The HTTPS protocol, in contrast, transfers the information as encrypted data, making it very hard to read the information or tamper with it.

How does the move to HTTPS impact you and your users?

Chrome and Firefox recently started displaying warnings to their users if they enter a password on an HTTP page. The browser vendors have expressed the intention to display increasingly strict warnings over the coming months on more and more pages.

The first stage of alerts started with browsers marking the HTTP sites as non-secure by displaying a red “x” over a padlock in the URL bar.

Figure: How Google Chrome displays warnings for HTTP sites

Figure: How Mozilla Firefox displays warnings for HTTP and HTTPS websites

The next stage of warnings appeared when a user tried to enter their personal details or password in either of these unsecured HTTP pages (see figure below):

Figure: Warning for unsecured connection with HTTP on Google Chrome

In the following stages, the warnings will increase until the majority of sites have moved to the HTTPS protocol.

If you’ve used an HTTP link on your site that points to your SuperSaaS schedule, then your users will start to see these non-secure site warnings when they visit your schedule. These warnings may frighten your users and have a negative impact on your business. To avoid this, change the links to HTTPS as explained in the next section.

In essence, it’s as simple as changing the word ‘http’ to ‘https’ in the link that points to your SuperSaaS schedule, but you would want to take an additional step to ensure that links in email confirmations get updated as well. If your users access SuperSaaS through your own domain name then the process is a bit more complicated.

If you use the calendar on supersaas.com

STEP 1: Update the links. Everywhere you’ve shared the link to your schedule, for example your site, your Facebook page, or in emails, you can just add an “s” after HTTP in your schedule link, and the link should work properly. For example, if your schedule link is now:

http://www.supersaas.com/schedule/demo/Therapist

then it will simply become:

https://www.supersaas.com/schedule/demo/Therapist

STEP 2: Update your account to use SSL in the emails it sends out. Go to the Access Control page and select the option “Force SSL/TLS (HTTPS) connection encryption”. This will also ensure that any user who lands on an old HTTP link will be automatically redirected to the HTTPS version.

Figure: Force SSL/TLS connection
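To help find the links mentioned in Step 1, the following added example (not SuperSaaS code) scans a page's HTML for links that still point to the schedule over plain HTTP and proposes the HTTPS form. The sample HTML is constructed, and the function names and the `supersaas.com` host match are assumptions based on the example link above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCHEDULE_HOST = "supersaas.com"        # assumption: host taken from the example link
URL_ATTRS = {"href", "src", "action"}  # attributes that can carry a schedule URL

# Constructed sample page, not taken from a real site.
SAMPLE = """<html><body>
<a href="http://www.supersaas.com/schedule/demo/Therapist">Book now</a>
<a href="https://www.supersaas.com/schedule/demo/Therapist">Already secure</a>
<iframe src="HTTP://supersaas.com/schedule/demo/Therapist?view=week"></iframe>
<a href="http://supersaas.com.example.net/schedule/demo/Therapist">Lookalike host</a>
<a href="http://example.org/about">Other site</a>
</body></html>"""


def is_schedule_host(host):
    """True for supersaas.com and its subdomains, not for hosts that merely contain it."""
    host = (host or "").lower().rstrip(".")
    return host == SCHEDULE_HOST or host.endswith("." + SCHEDULE_HOST)


class LinkAuditor(HTMLParser):
    """Collects (line, attribute, old_url, https_url) for plain-HTTP schedule links."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
                host = parts.hostname
            except ValueError:
                continue  # malformed URL: not something we can safely rewrite
            if parts.scheme == "http" and is_schedule_host(host):
                fixed = parts._replace(scheme="https").geturl()
                self.findings.append((self.getpos()[0], name, value, fixed))


def audit_html(html):
    """Return every plain-HTTP schedule link found in the given HTML text."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for line, attr, old, new in audit_html(SAMPLE):
        print(f"line {line}: {attr}={old!r} -> {new}")
```

Links that are already HTTPS, links to other sites, and hosts that only contain the schedule host's name are left alone, so the report lists only the links that need the added “s”.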

If you use the calendar with your own domain

If you are using the schedule with a custom domain name such as schedule.yourbusiness.com, it will need to be reconfigured to work through a proxy to allow an HTTPS connection. This custom domain tutorial has been updated to explain how to set that up.

Should you run into any issues following the linked tutorial, feel free to contact us through our feedback form.