Web Security

What is Always on SSL (AOSSL) and Why Do All Websites Require It?

It is safe to assume that you have landed on this article because you have already decided to install an SSL certificate on your website but not sure whether you need Always-on SSL (AOSSL). Well, you have arrived on the right page at the right time!

Always on SSL (AOSSL)

When your entire website is on HTTPS, it is called ‘Always-on SSL’ (AOSSL) or ‘SSL everywhere or HTTPS Everywhere.’

Entire website means all the webpages of your website, including sub-domains and Multi-domains. (Always-On SSL, AOSSL, SSL everywhere and HTTPS everywhere are the same things).

Some people are following an unpopular (and illogical) trend. For some reason, they keep some pages on HTTP and some pages on HTTPS for the same website. In simple words, they intentionally choose to encrypt only some webpages with SSL, while keeping others unsecured.

“so why do people not follow Always-on SSL and more importantly, do I need to practice AOSSL?”

If you have same question in your mind, you are not alone! Let’s dig into the topic and find out a sensible answer for the above question.

Popular Misconceptions about Always-on SSL

Some misconceptions and rumors have haunted the entire SSL certificate industry for a long time!

For example, some people think that HTTPS adversely affects page loading speed. However, sufficient research has now been done that proves that a website on HTTPS loads faster than the one on HTTP when they are enabling HTTP2. HTTP2 is a newer, faster protocol and it works only for HTTPS enabled pages.

Another misconception about SSL certificate is that it interferes with browser caching. This would be a problem, because allowing your users’ web browsers to cache (save locally) certain website files such as images and CSS stylesheets helps your website load faster. The good news is that browser caching works just as well on HTTPS as it does on HTTP. So, you can go ahead and switch your site to HTTPS without worrying about browser caching.

There is one more misconception popular among organizations: that they have to buy additional hardware in their IT infrastructure to force AOSSL. However, when Google implemented Always-On SSL, after extensive tests, their researchers concluded that even their high-volume site did not need additional hardware.

What extra technical steps do I need to follow to use Always-on SSL?

AOSSL technical setup is very simple. In most cases, when you install an SSL certificate, your website will load over HTTP and/or HTTPS. You usually need to make one small change to force redirects to HTTPS. For example, manually set up 301 redirects in htaccess or change settings in WordPress. Otherwise visitors can choose whether to visit your site on HTTP or HTTPS. However, these steps are easy and quick to follow.

Key Benefits of following HTTPS everywhere.

  • When some pages of your website are not secured by an SSL certificate, these pages become vulnerable. There are many ways hackers can attack those insecure pages to insert malicious scripts and weaken the overall security of your website.
  • Moreover, it is easy for hackers to track all the user movements from encrypted page to unencrypted page. Tracking user movements is not possible by a third party if all the webpages are encrypted. It’s like putting a strong lock on one door of your home and keeping the other door open. How hard would it be for a thief to track your movements and break into your home? Exactly! So, following HTTPS everywhere means making your entire website security stronger. It is like putting strong locks on all the doors of your home.
  • All the browsers favor HTTPS pages. If your website is showing ‘not secure’ sign for some pages, your hard-earned website traffic might abandon the session thinking that your entire website is insecure. For example, if you have secured your checkout page but not product page, a customer might not even reach the checkout page and abandon your website on the products’ page when s/he sees that ‘not secure’ sign in the address bar. So, to retain customers’ faith, all pages must be on HTTPS and show a padlock sign.
  • When your users bounce between HTTPS and HTTP pages, it gives extra burden to your server. Because every time a new handshake is made between browser and server when someone visits an HTTPS page. For smooth operations, all pages must be on HTTPS.
  • Google gives a higher rank to encrypted websites. When some pages of your website are not on HTTPS, your overall rank gets affected. To boost your SEO efforts, you must follow AOSSL.

How much does it cost to follow AOSSL?

Some people think that they have to pay extra to follow SSL everywhere best practice. In reality, the cost of any SSL certificate by default covers the costs for AOSSL. You do NOT need to pay extra to follow Always-on SSL best practice. All the webpages for a single domain will automatically be enabled on HTTPS:// even if you buy the simplest and cheapest SSL certificate like PositiveSSL for $8.61/year. It’s like paying for an entire pizza and eating only half of it to save money! Excuse me, but you have already paid for the entire thing. So throwing the half pizza in the garbage might save some calories but it is not going to save your money! Now you know why we have used the word ‘illogical’ in the first paragraph!

The cost for securing sub-domains and multi-domains is not that much higher than securing a single domain. A multi-domain SSL certificate starts from $23/year, and a wildcard SSL certificate starts from $85.66/year. Hopefully now you can understand how not following AOSSL even for your subdomains and multi-domains can be a dangerous mistake. Following AOSSL will ultimately reward your website with smooth server operations, higher customer trust, better search engine ranking, and overall robust security assurance.


These are the reasons for following Always-on SSL (AOSSL).

  • AOSSL technical setup is very simple.
  • No additional costs are involved.
  • Gain customer trust and reduce bounce rate.
  • Save your server from getting an extra load.
  • The entire website will be covered under SSL warranty.
  • Overall website security becomes stronger — a holistic security approach.
  • Improve overall website rankings and SEO efforts.

2018 Top 100 Ecommerce Retailers Benchmark Study

Analyzing the marketing and security practices of Top 100 ecommerce websites.

If you’re an ecommerce retailer, you need to know what your competitors are doing. If you don’t know what they’re up to, you won’t be able to create a strategy to beat them and win customers. That’s why we’re excited to release the results of our first annual Top 100 Ecommerce Retailers Benchmark Study.

There’s no better friend to any merchant than a fair competitor.

James Cash Penney

Ecommerce Marketing Tactics

In today’s crowded marketplace, companies are battling for customers’ attention. Without effective marketing, ecommerce companies won’t capture market share. We analyzed a few key marketing tactics being used by the top 100 ecommerce websites – here are our notable findings.

Organic Search Traffic Is King

Social media sites like Facebook may get most of the press coverage and buzz today, but it’s still search engines that drive most traffic and revenue in ecommerce. Analyzing traffic data for the top 100 ecommerce sites revealed that search was the leader by far, with social and referrals coming in as distant competitors:

  • Direct: 40%
  • Referrals: 5%
  • Search: 44%
  • Social: 3.5%
  • Display: 2.5%
Top Traffic Sources

Most Sites Don’t Use Cart Abandonment Emails

Sending cart abandonment emails can be a simple way to increase revenue by reminding customers about a purchase they were going to make. But less than a quarter (22%) of the top 100 ecommerce sites have implemented cart abandonment emails.

Ecommerce Security Practices

With data breaches making the news every week, data protection has become increasingly important to users. We analyzed the retailer websites in our study to identify security practices and technologies the top 100 ecommerce retailers have put in place. Here’s what we found:

93% Have Fully Switched To HTTPS

For many years, a typical ecommerce website was only partially on HTTPS protocol. Sites used HTTPS on checkout pages where users were entering their credit card details while the rest of the website would use HTTP.

More recently, Google and other industry players have been pushing websites to adopt HTTPS across all pages. We found that the top 100 ecommerce retailers are on board with this trend, with 93% forcing HTTPS on all pages on their site. The remaining 7% default to HTTP and only force HTTPS during checkout.


Just Under ½ Display A Security Seal

In addition to the standard padlock that displays in the address bar on HTTPS pages, there are a variety of security seals available for ecommerce websites to display to users. Many allow the user to verify that the site’s security is up to date. We found that 40% of the top 100 ecommerce sites have added a third-party security seal to their website.

These third-party security seals are even more valuable for smaller websites that the user may not trust as much as a well-known brand.

Nearly All Use A High-Assurance SSL Certificate

There are several types of SSL certificates (the technology that enables HTTPS security) available on the market:

  • Basic validation (aka DV). These certificates encrypt web traffic, but don’t validate the organization that runs the website.
  • Business validation (aka OV or EV). These certificates both encrypt web traffic and validate the organization running the website. EV certificates also enable an expanded green address bar.

Our analysis found that 97% of the top ecommerce websites use a high assurance (OV/EV) SSL Certificate. Ecommerce websites choose high assurance SSL certificates to increase customer trust and to provide customers additional assurance when shopping online. Increased customer trust leads to increased revenue, customer satisfaction, and average order value.

SSL Certificate Types

HSTS Is Just Catching On

HTTP Strict Transport Security, or HSTS, is a relatively new mechanism to ensure a website always loads over HTTPS. This means that even if a hacker gains access to the users wireless router, the hacker will find it difficult to intercept and steal payment details. This option is still catching on, with only one-quarter of the websites implementing HSTS so far.

Every Site Has A Security and/or Privacy Page

With security breaches in the news every week, security and privacy are big concerns for the average consumer. Top ecommerce websites recognize this – 100% of the top 100 sites have a security and/or privacy page on their website.

Most Have Implemented Minimum Password Requirements

Low security and shared passwords are a big security issue for brands and consumers. Of the top 100 ecommerce websites, 90% require passwords with a minimum length, and 60% require passwords that meet minimum complexity requirements (for example, with numbers or special characters.)

Ecommerce Password Requirements

Ecommerce Customer Experience Practices

Giving customers a smooth, enjoyable shopping experience is critical—not only for capturing the first sale, but for encouraging customers to come back and purchase again.

Make your product easier to buy than your competition, or you will find your customers buying from them, not you.

Mark Cuban

Most Sites Offer Phone & Chat Support

Fast shipping and good customer support are among the most important things customers expect from an ecommerce retailer. While part of the attraction of ecommerce is the ability to purchase from your computer or tablet at home, customers also expect to be able to interact with support staff when needed.

Of the top 100 ecommerce sites, 99 offer phone support and 53 offer live chat support.

Most Stores Offer Free Shipping

Amazon’s industry-revolutionizing approach still shapes the ecommerce market today, with just over two-thirds (68%) of the top 100 ecommerce sites offering free shipping. The average minimum to qualify for free shipping is $52.

Several websites, such as Dell, Nordstrom, and Zappos, offer free shipping on all orders with no minimum. A few websites go the other direction, requiring a $150 minimum order to qualify for free shipping. The average site sets a $50 minimum order size for free shipping.

Most Sites Allow 1-2 Months For Returns

Company policies on returns vary widely – from no returns at all, to money back guarantees with no questions asks. Most companies offer some ability to return unwanted products. The average return window is 67 days, while the median return window is 45 days. (The average is higher due to a handful of companies that accept returns up to one year from the purchase date.)