Securing your web site via HTTPS is about more than security, it is about building trust. When you implement HTTPS you not only add a layer of security, your customers see that dedication and feel more comfortable about doing business with your brand. It starts with an intentional effort to be secure:
"The encryption within HTTPS is intended to provide benefits like confidentiality, integrity and identity. Your information remains confidential from prying eyes because only your browser and the server can decrypt the traffic. Integrity protects the data from being modified without your knowledge.....
Encryption defeats sniffing attacks by concealing the traffic’s meaning from all except those who know the secret to decrypting it. The traffic remains visible to the sniffer, but it appears as streams of random bytes rather than HTML, links, cookies and passwords" - Mashable
Most consumers and non-technologist get the purpose of HTTPS. They don't care about the technical implementation, they care about the trust. When you implement HTTPS you are eliminating a layer of stress your customer might have. Even if they don't engage you with a concern over security, the sub-conscience enacts, making the customer feel more confidence in the relationship with your brand. They see a tangible effort on your part to ensure your relationship with them is safe.
Browsers Go Out Of their Way to Indicate HTTPS to the Customer
Have you noticed those padlocks in the browser address bar? Chances are you have, but don't really think about it until you feel something is a little phishy. Browsers have gradually been stepping up the user experience for the average consumer in recent years. Soon Chrome will start making it very apparent when a page contains either a password or credit card field. If those fields are present and not served via HTTPS they will display a big red visual warning the customer the page is not secure. This will of course lead to fewer and fewer scams succeeding, but will also cut into legitimate business conversions because they have neglected the application of HTTPS.
Google & Other Search Engines
Search engines are in the business of providing the best answers to customer questions. They do this by evaluating a battery of 'search signals' and creating a score for each URL. This score is used by the search engine to rank answers or search results to their customers. They know if they provide the best page to a customer's search needs they will not turn to a competitive search engine for answers. This translates to higher ad revenue for the search engine.
When a consumer choses a search listing, but quickly returns to the search results the search engine uses this data to recalibrate rankings. One factor that causes consumers to leave a site is security or perceived lack of security. That little padlock in the address bar tends to comfort the average person, even if it is subtle.
That was a long way to tell you to implement HTTPS on your site. Google and other search engines have publicly stated they consider HTTPS site more authoritative than non-secure sites with the same information. The reason is two fold. First the average web surfer will trust an HTTPS site more than a non-HTTPS site. It might just be a simple blog, or it could be a giant bank, the perception of security goes a long way.
So even if your site does not handle 'sensitive' information you should still implement HTTPS to boost your visitor's confidence in your brand and your search engine rankings.
The second reason search engines are pushing businesses and organizations to implement HTTPS is to verify ownership. You cannot install a legitimate TLS certificate without some sort of ownership verification. Generally a certificate issuer will send an e-mail to trigger a verification process based on the domain's whois record. When you register your domain you must supply real contact information, including an active e-mail address.
Bad guys tend to register domains with fake or false contact information so they cannot be traced. By requiring HTTPS search engines are signaling there is a modicum of trust in the site's ownership.
HTTPS Can Be Significantly Faster Than HTTP
Modern APIs Require HTTPS
We are currently in a technology phase where new high value APIs and features are being added quickly. These include service workers and HTTP/2, both require HTTPS. You may not also be aware that cellular carriers have also required SSL for sockets. While these APIs 'could work' without HTTPS, the security wraps these features in confidence. Think about it for a moment, the deeper a platform lets you integrate the more they will require of your application. For example, Windows desktop applications and libraries have a way t digitally sign them. Many enterprises will not allow unsigned applications to be installed. Not only does HTTPS provide some sort of chain of ownership they provide a known layer of security. Requiring HTTPS ensures a minimal amount of security and thus enough confidence by a platform you are not going to do evil things.
New capabilities requiring HTTPS is a way to force web sites to implement a new level of security and confidence. Ultimately this will make the web a better place.
Not Cost Prohibitive
Since the beginning of SSL certificates have come with a cost. Typically this was an annual cost. 15 years ago certificate typically cost between $100-500 a year. You can think about it like an annual business license. In fact to complete a certificate request you often needed a proof of business or organization. The issuing process was also time prohibitive. It often took 3-14 days to get a certificate. The issuing authority had a staff that evaluated every certificate request and accompanying paperwork. A very archaic process for a digital platform.
While enterprises do not blink at a $100 a year fee for their web site, the average small business does. There are thousands of small businesses for every enterprise. Beyond traditional small businesses there are millions of 'businesses', blogs, forums and other entities that make little to no revenue from their site. They can barely justify their hosting overhead. HTTPS is just not viable at those rates.
Another cost you might not think about is IP addresses. In the beginning SSL required a dedicate IP address. Despite millions of possible IP addresses, there are not enough, not even close. The limited supply of IP addresses also raises the price of HTTPS. This could add another $100 or more a year to the cost of hosting a site. Today, this has changed. Now a certificate maps to a domain. This eliminates this tax.
Today HTTPS requirements and costs have all relaxed. There are many low cost certificate providers. In fact you can obtain a certificate for free from Amazon or [Let's Encrypt](https://letsencrypt.org).
All businesses should implement HTTPS and abandon HTTP only protocol. HTTPS is no longer a performance bottleneck, nor cost prohibitive. You can add this layer of security to your web properties in a matter of minutes, often for free. Search engines and modern HTML5 APIs require HTTPS, giving you a distinct advantage over your competition that is too lazy to implement HTTPS.
Finally, customers want security. It build brand trust, which increases your business relationship. This leads to more engagement and sales. A simple investment to implement HTTPS will yield countless returns.