If your website does not have an SSL certificate, it can be marked as ‘Not Secure’ by Google’s Chrome October update.
The new update is part of Google’s continuing efforts to make using the internet safer by providing users a way to verify that the website they are visiting is authentic and the owner is legitimate.
What does this mean for you as a website owner?
Having your website marked as “not secure” can prevent customers entering your website and potentially damage your brand perception. To overcome this, your website needs to change from HTTP to HTTPS.
In other words, you need to make changes to your website server, or allow your hosting service provider to do it for you. You will also need to ensure all your online business communications reflect the change; this includes the content of your WordPress website.
“You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users’ personal information, HTTPS is a requirement for many new browser features.” Kayce Basques, Technical Writer at Google.
Chrome flagging insecure websites
Since the beginning of the year, Chrome has been flagging HTTP websites as insecure if they have any kind of login or form for customers to complete (i.e. they enter some kind of information). This was the first part of a staged rollout that encourages websites to get rid of plain old HTTP.
The final step in the staged rollout will be that Chrome will label all plain HTTP pages as “Not Secure”. You need to prepare your website for the change.
If you are a website owner, you need to decide how to approach the change. To make an informed decision, here’s some background information.
Understanding the jargon
You don’t have to be an IT expert, but it is helpful to have a handy reference for some of these terms for when your internet service provider or hosting service uses them:
- HTTP – ‘hyper text transfer protocol’ – the standard way that web pages, content and information are transmitted across the Internet.
- HTTPS – ‘hyper text transfer protocol secure’ – the secure version of HTTP which includes the all-important data encryption.
- SSL certificate – standing for ‘secure sockets layer’, this certificate is a small data file that vouches for the identity of your website; originally used for secure online credit card transactions, this is what you buy to get HTTPS status for your site. It’s what locks the padlock that appears next to your site’s address.
“Eventually, Chrome will show a “Not Secure” warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields.” Source: developers.google.com
Does your website have an SSL certificate installed?
The easiest way to find out is to act as a customer (like a mystery shopper) and visit your own website. You’ll see “http://” or “https://” before your website’s URL in the address line at the top of your screen. If you don’t see either one, click on the ‘i’ symbol and it will tell you if your connection is secured.
From October, Chrome will also include either a red-for-danger “Not Secure” or a nice safe, green “Secure” sign with a padlock. The idea is to really draw people’s attention to your site’s status.
As part of your business’s branding, this sends a very clear message. Even if your site doesn’t deal in sensitive information, unless it has HTTPS, that red danger signal will still be there, chipping away at customer confidence. If only for the sake of your carefully created brand, HTTPS is a must.
WordPress websites and SSL
Up until now, many WordPress sites have been HTTP because they don’t require any inputting of information by visitors. If you have a WordPress website, it’s probably based on HTTP. This means the login page to your website – where you input your password to access your web pages and input content – is also HTTP and will be marked as non-secure by Chrome.
By getting an SSL certificate for your website, you will be telling Google’s Chrome that your WordPress site is safe to use.
Why is Chrome so important?
Chrome is the most popular browser with 55% of Internet users globally. The nearest rivals, Safari and Firefox, just about manage 20% between them. Therefore, it is important that your website complies with Google’s Chrome requirements.
Google has given three reasons for moving towards HTTPS and SSL:
- Authentication – it proves the ownership of the site and that it’s not a copy trying to steal visitors’ information.
- Data integrity – it guarantees that the data being sent from the site to a visitor’s device hasn’t been tampered with, and vice versa.
- Encryption – it stops anybody else reading communication between the visitor and your site; especially important for ecommerce.
Clearly, these are benefits to you and your business, especially if you’re communicating via web forms, i.e. contact and sign up forms. Being seen as secure leads to customer confidence in your products or services.
Another benefit to you is that on non-secure websites, it’s sometimes your internet service provider that is tampering with your site, adding adverts that you don’t see but that show up on your visitor’s screen! HTTPS prevents that possibility.
If you’re still not convinced, a few years back Google pointed out that secure sites have a better chance of showing first on their search engine. And finally, HTTPS websites will load more quickly on users’ devices – so, not just more trusted but a bit faster too.
Securing your website with HTTPS
First you need to obtain an SSL Certificate from a Certificate Authority (CA). This certificate does a couple of things:
- It enables your site to encrypt data.
- It provides a stamp of approval from a trusted party (in this case, the CA) that says your site is legitimate and secure.
SSL certificate levels:
All SSL certificates protect and validate your data. But the validation method varies depending on the level of coverage you need. This will depend on the type of business and website you have. Levels are based on validation points performed by Certificate Authorities (CAs). Generally, there are three levels:
Domain Validated (DV)
- These certificates are checked against the domain registry but don’t require any identifying information to prove the owner is who it says it is. They can be obtained fairly quickly (usually a few hours). Of all current paid certificates, this is the lowest cost option.
Organisation Validation (OV)
- This certificate requires more validation points than DV. The certificate authority does due diligence to ensure that a website belongs to the company listed on the certificate they will issue. If you own an ecommerce website, this is the minimum recommended.
Extended Validation (EV)
- These types of certificates require more work from the CA to validate. EV is recommended for any website where transactions are happening, i.e. banks, e-commerce, or any business that wants to ensure it has the highest level of security applied.
Due to the complexities regarding certificates, we recommend obtaining them from a CA as they take steps to ensure your web address actually belongs to you. Some reputable CAs are Comodo and DigiCert.
Once you decide which CA to buy from, you need to know the type of certificate your website will need.
SSL Certificate types
- Single certificate
- Multi domain
- Wildcard to secure dynamic subdomains.
Your options: free and paid SSL certificates
Free SSL certificate
However, free certificates usually only cover a single domain name and require renewal every 30-90 days, depending on the provider. Forgetting to renew your certificate with this necessary frequency could compromise your website.
Customer service and warranties are something to be mindful of when using free services. Also, some websites using free SSL certificates won’t always show the green padlock (showing that the site is safe to visit) and might not work as expected on mobile devices. Here is where money comes into play!
Paid SSL certificate
A paid SSL certificate, as well as providing data encryption, also authenticates several domains and subdomains, if you have them.
Paid certificates are also valid for longer periods, often 1-2 years.
As for validation, with a paid certificate you also have the options of ‘organisation validation’ which means it’s been checked that the certificate purchaser does manage the domain, and ‘extended validation’ which means the legal identity of the purchaser has also been confirmed.
Paid certificates also come with customer service and a warranty.
You get what you pay for. No surprise, the small print is important to knowing exactly what you’re getting.
A word on Free SSLs
One of the consequences of making HTTPS certificates “automated and free” is that both legitimate and fake websites alike can take advantage of the offer and obtain HTTPS certificates for their websites.
See example above. This fake business is pretending to be Apple. To the naked eye, it is! And you as a website visitor have no reason to believe otherwise. But notice the image on the right: that’s what the web browser actually reads to find out the real identity of the business and ensure visitors are safe.
What is concerning about the above sample is that it contains a “Secure” message plus a green padlock, both of which visitors read as security signals. This is called a homograph attack: it uses characters from non-English alphabets that look exactly the same as the letters in common English words.
You have probably received emails pretending to be from PayPal, eBay or the ATO. Attackers are doing a lot of ‘pretending’ work, making websites look like others and crafting fake website names.
At the time of writing this article, free options are making it easier for fake websites to get certificates. We do hope this free technology improves to help us keep website costs down.
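A way to spot the look-alike names described above before trusting a link or a certificate, shown as an added Python example that is not part of the original article. It decodes the `xn--` (Punycode) form of each label and reports which alphabets its letters come from; the two sample hostnames are constructed for illustration from Cyrillic letters that render like “apple”.

```python
import unicodedata

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(text):
    """Scripts used by the letters of a label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def check_hostname(host):
    """List labels that contain letters from any script other than Latin."""
    findings = []
    for raw in host.rstrip(".").split("."):
        used = scripts_in(decode_label(raw))
        if used - {"LATIN"}:
            kind = "mixed-script" if len(used) > 1 else "non-Latin"
            findings.append((raw, kind, sorted(used)))
    return findings

def to_ascii(label):
    """Encode a Unicode label the way it appears in DNS and in certificates."""
    return "xn--" + label.encode("punycode").decode("ascii")

# Constructed samples: Cyrillic letters that look like Latin "apple".
LOOKALIKE = to_ascii("\u0430\u0440\u0440\u04cf\u0435") + ".com"  # all Cyrillic
MIXED = to_ascii("\u0430pple") + ".com"          # Cyrillic "a" + Latin "pple"

if __name__ == "__main__":
    for host in ("apple.com", LOOKALIKE, MIXED):
        print(host, check_hostname(host) or "ok")
```

A non-Latin result is not proof of fraud, since many legitimate sites use their own alphabet; it is a prompt to check the name against the brand you expected to reach.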
Purchasing your SSL Certificate from a reputable Certificate Authority
Most major CAs support the view that certificates for malicious sites should be rejected or revoked. Publicly trusted SSL certificates also offer compatibility with standard web browsers software – so you have less to worry about if your certificate came from a trusted CA. And in the event of a problem, you are covered by their guarantee.
It’s worth mentioning that other big players in the marketplace, like Symantec, have gotten into trouble after Google discovered they had mis-issued thousands of certificates over the years.
Our advice is for you to contact your website hosting company and ask them to help you implement the SSL certificate. They will be able to assist you and provide you with the required technical support in case of a problem.
SSL certificate, WordPress website updates and Google verifications: your choices
Do it yourself
Moving your site from HTTP to HTTPS requires dealing with more tech than most small business owners prefer. However, this is an option for people who don’t want to spend money. Not an ideal situation, but you do have tools available to make this work for you. Be prepared to go deeper on the technical side of your online presence.
You will need to:
- Have access to your Web Hosting, WordPress back end and your Google account.
- Get an SSL certificate.
- Install your SSL certificate on your website’s hosting account.
- Make sure that any website links are changed from http to https so they are not broken.
- Set up redirects from HTTP to HTTPS so that search engines are notified that your site’s addresses have changed.
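For the link-update step in the list above, a small scanner that finds the `http://` references left in a page’s HTML, shown as an added Python example that is not part of the original article. The sample page and the `www.example.com` domain are constructed placeholders; feed it the saved HTML of your own pages instead.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HttpReferenceFinder(HTMLParser):
    """Collect every absolute http:// URL found in src/href attributes."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # https://, relative and protocol-relative URLs pass
            # Resources loaded into the page cause mixed-content blocking or
            # warnings once the page is HTTPS; plain links only cost a redirect.
            loaded = (name == "src" and tag in ("img", "script", "iframe")) \
                or (tag == "link" and "stylesheet" in rel)
            owner = "own-site" if parts.hostname == self.site_host else "third-party"
            self.findings.append((tag, value.strip(),
                                  "loaded" if loaded else "link", owner))

def find_http_references(html, site_host):
    """Return (tag, url, kind, owner) for each http:// reference in html."""
    finder = HttpReferenceFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; www.example.com stands in for your own domain.
SAMPLE = """
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/site/style.css">
<script src="https://cdn.example.net/lib.js"></script>
<img src="http://www.example.com/wp-content/uploads/logo.png">
<a href="http://www.example.com/contact/">Contact</a>
<a href="http://partner.example.org/">Partner</a>
<a href="/about/">About</a>
"""

if __name__ == "__main__":
    for finding in find_http_references(SAMPLE, "www.example.com"):
        print(finding)
```

Fix the `loaded` entries first, because those are the ones that stop the padlock from showing; for `third-party` entries, confirm the other site serves HTTPS before changing the address.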
Get your web hosting provider and website developer to help you.
Your web hosting provider can assist you with the SSL certificate purchase and installation. Your website designer / developer will make the changes on your website to support the SSL change, as well as updating your Google account.
SSL certificate service and WordPress updates exclusive to our Web Hosting clients:
Because of Chrome’s market share (55% of internet users worldwide, 45.12% in Australia; source: gs.statcounter), at Soul Space Design we recommend that our clients make the change from HTTP to HTTPS and invest in a paid SSL certificate as a safer option. This will ensure their online presence follows best practice.
The biggest issue we see with free technology is that we can’t guarantee it. Purchasing the certificate from a CA means we have access to customer support and guarantees if an issue arises.
From October onwards, all websites designed and developed by us will include a paid SSL certificate.
If we are hosting your website, we are offering the following:
- Purchase and install the right certificate on your behalf.
- Update the configuration of your website to HTTPS instead of the old HTTP.
- Manually update links.
- Re-verify ownership of your website in Google Search Console.
- Verify that your HTTPS pages can be crawled and indexed by Google.
- Update the configuration in Google Analytics (if necessary).
- Test and confirm that everything works just fine.
HTTPS is only one of the signals used to evaluate the trustworthiness of a website. However, as you can see in the ‘fake and real’ example previously, technology is not perfect. SSL Certificate Authorities play a critical role in establishing trust on the internet. Each vendor approaches internet security and verification differently.
Having HTTPS for your website is now essential for the security of data and information. Keep up your good image and branding with current and future customers. Make sure you purchase your SSL certificate from a reputable and certified provider or, if you are choosing to go for a free certificate, do your due diligence.