Help! My Site is Insecure
Blog Post
If you have recently received a message from Google informing you that Chrome will soon start displaying a ‘NOT SECURE’ warning on your website, you will want to keep reading this post. If you haven’t yet received such a message, it is likely that you soon will, so we advise that you also keep reading.
There is no need to panic as there is a very simple solution to avoid the “insecure” label and there is no need to enlist the help of a therapist to deal with your website’s self-esteem issues either.
Why is Google Chrome requiring SSL certificates?
Well, in case you haven’t heard, the Internet is a terrifying place. With hackers trying to steal your personal information, ads that follow you from site to site like digital stalkers, and websites that look real but are actually just carefully crafted imitators ready to take over your computer and hold it for ransom, surfing the web these days is a harrowing experience. I know it, you know it and now Google knows it.
In an effort to combat the bad guys, Google has announced that their next iteration of Google Chrome (out in October 2017) will require all traffic to be secured behind an SSL certificate (more on this in a moment). Sites that do not have an SSL certificate installed will show a “NOT SECURE” warning when users enter text in a form on a page.
Many companies have joined forces in a campaign to ensure the web going forward is a safer place for us common folk. And a big step towards that goal is the requirement of an SSL certificate for your website.
What is SSL?
Let’s take a quick step back and explain some of these terms. The web was built on a protocol called HTTP (Hypertext Transfer Protocol) that allows web servers and clients (you) to talk to each other. Every link you click, every image you see, or video you watch is transferring back and forth from a web server to you. HTTP is not secure. It transfers information in clear text and hackers, disgruntled governments, or curious coffee shop employees can intercept these conversations and decipher the information that is passed between the sites. This is commonly referred to as “not good”.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) adds a layer of security by encrypting the conversation so eavesdroppers can’t understand what’s being said. This is commonly referred to as “much better”. This added layer of security is called SSL (secure socket layer) and in order to apply this to your website, you must get your domain verified by an SSL certificate provider. Long story short: to secure the traffic between your website and your clients, you should be using an SSL certificate.
Do I really need an SSL certificate?
Yes and here’s why: Google says you do. Google Chrome is the market leading browser and their search is the most influential traffic generator on the planet. When they say you need to do something, you need to do something. While clients will still be able to visit your site regardless of having an SSL certificate installed, having a warning that states your site is insecure will certainly make them think twice before visiting.
Not only that, Google has flat out said that they use SSL as one of their algorithm factors for page ranking, meaning that by not following suit you may be penalized in their search engine results. Using SSL is classified as a lightweight boost to search engine optimization (SEO) at the moment but clearly this is becoming more and more important.
Ok, what do I do now?
Now that you know you need an SSL certificate, what should you do? Well, if you’re a current Cubicle Fugitive client, we’ll be reaching out to discuss options. It’s a pretty painless process requiring a couple of quick conversations between your web host and an SSL certificate provider. Depending on the level of validation chosen, the SSL certificate provider may require some proof of ownership (e.g. business license, articles of incorporation, etc.). The whole process can take anywhere from a few hours to a few days.
If you’re not a current client and are just looking for assistance in this area, feel free to contact us and we’ll be happy to help. Most reputable web hosts provide a way to add an SSL certificate so reach out and we can go from there.
In summary, SSL is good, hackers are bad. Adding an SSL certificate will make your site more secure, more trustworthy and help improve your Google rankings. Protect your website with an SSL certificate and make the Internet a little less scary.
Additional Information
Should I read this next section? Sure, if you’re feeling brave.
There are many options when it comes to SSL certificates and some of it is downright confusing. We’ll make the right recommendation for you but below is just a short summary of the options if you haven’t had your fill of technical jargon.
Types of SSL Certificates
Domain Validation (DV) Certificates
This is the lowest level of authentication and also the cheapest ($100/year). DV certificates can be used for blogs and smaller sites. No validation is done on the business, only validation on the domain. These certificates are usually issued in a few hours. It provides $100,000 USD warranty. We use this type of certificate on our site.
Organization Validation (OV) Certificates
OV certificates are a more secure version of DV certificates but also more costly. These are recommended for businesses that do not provide eCommerce. In order to receive an OV certificate, a business must be verified (e.g. address, company name etc.) and this information is displayed on the certificate. These certificates provide a $250,000 warranty.
Extended Validation (EV) Certificates
This is the highest level of authentication and also the hardest to obtain and the most costly. These are primarily for eCommerce websites or websites sharing sensitive data. They provide validation of both the domain ownership and business authenticity and change the address bar of the site in the browser to green to signal the stringent vetting process. These certificates provide $1,000,000 warranty.
Other terms you may come across are wildcard SSL (used for companies with multiple URLs or websites) and free SSL (used primarily for bloggers and not a valid option in our opinion for professional websites because of the lack of warranty, the inflexibility of renewal terms and lack of support).
One caveat to keep in mind: Unless you are hosting your own site with your own IP address, you need an SSL certificate called SNI (Server Name Identification). SNI certificates are perfectly valid (and preferable these days) but they are not recognized by very old browsers (e.g. Internet Explorer 6) and very old operating systems (Windows XP). We believe this is not an issue as this type of web traffic is below 0.5% of all traffic, and honestly, if you’re still on XP, you have many other security issues to worry about.