From Jan 31st 2017 Google Chrome web browser will be warning all your visitors that your site is insecure if you do not have a HTTPS security certificate protecting your website.
On January 31st 2017 Chrome will roll out an update and Chrome version 56 will come with something that will cause a big problem for your business if your website is not secured with an SSL/TLS security certificate.
Time to take security seriously, it is no longer optional for your website…
Read on about how this big change will affect your business.
What is HTTPS Everywhere? (and why does it even matter?)
HTTPS Everywhere is a collaboration between The Tor Project and the Electronic Frontier Foundation to help create a safer web for all. Google signed up to support the aims of https://www.eff.org/https-everywhere and they have been steadily pushing website owners towards HTTPS security.
What is HTTPS?
HTTPS is that little padlock you see when you go to your bank or favourite shopping website. If you look at the top of your browser, you should see it on our website.
HTTP or “Hyper-Text Transfer Protocol” is the way that content is shared over the internet, that wonderful invention of Tim Berners-Lee that gives us the ability to see cat videos. Well HTTP is relatively insecure as it was never designed with banking, shopping and sharing of very sensitive personally identifiable data. So along came HTTPS or “Hyper-Text Transfer Protocol Secure” You may see HTTPS referred to as TLS, sometimes SSL or combined as TLS/SSL just to make sure people know what you are talking about.
- “TLS” = Transport Layer Security
- “SSL” = Secure Sockets Layer
Put simply HTTPS is a way that servers can communicate with your browser in an encrypted way. Whatever it is referred to as HTTPS is the process where the user’s browsing session is encrypted end to end. This gives the visitor peace of mind that the website being visited is the actual website they intended to visit, it gives the user privacy protection and ensures the integrity of the exchanged data between server and the users computer.
Here’s what happens, in simple terms…
HTTPS (TLS/SSL) uses a secure “certificate” issued by a regulated third party, which authenticates your websites to the users browser and shows your users that the browser session is with the website you want and the data is encrypted end to end.
What is encryption and how does it work?
Imagine you wanted to send a box with something very valuable in it to a friend, the contents are precious but the method of transporting it is not secure, however as long as no one can look inside the box everything will be OK.
The problem is, how do you send a locked box full of valuables with the key? You can’t give the key to the courier, they will open the box. You can’t send another courier because they could work with the first courier and open the box. You can send the box, wait for your friend to tell you they received it and then send the key, but what if the message from the friend is not actually from your friend? There are too many “holes” in your security trying to get the box and the key to your friend.
So, the solution was figured out by Alan Turing, it is devilishly simple. You need two locks on the box and this is how it works.
You send the locked box to your friend.
On receipt your friend puts their lock on the box.
The courier returns with the double locked box.
You unlock and send the box back to your friend.
Your friend unlocks the box and retrieves your gift.
At no time has the box been unlocked in transit, and your gift has always been safe. It does take more trips BUT it means two people who never meet can exchange information without ever having to know what the other person’s security is. It is a more complex variation of this type of encryption that is used for HTTPS and web encryption.
If you want to know more view the article here; http://www.makeuseof.com/tag/encryption-care/
What are the benefits?
If the data flowing from your machine gets interrupted and someone positions themselves between you/your browser and the target of your browsing session and the data is not encrypted then they can see everything you are “talking” about. With HTTPS no one can monitor the traffic with, what is known as a “man in the middle” spyware or hack into any session and seize sensitive information.
HTTPS (TLS/SSL) has always been the de-facto standard with eCommerce but now with the rise of identity theft and more and more hackers seeking to gain access and control Google is raising the bar on website security and more or less forcing website owners to upgrade their security.
Google and many others simply wants all browser sessions to be encrypted to increase the overall level of security on the web and ensure that your safety and security is protected online, so when they send you from their search results you are arriving at the actual website you want to go to, not some “spoofed”, hacked or hijacked version of the site.
Cuts down on identity theft and reduces wasted time and money dealing with the problems that relatively minor number of people cause but the effects of it can be felt by individuals for years afterwards. The cost is also passed on to business and thus it makes it safer and overall lowers the cost of doing business online.
So What’s Changed Now?
Chrome, like other browsers has always notified users of HTTPS sessions, visit any HTTPS protected website and as we have already stated you will see a green icon in the left hand side of your browser address bar with a green padlock. There are various levels of certificate protection for different applications, however even the simplest HTTPS SSL/TLS certificate will give you the green padlock protection.
In the latest version of Chrome that notification will be turned upside down so that sites without any form of SSL/TLS will be “outed” to the visitor. Currently the browser shows a simple “secure” notification with a green padlock and sometimes the signing authority details.
HTTPS – This is what Chrome Displays pre-Jan 31st 2017
HTTP – This is what Chrome Displays pre-Jan 31st 2017
Instead as of 31st Jan 2017 with the new Chrome version update, the Chrome browser will warn visitors that any non-HTTPS site is “not secure“, this will start with a simple notification but these warnings will escalate over an unspecified time period until when arriving at your website they will simply see an exclamation mark inside a red triangle with the letters HTTP next to the web addresses of your non-HTTPS site.
This is what Chrome Displays after Jan 31st 2017
HTTPS-encrypted site (top)
Non-HTTPS site (middle)
Faulty HTTPS or plain HTTP (bottom).
This is the first part of a staged roll-out that encourages websites to get rid of plain old HTTP and here is how stage one will work.
As of 31st January, anyone using Chrome version 56 (remember, Chrome usually auto updates) will see the word “Not Secure” on any page that collects passwords, has a login form or asks for credit card details. This is how it will look:
Notification that Chrome Will Show
Furthermore: Chrome will warn visitors that all HTTP pages in incognito mode are “Not secure” the developers believe that users of incognito mode have an increased expectation of privacy and will prefer this alert.
Eventually, ALL non-HTTPS web pages will be labelled as “not secure” it is therefore worthwhile starting the process of moving to HTTPS.
Google commissioned research to find the most alarming icon to fit the message and they found that the warning icon was most effective at alerting and alarming end users. Google really does want this to cause concern in end users.
I have a WordPress website, will it affect me?The short answer is yes, you will start to experience “not secure” warnings if you have a membership area, a shop where a user may create an account or ask for user details to access specific areas or request payment via a form. This includes logging into the admin area for site admins, editors, authors or other “back end” authorised users.
Expect this to be the “thin end of the wedge” and the changes to eventually include ALL your pages on your site. Google is just signalling its intent and giving sensible and security conscious site owners a heads up to start getting security savvy.
What do I need to do?
Get a security certificate! NOW!
If you fix it now, you don’t have to worry about future changes. SSL/TLS Certificates are available from your web hosts, however not all web hosts know how to install them correctly and just because they are installed on your server you will still need to update your website, change all your web URLs to reflect the new “HTTPS” URL and ensure all media, code functions and forms call the “HTTPS” URL.
If you haven’t done it before, don’t try to learn now!
There are quite a few very technical settings changes that need to be made and we’d always suggest you get someone to do it who has experience of HTTPS certificate install. If you get it wrong your site could become inactive, or worse, parts of it are secure and other parts are not, causing all sorts of problems in the future.
If you do want to see how it is done and are prepared to wade through it all then Google has a handy guide to enabling HTTPS: https://developers.google.com/web/fundamentals/security/encrypt-in-transit/enable-https
Third Party Content
One BIG issue you may face is publishing third party content on your website via iFrames, such as adverts or videos. If the source is not HTTPS enabled and is being transported to your site via HTTP (with no security from SSL/TLS) then you will fail any HTTPS test from the browser. So it is very important that you review any ads served to your site or content coming from third party providers and make sure these are also using HTTPS.
What else Should I know?
Your search ranking can be affected positively when using HTTPS as Google uses HTTPS as a “positive search quality indicator” meaning that it gives you a small boost in search positions,
If you have a large site with a lot of traffic you might want to migrate the site in chunks or sections to monitor the effect on traffic and conversion, however smaller sites we would suggest just making the move in one go. check here for more info about this ranking factor.
Ensure your site is managed through “Search Console” formerly known as Google Webmaster Tools, this will alert you to any issues quickly and allow you or your web devs to pinpoint problems early. Your web devs should have access to the Search Console in their account so you may need to make them admins. Here is a Search Console Help article on how to Transfer, move, or migrate your site with Google Search Console follow their guides to help maintain your website search rank.
It is worth noting that Bing also publishes guidelines to help you stay the right side of their search algorithm and rule, Bing Webmaster Guidelines are here
For all dates to do with Chrome check the dedicated website for Chromium Development Calendar and Release Info so you can keep up to date with the changes.
Can Mister Metric Help? Short answer: Yes.
We can help to install a Certificate, and update your website and we can help with better hosting and more robust security end to end for your visitors.
We have also seen the rise of attacks on websites over the past couple of months and we take this seriously so we have upgraded all our security and migrated to much more robust hosting.
Our secure hosting starts from £216 +vat per year
See our hosting packages here https://www.mistermetric.com/hosting/
if you wish to register then please call us on 01420 398080