In January 2017 Google is planning to change how Chrome displays whether a user’s connection to a website is encrypted or not – that is to say, if the site uses HTTPS and uses it properly.
It’s part of a major push by Google and other browser vendors to help make the web a more secure place for everyone. Mozilla (the folks behind Firefox) and Apple (the folks who create amazingly stylish adapters and cables) are also working towards more encryption; and US Government sites are required to use HTTPS by default by the end of this year. Google has already been giving sites using HTTPS a slight SEO boost as a way to encourage adoption, but their changes next year take things up a notch.
To be honest, it’s a pretty big notch.
Currently a site with a secure connection will display ‘HTTPS’ and the green padlock in the address bar. Non-secure connections show ‘HTTP’ and have a circle with an ‘i’ in it (which is meant to invite you to click on it for more information), and a broken connection (when a site is trying to use HTTPS, but isn’t doing so properly) has a grey padlock with a red ‘x’ through it.
In January, this will change to a green padlock and the word ‘Secure’ for HTTPS connections, and the words ‘Not secure’ for a non-HTTPS site or a site with faulty HTTPS. For Google Chrome this process will begin with sites that gather credit card information and passwords, and over time it will be extended to include all websites.
The ultimate goal for Google is to allow people to see which websites are securing their information and which are not, so the public can become more aware and avoid leaving themselves open to cybercrime attacks (such as MITM aka ‘Man in the middle’ attacks).
What does this mean for my site?
Previously, if your site didn’t involve credit card payments or submitting of sensitive information via forms, then it was considered fine to not have an SSL certificate installed.
However, owners of those sorts of sites now face a choice – to continue without an SSL certificate, and risk users being put off by seeing the big red NOT SECURE warning, or to purchase and install one. This is something which will cost money - SSL certificates aren’t free, and in addition to the purchase cost there is usually a small amount of developer work required in order to make a site HTTPS-ready and to install the certificate.
What’s involved in moving a site to HTTPS?
A quick warning – this section is a little bit technical, but we think that some people out there might be curious about the process. If that’s not you, then you can click here to skip to the next section!
Still here? Right, let’s continue.
First, your web developer (that’s us!) ensures that resources such as images, styles and scripts are all served over HTTPS. If a single non-HTTPS resource is present in any page, that page will be marked as ‘not secure’ by the browser. There are really good security reasons why the browser does this, but they’re outside the scope of this blog post. The amount of development work required here will depend on the complexity of the site, but typically this will be a couple of hours of work and testing.
Next, an SSL certificate needs to be purchased and installed for the site on the server. Purchasing a security certificate is a multi-step process. It needs to be purchased online (and there are a number of different types of SSL certificate to choose from – take a look at https://www.ssls.com/ to get an idea of the array of options available). The certificate vendor requires that we demonstrate we’re authorised to buy a certificate for this site (i.e. we have control of the domain - because owning a valid SSL certificate for someone else’s site allows you to do a bunch of rather nasty things which are, again, outside the scope of this blog post!).
This validation can be done in a number of different ways. We can add a DNS entry to your domain (usually this would take the format of some random characters which they supply, so 281b33f2341465.mydomain.com); we can upload a validation file to the website (again, random characters in the filename); or we can receive an email to the domain. The vendor then checks whichever method you choose, and uses that to ensure you’re authorised to request this SSL certificate, i.e. that you “control the domain”. In addition, there’s a cryptographic process required in order to initiate the final step of the purchasing process, and this needs to be done from the server hosting the website. Once that’s completed, there is an approval period for the certificate to be issued, which can vary - it can be hours or days depending on the type of certificate requested, and then the certificate can be installed on your website.
Unfortunately, we’re still not done yet! To finish off we need to add some redirection so that the HTTPS version of your website is seen as the one and only version. As Christopher Lambert said in the movie ‘The Highlander’, THERE CAN BE ONLY ONE. This redirection sends any visitors to the HTTP version over to the HTTPS version automatically, and for search engines it also issues a code that tells the search engine to update its index and treat the HTTPS version of the page as the “right” copy. If this isn’t done, then customers and search engines will treat the HTTP and HTTPS pages as duplicate content and penalise you.
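As an added illustration of the first step above (not code from the original post or from Ignition Development), here is a small scanner that does what the browser does when it decides whether to show ‘Secure’: it walks a page’s HTML and reports every subresource that would be fetched over plain http://. The page markup and the example.test hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that cause a fetch for each tag. An explicit http:// URL in any
# of these turns an HTTPS page into "mixed content" and loses the padlock.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}
# <link> only fetches something for these rel values; rel="canonical" does not.
SUBRESOURCE_RELS = {"stylesheet", "icon", "preload", "prefetch", "manifest"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, attribute, absolute URL) triples

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & SUBRESOURCE_RELS:
            return
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates.
            if name == "srcset":
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for cand in candidates:
                # Relative and protocol-relative (//host/...) URLs inherit the
                # page's https scheme, so only an explicit http:// is flagged.
                absolute = urljoin(self.page_url, cand)
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return the http:// subresources an HTTPS page at page_url would load."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure
```

Feeding it a page such as `<link rel="stylesheet" href="http://cdn.example.test/site.css">` alongside a relative `<img src="/images/logo.png">` reports only the stylesheet; the relative image, a protocol-relative `//cdn.example.test/app.js` script and an `<a href="http://...">` link are all fine.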
As mentioned previously, there are different types of certificate (for example, the more expensive ones also display your company name in the address bar), and just like a domain name you have different options for time periods when you purchase (i.e. 1 year, 3 years, and so on). As you’d expect, you also have a renewal process, which is slightly less complicated than the initial setup but still requires some effort (tip - buy a 3 or 5 year certificate if you can afford it).
The fact this process touches a number of different things has some implications. It means that purchasing and installing a certificate is something usually done with the customer (company owner) working together with Ignition Development, that the process usually takes place over a couple of days, and that it does cost a bit of money.
Wow, that sounds complex
Yeah, it’s a little involved, and there’s going to be a lot of customers and sites where the cost is hard to justify.
There has been some concern that smaller companies will suffer because of having to pay for encryption of their sites, or that individuals who don’t necessarily gather information (such as bloggers or small community newsletter sites) will now be perceived as ‘bad’ because they don’t have a security certificate, and this concern is valid. Free certificates available from Let’s Encrypt (which launched in April 2016) are designed to help make it easy for all sites to be encrypted, so that secure connections are the default and unsecured ones are the exception. However, these certificates need to be manually renewed every 3 months, which means they’re not a viable choice for most commercially hosted websites.
While some people might think that this sounds like a bit of a dick move from Google, their intentions are good. Hopefully, the result will be a more secure web for all: users will have more certainty that secure sites are authentic, fake sites which look like the real thing will be more obvious, and people won’t fall into the trap of giving sensitive information to nefarious types.
In reality, things are a lot more complex. The use of HTTPS is only a single factor which can help improve overall security on the web, and is by no means a magic bullet that guarantees total security – that’s simply not possible. However, what HTTPS does offer is a really good bang-for-buck improvement which will give some simple protection against a large number of attacks.
Ok, I want a green padlock! What next?
Would you like to talk more about getting a shiny green SSL certificate for your site? Get in touch with us now. We’re happy to answer any questions you might have about these upcoming changes, and help you choose the best option for your business.
If you’re not interested in adding SSL to your site and would like to talk through the potential implications of this decision then please feel free to also drop us a line. We’ll be happy to talk through the pros and cons in the context of your site and help you make the decision that’s right for you and your business.