Monetization Magic

Colorado Website Development

Google Chrome to Show HTTP Sites as Not Secure

By

Changes are occurring in the way websites are viewed. Website owners who do not secure their website with an SSL/TLS certificate will have to rethink their online strategy.  In a push to make the Internet safer for all users, Google will soon be issuing a stronger warning to visitors who navigate to a website that does not have the protection of an SSL/TLS certificate.

With the release of Chrome 53 on Windows, Google has changed the trust indications to introduce the circle-i. Subsequently, Google has announced a new warning message will be issued when a website is not using HTTPS.

In January 2017, with the release of Chrome 56, a “Not secure” message will be presented on pages with password and credit card form fields that are not protected with an SSL/TLS certificate.

This should really help answer the question, “Is this site secure?” Or, maybe a better question “Is this site encrypted?” The answer is, “No, the site is not encrypted, so not secure.”

Google does not plan to stop there. In a to-be-announced release, Chrome will not show the circle-i, but will show the red triangle for all HTTP pages. This is the same indication that is provided for broken HTTPS sites and will further stress the “not secure” message.

Website owners and administrators need to consider Always-On SSL or the HTTPS Everywhere concept. Now HTTPS will provide the following advantages:

  • Security to all websites and pages regardless of content
  • Mitigate known vulnerabilities such as SSLstrip and Firesheep
  • Provide browser user privacy
  • Support HSTS that will provide a browser error if the site is not secure
  • Support HTTP/2 providing higher performance and less latency
  • Higher search engine optimization (SEO) for Google
  • Higher trust indication with a green lock icon and no “Not secure”

With proper installation of an SSL/TLS certificate, the “not secure” warning will disappear and be replaced by a green lock icon. Then the answer to the above questions will be “Yes, the site is secure.”

Fortunately, there is a solution:

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

According to their website, “We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.”

Currently, this is just Google Chrome doing this. Google Chrome encompasses 56% of website traffic currently. I expect that the other browser companies will also adopt this standard as well.

I just checked with one of my hosts, Hostgator, and found out that they will install Let’s Encrypt for a $10 fee per site. I’m choosing to migrate my personal accounts to another host instead. Go Siteground!

As with all things digital, it takes time to install and test all software. If your site has been live for a while, then chances are that it is indexed by search engines. Other people may have linked to it using http in the URL. Once the virtual switch is flipped, you need to make sure that all traffic is redirected to the https URL. If you have Google Analytics installed on your WordPress site, then you need to update its settings and add your new URL with https. The time investment would be approximately 90 minutes if everything goes smoothly.

Is YOUR WordPress website being hacked?

By

BruteForce+AttackI received this notice from the boys and girls that provide security over my website:  “As of 11am eastern time this morning, we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date.”

Do you have a security program plugged into your website?  Do you know when your website is under attack?  Do you know HOW people are trying to attack your website?

I use a plugin called WordFence for my security on my websites and I love it!  I am immediately notified when anyone logs into my account with administrator privileges (including me).  I also know when someone attempts to log in to my account and uses the wrong password.  I am also able to block specific individuals from logging into my account.  There is no danger in blocking someone because they are there to do harm not to work with me.

Most WordPress developers know this already; however, I’ll mention it again here: do NOT use the default username of “admin” for your WordPress website.  When you do, the potential hacker already has 1/2 of the equation to breaking into your website.  Once they’re in that far, all they have to do is to employ a password guessing tool and before long they’re in your website as the administrator and they can do anything they want to once inside…just like you can.  It is also advisable not to use any derivatives of “admin” as well such as “admin123”.  If you already have your administrator account set up with the user name of admin, go now and create a different administrator account and remove the default administrator account.