Changes are occurring in the way websites are viewed. Website owners who do not secure their website with an SSL/TLS certificate will have to rethink their online strategy. In a push to make the Internet safer for all users, Google will soon be issuing a stronger warning to visitors who navigate to a website that does not have the protection of an SSL/TLS certificate.
With the release of Chrome 53 on Windows, Google changed the trust indications to introduce the circle-i. Subsequently, Google announced that a new warning message will be issued when a website is not using HTTPS.
In January 2017, with the release of Chrome 56, a “Not secure” message will be presented on pages with password and credit card form fields that are not protected with an SSL/TLS certificate.
This should really help answer the question, “Is this site secure?” Or, maybe a better question: “Is this site encrypted?” The answer is, “No, the site is not encrypted, so not secure.”
Google does not plan to stop there. In a to-be-announced release, Chrome will not show the circle-i, but will show the red triangle for all HTTP pages. This is the same indication that is provided for broken HTTPS sites and will further stress the “not secure” message.
Website owners and administrators need to consider Always-On SSL or the HTTPS Everywhere concept. HTTPS provides the following advantages:
- Security for all websites and pages regardless of content
- Mitigation of known attacks such as SSLstrip and Firesheep
- Privacy for browser users
- Support for HSTS, which makes the browser show an error if the site is not secure
- Support for HTTP/2, which provides higher performance and less latency
- Higher search engine ranking (SEO) on Google
- A higher trust indication, with a green lock icon and no “Not secure” message
With proper installation of an SSL/TLS certificate, the “not secure” warning will disappear and be replaced by a green lock icon. Then the answer to the above questions will be “Yes, the site is secure.”
Fortunately, there is a solution:
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
According to their website, “We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.”
Currently, only Google Chrome is doing this. Google Chrome currently accounts for 56% of website traffic. I expect that the other browser companies will adopt this standard as well.
I just checked with one of my hosts, Hostgator, and found out that they will install Let’s Encrypt for a $10 fee per site. I’m choosing to migrate my personal accounts to another host instead. Go Siteground!
As with all things digital, it takes time to install and test all software. If your site has been live for a while, then chances are that it is indexed by search engines. Other people may have linked to it using http in the URL. Once the virtual switch is flipped, you need to make sure that all traffic is redirected to the https URL. If you have Google Analytics installed on your WordPress site, then you need to update its settings and add your new URL with https. The time investment would be approximately 90 minutes if everything goes smoothly.
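The redirect check described above, together with the HSTS header from the list of advantages, as an added example that is not part of the original article. The function names, the sample responses and the `example.com` host are constructed for illustration.

```python
from urllib.parse import urlsplit

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def _bare(host):  # assumption: example.com <-> www.example.com is an intended move
    host = host or ""
    return host[4:] if host.startswith("www.") else host

def check_redirect(http_url, status, headers):
    """Problems with the response a server gave to a plain-http request."""
    headers = _lower(headers)
    if "location" not in headers:
        return ["no redirect: the page is still served over http"]
    src, dst, problems = urlsplit(http_url), urlsplit(headers["location"]), []
    if status not in (301, 308):  # 302/307 are temporary redirects
        problems.append(f"status {status} is not a permanent redirect")
    if dst.scheme != "https":
        problems.append("Location is not an https URL")
    if _bare(dst.hostname) != _bare(src.hostname):
        problems.append(f"redirects to a different host: {dst.hostname}")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query lost: old links land on another page")
    return problems

def check_hsts(headers):
    """Problems with the Strict-Transport-Security header of an https response."""
    value = _lower(headers).get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdecimal() or int(max_age) == 0:
        return ["max-age missing, invalid or 0: no HSTS policy is in force"]
    return []

# Constructed sample responses; example.com is a placeholder host.
SAMPLES = [
    ("http://example.com/blog/post?id=7", 301, {"Location": "https://example.com/blog/post?id=7"}),
    ("http://example.com/blog/post?id=7", 302, {"Location": "https://example.com/"}),
    ("http://example.com/", 200, {}),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(status, url, check_redirect(url, status, headers) or "OK")
```

After the switch, feed it the status and headers that `curl -I` returns for a handful of old http URLs, including deep links and not only the home page.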