The world awoke after the global surveillance disclosures by Edward Snowden. These disclosures revealed programs that, not only captured and stored all digital traffic, it also showed that the National Security Agency (NSA) was infiltrating links to Yahoo and Google data centers worldwide. As such there has been an explosion in the use of encryption with both individuals and providers like Google, Yahoo, Facebook and others.
We’ve known that Google’s wildly popular Chrome browser was beginning to rank secure HTTPS sites higher for some time—as have marketers and others performing search engine optimization on their, and their client’s, websites—but Google is now accelerating their Chrome browser security seriously and sites not using SSL come January will display a warning.
Wired magazine lays out the issue in their article, “Google’s Chrome Hackers Are About to Upend Your Idea of Web Security“:
Starting in January, Chrome will flip the web’s security model: Instead of warning users only about HTTPS-encrypted sites with faulty or misconfigured encryption, as Chrome currently does, it will instead flag as “not secure” any unencrypted sites that accept a username and password or a credit card. That unmistakable alert will appear to the left of Chrome’s address bar.
Soon after, the team also plans to announce another category of sites that will be flagged for not using HTTPS by a deadline later in 2017. Among the candidates they’re considering: any unencrypted page visited through Chrome’s Incognito mode and any non-HTTPS site that offers downloads. Check your daily tour of web forums, download sites, and registration-enabled media outlets for the telltale lack of a green padlock, and you’ll see many are set for an unpleasant wakeup call when they fail those tests. And over the coming years, Chrome plans to hold more and more types of sites to that HTTPS standard.
For most startups and small-to-midsize businesses, the move to HTTPS shouldn’t prove too difficult. While you can buy and install a certificate from multiple providers or your webhosting company itself, most webhosts are now offering the Let’s Encrypt SSL certificates. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).
Many webhosts (e.g., Dreamhost; SiteGround; Media Temple; Squarespace) are offering easy, one-click, Let’s Encrypt SSL certificate installation and most also provide automatic renewals. But simply adding a secure certificate is not all you have to do to get your website ready, unfortunately.
Securing a website and its content is usually not trivial, especially since a single external resource may have an embedded, insecure HTTP link to it (e.g., in scripts). 100% of all links need to be dealt with so the site will display to Google Chrome that the site, and everything on that specific page the visitor is viewing, is secure.
HTTPS SET UP TAKES SOME EFFORT
At my Innov8Press firm we have secured all of our own sites, client sites, and I’ve done my personal ones as well. All run on WordPress and, after setting up a Let’s Encrypt SSL certificate, we add Really Simple SSL to force all links to be https or to be slightly modified to work but not show as insecure. If you’re not starting from scratch or have a very simple website, seek professional help.
Then there are sites like this one, Minnov8. With all of our podcast links—and RSS feed connections to both the iTunes and Google Play stores as well as podcatcher apps that already have our non-HTTPS RSS feed links that are often cached—we are proceeding with caution. We know, however, that Minnov8 has to be completely secure by end of this calendar year.
The other issue is that older browsers only recognize SSL certificates as secure if they have a dedicated, unique IP address for the domain. While many shared webhosting companies do offer dedicated IP addresses for some amount per month (usually $14 or more), many do not offer them at all. So if you have an audience that you know still uses any of these you may want to tread carefully as well: Windows XP versions of Internet Explorer; the default browser in Android 2.4 “Gingerbread” and earlier; and various mobile browsers like SymbianOS, Blackberry and old versions of Opera Mobile.
Start the process of securing your websites now so you’re ready for the inevitable come January 2017: visitors asking you why your website is insecure; a percentage of them being alarmed and just leaving, abandoning your website for good; or thinking less of your firm or brand since you didn’t strategically anticipate what should have been obvious.