Starting in July 2018, Google will name and shame websites, via its Chrome browser, that do not have an SSL (Secure Sockets Layer) certificate installed.
Gone are the days when you only NEEDED to have an SSL certificate installed if you were running an eCommerce site, or collecting any other sort of sensitive client information. Now you NEED to have it because Google said so! If you don’t, visitors to your website will be greeted with a very scary warning about being on an “unsecure” website. I’m sure you can imagine how quickly they’ll move away from your website.
What is SSL and How Do You Know if You Have it on Your Website?
Very briefly (and in non-technical terms): SSL secures the connections between a website and its visitors with encryption. It changes the URL from HTTP to HTTPS and helps protect you from intruders injecting their own ads into your site or tricking users into installing malware. You will know that your website, or any website you’re viewing, is secure when you see the padlock.
The “Not Secure” example is the more subtle warning. This warning started appearing in Chrome (v62) in October of last year. You have to click on that “i” to see the warning. The more scary version uses a pop-up window with everything shy of red flashing lights.
SSL adds a level of security, but it’s not designed to prevent your site from getting hacked. There’s no such thing as a “100% hack proof” website. I recently cleaned up a hacked site that had the SSL installed.
In fairness to Google, it’s not just Chrome. Mozilla Firefox, Apple Safari and Microsoft Explorer will also be doing the same, though I have no date as to when that will happen. I suspect it will be at or about the same time as Chrome, or very shortly thereafter. Google’s been making announcements about this upcoming change since January. If you have a WordPress site, you have already noticed a security warning on the login screen. Each browser will have its own variation of security warnings; some are being more in-your-face with the warnings than others.
On the upside, this is being rolled out in phases, starting with putting up warnings only when you go to enter a password, or enter credit card information, or hit a Send button. This gives everyone time to get the certificates on their sites. Depending on the size of your website, the entire process can take as little as an hour from start to finish (“finish” being when all links, on all pages, and all images have been checked and corrected if needed), or as long as… insert unknown time frame… here.
This is all part of a bigger plan by the browsers to force everyone to install an SSL certificate and use HTTPS. Eventually, the browsers plan to mark ANY webpage served via HTTP (not just the pages that have a form or require a password) as “Not Secure.”
What You Need to Do About SSL Right Now
Your SSL Options: Free or Paid
The most common question I’m getting from my clients is, “Should I get the Free SSL, or purchase a more secure certificate?”
The majority of web hosting companies are offering a free version of SSL, using either Let’s Encrypt or Encryption Everywhere, and will install it on your server for you if you ask them to. If you have a small site with no eCommerce, and you are not collecting credit card information or other sensitive information, then the free one provided by your web hosting company will suffice, UNTIL (if and when) Google decides they will no longer accept SSLs from Let’s Encrypt or Encryption Everywhere. Maybe they will always accept these free versions. It was only recently that they decided they would no longer recognize certificates from long-established companies such as GeoTrust (which was recently bought out by DigiCert). Long, boring story.
I Have the Certificate Installed. Now What?
Once the certificate’s installed, whether by your web hosting company or by you, the next step is to check every link on your entire website. This includes any images you’re linking to and any web pages you’re linking to, whether within your own site or on another website, as well as any scripts that you’re using. If there are any links on a page that are not using the HTTPS protocol, your site will still have the padlock; however, there will also be a “blocked content” warning.
TIP: If after checking over your entire site you’re STILL getting the blocked content warning and cannot figure out what’s on the page that’s causing that to happen, chances are you’re using a Google fonts script. I had that “Ah ha!” moment last week after switching a site over to HTTPS.
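One way to automate the page-by-page check described above, as an added example that is not part of the original post: a small Python scanner that lists the resources a page loads over plain HTTP (the ones browsers flag as mixed content, including a Google Fonts stylesheet) separately from ordinary hyperlinks. The sample page, the example.com URLs and the function name `find_insecure_refs` are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch something as part of the page.
# <a href> is handled separately: it is navigation, not a resource load.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "source": "src",
    "audio": "src", "video": "src", "embed": "src", "link": "href",
}

class InsecureRefFinder(HTMLParser):
    """Collects http:// references found in one HTML page."""
    def __init__(self):
        super().__init__()
        self.loads = []   # (tag, url) pairs fetched over plain HTTP
        self.links = []   # http:// hyperlinks to review and update

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = "href" if tag == "a" else SUBRESOURCE_ATTRS.get(tag)
        url = (attrs.get(attr) or "").strip() if attr else ""
        if not url.lower().startswith("http://"):
            return  # https://, relative and protocol-relative URLs are fine
        if tag == "a":
            self.links.append(url)
        elif tag != "link" or "stylesheet" in (attrs.get("rel") or "").lower():
            self.loads.append((tag, url))

def find_insecure_refs(html):
    """Return (loads, links) for one page's HTML source."""
    finder = InsecureRefFinder()
    finder.feed(html)
    return finder.loads, finder.links

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="https://www.example.com/style.css">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="http://www.example.com/images/logo.png">
<img src="/images/banner.png">
<a href="http://www.example.org/partner">Partner</a>
</body></html>"""

if __name__ == "__main__":
    loads, links = find_insecure_refs(SAMPLE)
    for tag, url in loads:
        print(f"fix <{tag}>: {url}")
    for url in links:
        print(f"review link: {url}")
```

Run it against the saved HTML of each page; it does not look inside CSS files or scripts, so `url(http://...)` references in stylesheets still need a separate check.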
You may also want to set up server redirects via your .htaccess to automatically redirect users to your secure connection. How you set up redirects depends on the server you’re on (IIS, Apache).
If all of this sounds like a major headache to you and you would rather I take care of this for you, contact me. I’ve been doing this task free of charge, but only for websites on a maintenance plan. Otherwise, this project is billed at the non-subscription hourly rate, billed by the minute, as opposed to being billed by the quarter-hour.