Browsers now alert users if your site is not secure
Posted on 01 Mar 2017
Chrome and Firefox are the first browsers to actively push for all websites to be served over secure https connections.
If your site collects payment or login details and doesn't have an SSL certificate, the browser now flags your website as Not Secure.
For the sake of customer confidence, Google rank and the wider security of the internet, you should get an SSL certificate as soon as possible.
It is well known that Google strongly advocate and push for a better web - faster, more organised and now more secure.
In September 2016 they announced that websites served over http connections would be flagged by Chrome as not secure.
http has always been insecure - malicious users can watch and even modify traffic before it reaches you.
Now Google and others including Mozilla, makers of Firefox, are rolling out updates that will begin to make http a thing of the past.
Updates to Chrome will be phased.
- Initially only pages that collect sensitive information such as password or credit card details will be flagged as insecure
- Later anyone using Incognito (Chrome's private browsing mode) will see any page served over http flagged as insecure. This is because Incognito users have a greater expectation of privacy.
- Eventually all pages that do not use a secure https connection will be flagged with the same red triangle that alerts users to websites with broken secure certificates
Screenshot from Chrome showing address bar alert that web page with user login form is not secure when served over an http connection.
Screenshot showing more detail about why website is not secure in Chrome.
Why is this important?
Between them, Chrome and Firefox represent 56.38% of the browser market [1]. And with the W3C and the US Government calling for universal use of encryption, other browsers will soon follow.
Chart of browser market share in February 2017.
So right now over half of your users could be told your website is not secure, which won't exactly inspire confidence in your brand or ability.
Does this affect me?
At the current stage of implementation only websites with login or payment forms are flagged by Chrome as not secure.
This means online stores and websites with password protected member areas must act now.
What do I need to do?
Installing an SSL certificate on your web server means connections can be made over the secure https protocol.
There are two types of certificate:
- Trusted means a number of checks have been carried out by the certificate authority to ensure you are who you say you are. Browsers will show users the padlock symbol to indicate the connection is secure.
- Self-signed means traffic is encrypted but users can't trust that the operator is who they say they are. Browsers will alert users that the certificate is not trusted.
How to get an SSL certificate
You can get an SSL certificate from your:
- website host
- domain provider
- web developer
- dedicated certificate provider
- various third parties
Is anything else required?
Depending on your choice of provider you may require a dedicated IP address before you can install an SSL certificate.
This costs around £5/mth and is sometimes paid annually in advance. Moving to a dedicated IP requires additional configuration to your domain name and hosting settings.
How to install your SSL Certificate
Your website and potentially domain name will need some updates made to their configuration before they can use https. For most small business websites this can be done in a few hours.
Things to be aware of
- There is a cost for most certificates: the more checks performed to verify your identity, the greater the cost
- Paid certificates have a recurring annual fee
- Certificates are valid for a specific time, after which they need to be updated on your server. Usually your host or web developer will do this for you, or sometimes the process can be automated
- Some certificates are free but have restrictions that may make them unsuitable for your requirements, e.g. a dedicated IP address is required, or, in the case of SNI-based certificates, some browsers and third-party services may be unable to connect to your website
When do I need to do it?
- If your website collects sensitive information such as credit card details or has any password protected areas, these pages are already flagged as not secure and you need to act immediately
- Google have not yet announced when Incognito mode will flag http sites as not secure; updates will be posted on the article Moving towards a more secure web
Ultimately every website must transition to https. And if security wasn't a good enough reason, remember that it builds trust with users and Google use https as a ranking signal.
If you need help or have a question about how to secure your website and transition to https you can find me on Google+ and LinkedIn or send a message.
Sources