Browsers now alert users if your site is not secure
Back Posted on 01 Mar 2017
Chrome and Firefox are the first browsers to actively push for all websites to be served over secure https connections.
If your site collects payment or login details and doesn't have an SSL certificate the browser now flags your website as Not Secure.
For the sake of customer confidence, Google rank and the wider security of the internet you should get an SSL certificate asap.
It is well known that Google strongly advocate and push for a better web - faster, more organised and now more secure.
In September 2016 they announced that websites served over http connections would be flagged by Chrome as not secure.
http has always been insecure - malicious users can watch and even modify traffic before it reaches you.
Now Google and others including Mozilla, makers of Firefox, are rolling out updates that will begin to make http a thing of the past.
Updates to Chrome will be phased.
- Initially only pages that collect sensitive information such as password or credit card details will be flagged as insecure
- Later anyone using Incognito (Chrome's private browsing mode) will see any page served over http flagged as inseure. This is because Incognito users have a greater expectation of privacy
- Eventually all pages that do not use a secure https connection will be flagged with the same red triangle that alerts users to websites with broken secure certificates
Screenshot from Chrome showing address bar alert that web page with user login form is not secure when served over an http connection.
Screenshot showing more detail about why website is not secure in Chrome.
Why is this is important?
Chart of browser market share in February 2017.
So right now over half of your users could be told your website is not secure which won't exactly inspire confidence in your brand or ability.
Does this affect me?
At the current stage of implementation only websites with login or payment forms are flagged by Chrome as not secure.
This means online stores and websites with password protected member areas must act now.
What do I need to do?
Installing an ssl certificate on your web server means connections can be made over the secure https protocol.
There are two types of certificate:
- Trusted means a number of checks have been carried out by the certificate authority to ensure you are who you say you are. Browsers will show users the padlock symbol to indicate the connection is secure
- Self signed means traffic is encrypted but you can't trust the operator is who they say they are. Browsers will alert users that the certificate is not trusted
How to get an SSL certificate
You can get an SSL certificate from your:
- website host
- domain provider
- web developer
- dedicated certificate provider
- various third parties
Is anything else required?
Depending on your choice of provider you may require a dedicated IP address before you can install an SSL certificate.
This costs around £5/mth and is sometimes paid annually in advance. Moving to a dedicated IP requires additional configuration to your domain name and hosting settings.
How to install your SSL Certificate
Your website and potentially domain name will need some updates made to their configuration before they can use https. For most small business websites this can be done in a few hours.
Things to be aware of
- There is a cost for most certificates, the more checks performed to verify your identity the greater the cost
- Paid certificates have a recurring annual fee
- Certificates are valid for a specific time after which they need to be updated on your server. Usually your host or web developer will do this for you or sometimes this process can be automated
- Some certificates are free but have restrictions that make them unsuitable depending on your requirements eg. a dedicated IP address is required or in the case of SNI based certificates, some browsers and third party services may be unable to connect to your website
When do I need to do it?
- If your website collects sensitive information such as credit card details or has any password protected areas these pages are already flagged as not secure and you need to act immediately
- Google have not yet announced when Incognito mode will flag http sites as not secure, updates will be posted on the article Moving towards a more secure web
Ultimately every website must transition to https. And if security wasn't a good enough reason remember it builds trust with users and Google use https as a ranking signal.