If you’ve been following website security industry changes, you may know that the move by browsers to warn visitors of webpages served via HTTP as “Not Secure” has been in the works for a while. And, if you’re like many other organizations and businesses, preparing for this inevitable change has been on your to-do list for a while, lingering there, waiting to get crossed off. Unfortunately, pretending there’s no fire doesn’t mean you won’t eventually get burned.
What's This July Deadline About, Anyways?
While the move towards mandatory HTTPS has been gradual and the end date pushed out a few times, according to the recent announcement by Google you will need to get an SSL Certificate for all your webpages - not just the ones with login requirements or forms - by the time Chrome 68 launches in mid-to-late July. With this latest release, Chrome will universally alert visitors on any HTTP webpage that it is "Not Secure". What began as a nudge from Google and Mozilla that only impacted pages with unencrypted logins or text fields has become a no-exceptions requirement. And since Chrome accounts for over 60% of browser market share, the majority of visitors to your website will see this message unless you get encryption in place. When Chrome 70, slated for October 2018, is released, the "Not Secure" warning on HTTP pages will turn red in colour and be unmistakable to visitors.
While it might feel as though mandatory HTTPS is being pushed forward quickly, in reality, it's been a gradual process. Google first began downranking unencrypted websites back in 2015, followed by Chrome displaying warnings on pages with unencrypted password fields beginning in 2016. Google upped the ante again last October when Chrome started showing a ‘Not secure’ warning whenever visitors entered data into a text-input field of any kind, such as a search bar. And the push towards HTTPS everywhere, also backed by Mozilla's Firefox, is working - in February of this year, Google announced that over 68% of Chrome traffic on Android and Windows was already protected, with that number rising to 78% on Chrome OS and Mac. Given this "incredible progress" in encryption, the Chrome team settled on a July deadline for enabling HTTPS.
HTTP served Internet users well for many years. Unfortunately, given today’s cybercrime-ridden web, it has one crucial flaw: it’s not secure. That means data in transit can be stolen or manipulated. HTTPS is secure and shows visitors https:// in the browser bar, indicating that the server has been authenticated and that the information being transmitted is encrypted.
So, it’s easy to understand why web browsers are now requiring it as a basic standard. Beyond just encrypting information, HTTPS also helps you leverage the faster performance enabled by HTTP/2, confers up to a 5% boost in search engine visibility, provides a more seamless user experience and is necessary to unlock many new browser features, particularly those required in progressive web apps.
How do I get HTTPS?
SSL Certificates enable HTTPS, so the sooner you install one on all your webpages, the better off both you and your visitors are. That said, website security is about more than simply encrypting data. With the rise of phishing websites, verifying the identity of who is receiving your important personal or transactional data has become equally important. This is where the three different levels of identity validation come into play - domain validation (DV), organizational validation (OV) and extended validation (EV). For SSL certificates to be trusted, certification authorities (CAs) need to confirm the identity of the business or organization intending to use them. While the encryption level is the same, the more thorough vetting and verification process associated with OV and especially EV, which features the universally recognized green address bar, can be beneficial in increasing both visitor trust and conversions on transactional websites.
Next Steps - Getting Compliant Ahead of July's Chrome Update
If you don't have SSL installed yet, you still have time to get it done before the release of Chrome 68 slated for July 23rd. Webnames offers approximately 20 different SSL certificate options, with domain validated (DV) certificates starting as low as $20/year for simple brochure or blog websites, through to enterprise solutions fit for securing hundreds of active domains and/or subdomains.
We understand that choosing the right SSL certificate might be confusing for some, so we're here to help you sort through your options, find the most cost-effective way to meet Google's deadline and help you get it installed on your website. Give us a call to get the help you need so your website isn't labeled "Not Secure."