SSL is suddenly a hot topic thanks to Google. So here’s some information to help you make an educated decision about your SSL requirements.
Now, anything to do with website security can become quite a complex topic very quickly. So my goal here is to inform you about SSL (giving you some background information) while hopefully not overwhelming you with too much jargon or technical information. If you are short of time, go for the ‘in a nutshell’ for a short read.
So what the heck is actually happening?
Well, the image below shows the warning that will be displayed in late October if you:
- Visit a Non-SSL web page, and
- That page asks you to enter data (has a web form on it), and
- You are using the Chrome web browser
In a Nutshell (the short story):
- SSL stands for ‘secure sockets layer’ and it turns your site from http:// to https:// – and it encrypts the information sent between a personal computer and a website on the internet.
- Prior to 2017, only some websites needed SSL (e-commerce sites or those that collected sensitive information)
- Since 2014, Google has been stating that they’d like to see all websites move to SSL – see this video if you are interested in their reasoning (it gets technical)
- In 2017, Google announced to Web Masters that its Chrome web browser would mark some web pages as ‘Not Secure’ within the browser location bar.
- If a site uses SSL then a green lock and the wording ‘secure’ is displayed in the location bar (see image below for an example)
- To get SSL you need an SSL certificate installed on your website hosting
- There are free and paid SSL certificate options:
  - Free SSL certificates can be obtained from Let’s Encrypt and CloudFlare
  - Paid SSL certificates offer a monetary warranty and can be purchased via the issuer directly or via your web hosting company
- Many web hosting companies support the free Let’s Encrypt certificate offering a ‘one click’ installation option within your hosting control panel
- Some web hosting companies have decided not to support Let’s Encrypt for various reasons
- It won’t be a disaster if your website is not using SSL by the end of October – millions of sites are still not using SSL but they will keep working for their owners. But don’t bury your head in the sand: this is not going away, and you should start taking steps to move to SSL now
- Your web hosting company might have already installed SSL on your hosting account – and you may just need to start using it. Put your domain name into this SSL checker service to see if your host supports SSL for your domain name – https://www.sslshopper.com/ssl-checker.html – if it comes back positive, contact your web designer to have your website URL changed to HTTPS (there will be some work on their part to make sure your site is fully SSL enabled).
The Longer Story…
Since 2014, Google has been recommending that websites adopt the SSL standard. SSL stands for secure sockets layer – and it is the technology that encrypts information sent between a web browser (the software you use to access the web) and the website you are viewing. If this information is not encrypted, it can be intercepted along the way – causing a breach of privacy and security. E-commerce websites have always been set up using SSL for this reason – as they had the most to lose from data breaches.
For most other business websites, SSL has not been necessary. Despite this, many new websites in the last few years have been SSL enabled.
Google has been very proactive in encouraging website owners to move their sites to SSL, but they have taken a graduated approach to this – slowly widening the criteria for pages that will generate the Not Secure warning.
Then in Jan 2017….
As of late January 2017, any website that collected passwords or credit cards and was not using SSL was marked as ‘Not secure’ within the Chrome web browser. The Chrome web browser is the web browser that Google developed and it’s a very popular alternative to Firefox or Safari.
Now in late October 2017
Google announced that in October 2017 it would mark web pages as insecure in two new situations, these being, ‘when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode’. This affects pretty much all SME marketing or brochure websites that have enquiry forms on them.
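For whoever looks after the site, here is one way to sort your own pages by which of the Chrome changes described above applies to them. This is an added example, not code from Google or from the original article; the `example.test` pages are constructed samples, and treating `autocomplete="cc-…"` as a card field is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input types a visitor cannot type data into (assumption of this sketch).
NON_ENTRY_TYPES = {"hidden", "submit", "button", "reset", "image"}

# Constructed sample pages: URL -> HTML. Replace with your own site's pages.
CONTACT_FORM = ('<form><input name="email"><textarea name="message"></textarea>'
                '<input type="submit" value="Send"></form>')
PAGES = {
    "http://example.test/contact": CONTACT_FORM,
    "http://example.test/login": '<form><input name="user"><input type="password" name="pw"></form>',
    "http://example.test/about": "<p>About us</p>",
    "https://example.test/contact": CONTACT_FORM,
}

class FieldCollector(HTMLParser):
    """Collects the data-entry fields found in one HTML page."""
    def __init__(self):
        super().__init__()
        self.sensitive = []  # password or payment-card fields
        self.entry = []      # any other field a visitor can fill in

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = (a.get("type") or "text").lower() if tag == "input" else tag
        if tag not in ("input", "textarea") or kind in NON_ENTRY_TYPES:
            return
        name = a.get("name") or kind
        # Heuristic: autocomplete tokens such as cc-number mark card fields.
        cc = (a.get("autocomplete") or "").lower().startswith("cc-")
        (self.sensitive if kind == "password" or cc else self.entry).append(name)

def classify(url, html):
    """Return (status, fields) for one page, following the article's timeline."""
    if urlparse(url).scheme.lower() == "https":
        return ("ok-https", [])
    fields = FieldCollector()
    fields.feed(html)
    if fields.sensitive:   # marked 'Not secure' since late January 2017
        return ("jan-2017-sensitive", fields.sensitive)
    if fields.entry:       # marked when a visitor enters data (October 2017)
        return ("oct-2017-form", fields.entry)
    return ("oct-2017-incognito", [])  # only marked in Incognito mode

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(url, *classify(url, html))
```

Pages reported as `jan-2017-sensitive` or `oct-2017-form` are the ones to move to HTTPS first.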
Don’t panic – but start investigating now how you will enable SSL onto your site.
While I wouldn’t recommend ignoring the call to HTTPS, the sky certainly won’t fall down if you don’t move to it before Google adds this warning. It is a warning on one browser (Chrome), affecting some of your pages. And while some alert users of your site might lose confidence due to the warning, many visitors will be completely unaware of the issue (until it hits the mainstream media).
Ok, so we’ve established you need SSL, so how do you get an SSL Certificate and what does it cost?
There are free and paid SSL Certificates. An example of a free SSL Certificate is the one offered by Let’s Encrypt. You can also get a free SSL Certificate via CloudFlare (CloudFlare have a paid option too).
The paid SSL certificates vary in cost depending on the amount of financial warranty that comes with the certificate.
So Paid or Free SSL?
You would need to discuss this with your website developer to determine your exact requirements. However, most SME marketing websites would be fine to avail themselves of a free SSL certificate. The Let’s Encrypt service is proving to be very popular and is what many web designers install for their clients. Many web hosting companies support Let’s Encrypt and offer a one-click install of the SSL Certificate to your web hosting account. However, some hosting companies will not offer Let’s Encrypt for their own reasons, so you need to check with your website hosting provider. If you are of the cynical mindset, you might be thinking that many SSL providers stand to make a lot of money out of this situation as do web hosting companies, so a free option is pretty disruptive to their industry.
So, who is Let’s Encrypt?
Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG) and exists to offer “a free, automated, and open certificate authority (CA), run for the public’s benefit”. Its goal is to make SSL ubiquitous and much easier to obtain. There are some very large companies that are sponsors of this initiative – including Mozilla (makers of Firefox), Chrome (Google’s browser), Facebook, Shopify, and many other large hosting companies and tech companies. See https://letsencrypt.org/sponsors/ for the full list of sponsors.
Ok, what do you do next?
For most websites, the no-fuss solution is to get SSL via Let’s Encrypt. Many New Zealand web hosts support Let’s Encrypt, so check with your hosting company or web designer. For specialist WordPress hosting with SSL – see https://wpnet.nz/mwp2.
If your web host does not support Let’s Encrypt they will have a paid SSL option. You could also consider moving your site to a host that does support Let’s Encrypt. Buying, setting up and installing an SSL certificate from a 3rd party provider is not an easy task – it’s a mix of bureaucracy and technical know-how best left to the server experts.
If you do decide to move your web hosting, one very good international hosting company that supports Let’s Encrypt with a one-click install (and is a major sponsor of Let’s Encrypt) is SiteGround – they also offer a free site transfer to their service. SiteGround is the go-to hosting company for many web designers and they offer amazing support. While they are not based in New Zealand, you can choose three different locations for your site depending on your market – either Asia/Pacific hosting, Europe Hosting or US based hosting.
Final Thoughts
Like many things web-related, big changes can be scary and can be an opportunity for some to ‘rort’ the system with fear mongering and scary statements. There’s a lot of money obviously riding on this transition for some businesses, so just be aware that there will be a lot of misinformation out there too. Best of luck with your decision making and the transition to https.