Google Chrome & SSL Security
Chrome’s New “Not Secure” Warning on Login Pages
About a year ago, we told you about we told you about Google’s addition to their Web Master Guidelines, recommending that all websites move to the SSL (https) protocol for the sake of security and privacy of internet users. One of the questions back then was whether this would affect search engine rankings negatively or positively, and for the most part, we’ve seen a slight improvement for websites that have migrated to SSL.
It is not only our own experience, but others who also have analyzed search engine rankings and sites using SSL, have noted that Google gives a positive nod in search rankings to those sites that are using SSL.
Perhaps this is more understandable when one realizes that part of the search engine rankings is about trust – and SSL provides some guarantee of authenticity; you are visiting a website that really is who they say they are.
Privacy & Encryption With SSL
Another benefit of SSL is that all information transmitted between a browser and a website is encrypted traffic. Unless there is a known security flaw discovered, no one, including governments can snoop on Internet users to find out what kind of messages they may be sending on contact forms, when SSL is being used. Another advantage is that when you use SSL to login to your own WordPress admin areas, or other sections of a website that require a username and password, this data is all being sent while encrypted. This makes it more difficult for “bad guys” to intercept usernames and passwords that you may be using to sign into websites.
Chrome’s New SSL Warnings
Recently, Windows versions of Chrome has been released – Version 56 – which now warns internet users when they visit a webpage that asks for a username and password and is not running through SSL. The url address bar now contains a “Not secure” warning message and this is all part of Google’s plan to move sites away from using plain hold http toward implementing https.
This, of course, does not mean that entering a username and password will not work; Google just wants you to be aware that there is a security risk if you do. It is debatable whether the risk is great or small but it’s all part of Google’s hope and plan for a more secure internet that protects privacy and offers a greater level of security.
What Should You Do About SSL Now?
In the early days of the Internet, obtaining an SSL certificate could be an expensive as well as a time-consuming affair. Today, there are many more options available including various levels of SSL certificates ranging from relatively inexpensive domain authentication to more expensive certificates where full business identity and checking is carried out. The latter certificates take longer to issue, however, the domain authentication certificates often can be issued within minutes of applying and paying for, by an SSL Certificate issuer.
There are some things that need to be done before an SSL certificate is issued:
- You will need to know if your host supports website hosting on https. For some hosting companies, this can be a large added expense. It is likely that you will have to pay extra for your hosting costs when running https. One of the reasons for this is because generally speaking, your website requires a unique IP address in order to implement https.
- You will need to have a certificate private key and a certificate signing request (CSR). The private key should be kept securely and is installed on the webserver along with the SSL certificate that is issued by the issuer. Many issuers also send a long what is called a Certificate Authority Bundle that also must be installed on the webserver.
SSL certificates are issued for a minimum of one year and multiple years may be ordered. However, we don’t see any advantage to that other than giving you a break for whatever length of time you’ve chosen to not have to go through the process again. There may actually be disadvantages to obtaining certificates that expire beyond a year – considering new technologies that might come out in the meantime.
Do I Need An SSL Certificate For My Website?
At this point in time, you may not “need” an SSL certificate (although you will need one if you want to implement https). However, our recommendation is that all websites start planning on moving towards an implementation of SSL. There are some other considerations as well, which you should consider, however:
- If you have a contact form on your website, it’s probably a very good idea to implement SSL site wide including the contact form. At some point, browsers will be going further than warnings only on pages asking for a username and password; but also on any pages not running through SSL that requires any user input.
- If you have any type 0f e-commerce, you should already be using SSL on that part of your website that takes financial payment information. Previously, when servers were slower and encryption took up more resources, most recommended that only that part of the website that asked for financial information be encrypted via SSL. Today, we’re suggesting that if you have SSL, you may as well also implement it site-wide.
- If search engine rankings are important to you, then you really ought to consider SSL. While the ranking benefit may not be huge, it could mean the difference between you and a competitor, with their site ranked higher for some keywords.
“I Don’t Have Time To Figure This All Out!”
If you’re concerned about your website and want it optimized for security, we can help you. We’ve been working with https and SSL certificates since 1999. We can help advise you on which certificate is the best for you (in most cases, the least expensive one will do), and can do everything for you from obtaining the CSR, helping with the website authentication, procuring the certificate and having it installed.
There will be some other things will need to happen in order for your website to fully implement SSL and to ensure there are no error messages generated in web browsers (this can occur when content such as images have been hard-coded or linked with http url’s, for example). Some platforms are easier and more straightforward, while others may take a bit of time. Give us a call (519) 940-3504 or visit our contact page and let us know you want some help.