If you’re serious about your business, you’re probably serious about your website (or you should be). And that means you really need to be thinking about migrating your website to the SSL protocol instead of the “regular” http. Google has been hinting for some time now that in their opinion, SSL is extremely important for both trust and privacy protection.
Let’s discuss both and how SSL increases trust and personal privacy. Then we’ll discuss why it is now time for you to get that SSL certificate for your website.
SSL & Privacy
IN the “old days,” it was mostly only E-commerce sites that purchased an SSL certificate and hosted their websites using the SSL protocol. And even then, due to processing requirements of serving website pages over the SSL protocol, only checkout pages that required credit card information were “protected” with SSL. In those “old days,”(Pre 2000/01) there was pretty much only one browser recognized issuer of SSL certificates – Verisign – and obtaining an SSL certificate was both a complicated and expensive venture. I can recall assisting clients with obtaining SSL certificates and secure hosting in those days – and it was not a simple process as it can be, today.
Protecting with SSL means that communication between a website visitor’s browser and the website is encrypted. When you fill out a form and enter information, and then click the “Submit” button, the information that is being transferred between you and the website in an encrypted format. Any eavesdroppers along the “route” between your browser (it could even be someone trying to eavesdrop on your PC or device) can only view the encrypted text – encrypted in such a way it would be virtually impossible for them to know what information you sent.
Where could an eavesdropper “set up shop” to try to intercept and read your communications between your browser and some website? As mentioned, it could even be someone that has taken control of your computer (although, if they have a keylogger installed, you’re out of luck in trying to hide what you typed), someone who has control of your home router, or any other router along the path between you and the website you are communicating with.
A rogue employee at your ISP who has admin access to the servers and routers could set up “listening” devices and view the information that passes from your computer or device, through their network, as you click that submit button. Most people today don’t seem to think much about their privacy – and often have the attitude, “Well, I don’t care who sees what I am doing,” however this is a very naive attitude to take. It could be your neighbour doing creepy things and you just don’t know that he worked for your ISP.
SSL enabled websites will NOT protect your privacy while sending unencrypted emails, or while using unencrypted chat channels, but it will protect your privacy including usernames and passwords, messages you are sending, and personal details such as credit card information you have entered in a website form, when that page is using the https protocol.
It’s important to remember that this encryption and security is ONLY during the transmission of that information – it does not guarantee, for example, if the information is stored on the website server in an unencrypted format, that it cannot be viewed by an admin or during a security intrusion on that server.
But, the security and encryption of data passing between an internet user and a website is a big step toward individual net privacy. And Google would like to see privacy improved for internet users, around the world.
There are possibly some considerations that you may have not even considered but think about NGO’s and others working or fighting for freedoms in nations that are corrupt or that abuse human rights. Those governments can easily spy on its country’s residents and know what information is being passed to websites. Even our own governments in the western so-called “free world” are not immune from these practices of intercepting communications between internet users and websites.
Personal privacy is a big issue for many, including search engines such as Google.
SSL & Trust
Running a website over the SSL protocol with an SSL certificate that has been issued by a recognized certificate issuer also helps internet users trust that the website they are visiting is the one they mean to be visiting and not one that has been spoofed. IF you visit a website that is using an SSL certificate that has been issued to another domain, your browser will give you a warning and quite possibly stop you from visiting unless you add an “exception.” Browsers will also warn you if you are visiting a website that is using an expired SSL certificate – and there could be many reasons for this, including the simple fact the site owner(s) forgot to renew the SSL certificate before it’s expiry date.
In order to obtain an SSL certificate, both a “Certificate Key” and a “Certificate Signing Request” (CSR) are generated by a server. During the generation process, information that includes the domain name is entered. The “Key” is a private key and should always be protected, but is required to be on the server that is serving webpages via SSL.
The CSR is then submitted to an SSL certificate issuer, and depending upon the trust level of the certificate required, validation of the request is carried out. For less expensive domain validated certificates (which do the same job of assuring an SSL connection with the website domain), this validation can include email or through DNS.
For websites that require a greater level of trust to be communicated, which includes the official corporate, business or organizational name in the URL bar alongside the “padlock” icon, obtaining and renewing an SSL certificate can take much longer and is more epensive.
Google, in it’s search algorythms, also considers “trust” factors when ranking websites. We see this in Local SEO, where it’s vital that business data be as uniform as possible in citations about a business. The more citations that exist for a business where business data (address, exact and correct business name, phone number) is not uniform will lose trust signals with Google than a business that has more citations that show the same data.
In organic search, SSL certificates provide a level of trust that Google recognizes in addition to helping make the internet more private and secure. Google has stated that a SSL enabled website may get a bump in the search engine rankings over those sites that are not. In fact, Google has been pushing very hard for websites to use the SSL protocol for a few years now.
And that brings us to….
Now Is The Time If You Have Not Already Switched To SSL
As noted, Google has been pushing webmasters to migrate their websites to the SSL protocol for several years. In fact, if you have to “login” to a website using a username and password, and the page is still using the http protocol, you may have noticed a security warning when using browsers such as Firefox and Google’s Chrome. The warning to you is that you are entering password information which will be transmitted in plain text and if intercepted, could give your username and password to anyone eavesdropping.
Google Is Ramping These Warnings Up!
If you have a Google Search Console account associated with a website that has a contact form, and you’re not running https, you probably have received a warning message from Google. The search engine is now planning on warning ALL visitors who land on any web page that has a form not protected by SSL, that the page is “NOT SECURE.”
In addition, Google will be showing a “NOT SECURE” warning for ALL HTTP pages when users are using Chrome in incognito mode. That’s right – not just webpages with forms or username and password fields, but all websites pages that are not using the HTTPS protocol.
Google plans to implement these warnings during the month of October, 2017.
What this means is that you could have a visitor to your website, and they want to contact you. You’ve provided a handy form visitors can use to send you messages, perhaps inquiries about your products and services. Having a form is a nice way to reduce email address harvesting by spammers, but now – Google will be warning your potential new customers and clients that it is not secure for them to use that form.
The consequences of this could be lost business as visitors decide to steer clear of a “NOT SECURE” form.
This is why, if you have not already implemented HTTPS, now is the time to do so. It can be tricky to do, depending on many factors including how you’ve structured site links and image url’s – if incorrectly, even if you secure the text content on your website, there could be a warning that some elements of a website are not secure and therefore could possibly originate from an untrusted website.
We Can Help With Your SSL Migration
As noted earlier, we’ve been involved in SSL migrations since the 20th century! Much has changed since those early days – and SSL certificates are easier and much less expensive. But there are still an array of choices available; we can help you decide what level of trust you need. In addition, we can assist with obtaining the certificate, having it installed on your website host, and fix up any https related issues that you encounter.
Whatever you do, it’s going to be vital for you to switch to SSL/HTTPS if you have not already done so – both for the trust relationship between your site and it’s visitors, and the trust relationship your site will have with Google. Not to mention helping to work towards a more secure and private internet for all of it’s users.