Is your website HTTPS-enabled and serving all pages over a secure connection? The answer to this question is crucial to your online success. That’s because beginning with Google Chrome version 68, which was released this month, users will see a “Not secure” message in the address bar when visiting non-HTTPS websites. The impact will be widespread since, according to W3Schools.com (which tracks 50 million monthly online website visits), 79% of people online use Google Chrome.
A “Not secure” message could scare away potential customers, resulting in reduced engagement and, ultimately, lost sales.
There are many reasons why we should make sure our websites are HTTPS-enabled, not the least of which is that Google rewards HTTPS-encrypted sites with better search rankings (you can read more about it in this post from Google’s Webmaster Central blog). As early as 2014, at its annual developer conference, Google called for “HTTPS everywhere” on the web. We can expect this movement to progress as Google responds to consumer concerns over privacy and rampant identity theft.
Sites without HTTPS are also more vulnerable to hacking attempts. The lack of an SSL certificate increases the chances of a visitor’s ISP injecting ads and malware into your site. While making your site HTTPS-enabled is only a part of the security protocols you need to secure your site, it is a very important component.
Since our last post, we’ve received many additional questions about this issue. We thought we’d share our answers to these Frequently Asked Questions:
Q: What percentage of visitors will be using Chrome 68 and will see the “Not secure” message on non-HTTPS sites?
A: Based on previous Chrome user version upgrade patterns, it’s reasonable to expect that within 30 days of its release, the vast majority of Chrome users will be browsing using version 68. For example, Chrome version 66 was released this April and by the end of May more than two-thirds of Chrome users were using version 66 or above (stats from W3Schools).
Q: What about subsequent versions of Chrome?
A: Every subsequent version of Chrome will also display the “Not secure” warning message for non-HTTPS sites.
Q: Why is regular HTTP not secure?
A: HTTP is susceptible to sniffing and spoofing (yep, that’s what they call it). HTTPS encrypts all the data packets that are sent between your site and the visitor’s browser (and vice versa). If HTTPS packets are intercepted, they can’t be decoded and they can’t be spoofed.
Q: What if I’m not sure if my site is secure? How do I check?
A: One of the best ways is to simply visit your website via a browser and take a look at the address bar. The graphic below shows the padlock symbol that accompanies the URL of an HTTPS-secured site when displayed in a browser.
You should click through and view all of your site’s pages to ensure that none of your pages show the yellow warning symbol over the padlock.
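The click-through check above can be partly automated. The following Python script is an added example, not part of the original post: it scans a page's HTML for resources still referenced over plain `http://`, a common reason an HTTPS page loses its clean padlock. The helper names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a resource or submit data.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"),
    "object": ("data",), "form": ("action",),
}
LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}  # <link> types that load a file

def candidates(name, value):
    """Return the URL(s) held in an attribute; srcset holds a comma-separated list."""
    if name == "srcset":
        return [part.split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]

class InsecureReferenceFinder(HTMLParser):  # hypothetical helper name
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link":
            loads_file = set(attrs.get("rel", "").lower().split()) & LINK_RELS
            names = ("href",) if loads_file else ()
        else:
            names = FETCH_ATTRS.get(tag, ())  # <a href> is navigation, so not listed
        for name in names:
            for url in candidates(name, attrs.get(name, "")):
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_insecure_references(html):
    finder = InsecureReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, as it would be served from an https:// address.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://example.com/site.css">
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<a href="http://example.org/partner">Partner</a>
<img src="http://example.com/logo.png" alt="logo">
<img src="//example.com/banner.png" srcset="https://example.com/a.png 1x, http://example.com/b.png 2x">
<form action="http://example.com/subscribe" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_references(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Each reported URL should be changed to `https://` (or hosted on your own HTTPS site) and the page rechecked in the browser.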
Q: Where do I get an SSL certificate for my site?
A: If you have shared hosting or managed WordPress hosting, your hosting company can help you procure and install an SSL certificate. You may need your developer or webmaster to ensure that all content is forced over HTTPS. If you have dedicated hosting or a virtual private server (VPS) you’ll need your developer or webmaster to install the SSL certificate for you.
Q: If I already have an SSL certificate for my e-commerce site, is my site secure?
A: If you have an e-commerce site, we recommend a full security audit to ensure that your site and your server are both PCI-DSS compliant. Depending on the data you collect, you may also need to be compliant with other standards (such as HIPAA or FERPA).