SSL changes – introduction
In October 2017, with the launch of Chrome 62, Google’s browser raised the importance of protecting website content with SSL encryption (HTTPS). The general idea is to make ‘non-secure’ websites more noticeable to web page visitors. Initially, the new directive will only affect web pages dealing with sensitive information, such as payment processing involving cards, forms, and log-ins. In the future, all pages of a website may need to be secured with SSL.
This affects all websites built before and after October 2017, including yours, however large or small.
What is SSL?
SSL stands for Secure Sockets Layer and, put very simply, is an extra level of security to prevent sensitive information being intercepted by hackers. This extra security is known as encryption.
If you look in the address bar of your browser, you may have noticed that some websites start with ‘http://’ while others start with ‘https://’. The difference is the extra ‘s’ in the website’s address. Up until recently, secure sites (with the extra ‘s’) were confined to sites where sensitive information such as credit card numbers was requested. Most reputable ecommerce sites have an ‘https://’ at the start of the URL. The ‘s’ is a signal to the site’s visitor that any data shared is protected and that all data passed between the web server and browser remains private.
So what’s changed?
Google want to encourage better security on the web.
In October of 2017, Google released a new version of Chrome (version 62), which now indicates that a page is not secure if it contains any sort of form or payment processing gateway, but does not have an SSL certificate enabled. A large error message pops up in Chrome and asks the user if they want to proceed. Of course, this is very off-putting and most people won’t want to proceed! In fact nothing has changed on your site. It may have operated perfectly well for years and will continue to do so. Try explaining that to your visitors when they see a large, red security warning! Other browsers do not show this warning, but it is highly likely they will follow suit in the not too distant future.
Theoretically, if your site does not contain any payment processing system or any type of contact form processed on your site, an SSL certificate is not really necessary as there is nothing to be intercepted. The exception is the WordPress login screen which requests your username and password. If you try to do this in Chrome, the worrying security message will appear. In theory, someone could intercept your username and password if you don’t have SSL installed. However, if your website’s content is well backed up, your site should be restorable in the unlikely event that someone decides to steal your username and password, log in and delete all your pages for some reason.
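To find out which of your own pages fall under the rule described above, you can scan each page for forms and password fields. The following is an added example, not code from Chrome or from this site: it is a simple audit that follows this article's description of the warning, and the example.test pages are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormAudit(HTMLParser):
    """Collects forms and password fields from one HTML document."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []    # resolved submit URL of each <form>
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def audit_page(page_url, html):
    """Return a list of findings for one page (empty list = nothing to flag)."""
    parser = FormAudit(page_url)
    parser.feed(html)
    findings = []
    if urlparse(page_url).scheme == "http":
        if parser.password_fields:
            findings.append("password field on http page")
        if parser.form_actions:
            findings.append("form on http page")
    else:
        # An https page can still leak data if its form submits over http.
        for action in parser.form_actions:
            if urlparse(action).scheme == "http":
                findings.append("https page submits to " + action)
    return findings

# Constructed sample pages (example.test is a placeholder domain).
SAMPLES = {
    "http://example.test/wp-login.php":
        '<form method="post"><input name="log"><input type="password" name="pwd"></form>',
    "http://example.test/about": "<h1>About us</h1><p>No forms here.</p>",
    "https://example.test/contact":
        '<form action="http://example.test/send.php"><textarea name="msg"></textarea></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, "->", audit_page(url, html) or "nothing to flag")
```

The third sample shows a case the warning alone will not reveal: a page served over https whose form still sends its data to an http address.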
In the long term, it is likely that all websites will need an SSL certificate as security becomes more and more important. Also, if you are remotely worried that your site does contain sensitive information, then you will need an SSL certificate – see below for options.
From an SEO perspective, Google has said that a site with SSL enabled will always be given priority over one that does not have SSL enabled for a particular search. Therefore there is an obvious SEO benefit to enabling SSL on your website, and across all your content.
What solutions are available?
1) Do nothing – SSL is not compulsory yet (but it will be eventually)
If your site does not:
– have a form processed on site
– accept and process any payments on site
…you may not need an SSL certificate just yet, assuming that your site’s content is well backed up (as with all things related to the internet, this advice may change if Google change their rules again).
You also need to accept that if you have a self-editable website, whenever you try to log in to your WordPress website using Chrome, you will get a security error message (which you can ignore). It should have no effect on your visitors’ browsing experience.
In addition, you need to accept that not having an SSL certificate on your site can negatively affect your SEO performance on Google (although the effect will be minimal if you are not a business with close competitors).
Finally you must accept that some browsers (especially Chrome) will display a disconcerting ‘Site Insecure’ message when they view your site, which is bound to put off some visitors.
Remember that nothing about your site has changed. The current fuss about SSL is because Google are tightening up security on the web, which is a good thing.
However, if you are nervous about security, then you should opt for one of the SSL solutions below.
2) Opt for one of the generic SSL certificates available.
We use either Cloudflare Universal SSL or Let’s Encrypt. There is no charge for using the certificate and it renews automatically. The main problem with these Universal SSL certificates is that they are not domain specific so that your website is not named on the actual certificate. This means that some browsers will throw up random security messages if they come across websites with universal SSL certificates. Free certificates are ideal if you need encryption without a guarantee of ownership (which helps keep costs down).
All our new sites will have a generic SSL certificate installed as standard. For a small charge, we may be able to install generic SSL certificates on older sites.
3) Opt for a professional level SSL certificate
These certificates will display your domain name in the certificate contents and are issued solely to you. The certificate also comes with a warranty of $1,000 offered to the end user should something go wrong.
The cost of a professional level SSL certificate is £60 per year and this is a recurring yearly charge.
Prices quoted are for May 2018 and are guides only. They are subject to change if the hosts alter their pricing.
Bright Sea Media Ltd, Web Designers, Steyning, West Sussex