After several years of announcements, Google has pushed the button: Chrome will flag every plain-http website as “not secure”, which in effect decrees that all websites must adopt https. If your site visitors use Chrome, pay attention.
You have, no doubt, used websites that display the green padlock to the left of the address in the browser’s address bar.
The padlock means the website has a TLS certificate installed (still widely called an SSL certificate, after TLS’s predecessor) and the browser has set up an encrypted connection to it. Data exchanged between the website and the visitor cannot be read or altered by a third party even if it is intercepted in transit.
These sites also show the https protocol in the address bar. HTTP stands for Hypertext Transfer Protocol, and the “s” on the end stands for “secure”: HTTP carried over a TLS connection.
Historically it was used mainly to protect credit card details on eCommerce sites, yet in a world where privacy is climbing the social and tech agenda, any type of website collecting any type of data needs to be secure.
Creating a generally improved internet experience is Google’s agenda (so they say) but as usual, there’s more to it than selfless tech philanthropy.
What Does TLS Do For a Website?
Before we discuss what you need to do to secure your website, here are a few quick points on what SSL/TLS does:
- Verifies that you are communicating directly with the server you think you are communicating with (authentication)
- Ensures that only that server can read what you send it and only you can read what it sends back (confidentiality)
- Detects any tampering with the data while it is in transit (integrity)
An SSL or TLS certificate is essentially a signed statement that binds a domain name to a public key; on its own it is just a claim to a particular identity.
Anyone can create one (a so-called self-signed certificate), but it is the digital signature from a certificate authority that the browser already trusts which lets a visitor verify that the identity claim is legitimate. Checking that signature is part of the so-called “handshake” between server and client that sets up the encrypted session; if the check fails, the browser shows a warning instead of the padlock.
Someone else with a greater understanding of security certificate technology than I has published a piece titled “How does HTTPS actually work?”
Chrome Will Show Website Security Warnings
How much the provision of an SSL or TLS certificate will move the needle for website ranking is unclear.
It shouldn’t be viewed as a silver bullet that would catapult your site into pole position in search engine results pages, but rather a minimum requirement for helping your site appear trustworthy.
In September 2016 the Chrome Security Team published a blog post about the impending browser updates in which Chrome would begin displaying warnings to users on non-https sites.
As stated at the Chromium Project website, “The goal of this proposal is to more clearly display to users that HTTP provides no data security.”
I’ve already seen explicit warnings in Chrome alerting me to errors about broken TLS certificates on certain sites. In these cases, the https was present in the address of the site but disputed by Google.
In January 2017, Chrome began gently cautioning users about plain old http websites by way of the information symbol to the left of the URL.
Clicking this symbol reveals the message, “Your connection to this site is not secure”.
Eventually, users will begin seeing a warning symbol for http sites that have not switched over to https.
At the time of writing this article, it’s May 2017. In 2016 Google said these https changes would occur gradually:
Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria.
Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.
In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.
If you’re planning to build a website or improve your existing one in some way, get a certificate added to your site so that it displays the padlock rather than a warning.
You can bet the other browsers will implement a similar policy. As of May 2017, Opera and Firefox are displaying the “soft warnings” so we should probably expect those to eventually become explicit too.
Google Produced a Study
Google’s Chromium project produced a study asking 1,329 people what indicated trust, or a lack of it, in their normal browsing activity.
Most of the respondents had a basic understanding of https (secure) but knew less about http (non-secure).
One of the concerns cited in the study was the number of new users coming online for the first time via mobile, where the browser’s screen decorations are reduced in size and number. This reduction makes it difficult for browsers on a narrow screen to accurately communicate the level of risk.
Is It Worth It?
How much of a problem this website security issue is for small business websites remains to be seen.
How much the provision of a security certificate will improve your business is unclear.
A terrible site with poor content, few or no backlinks and no reputation isn’t going to suddenly rank well because of a security certificate. That said, once the Chrome browser warnings are cranked up, the lack of a certificate might seriously deter someone from using your site.
Try and see https as entry level criteria when building your site. If your site is live and you haven’t already done so, make it a priority to secure your site.
Let’s Encrypt Offers Free TLS
There’s a relatively new certificate authority offering free TLS certificates called Let’s Encrypt, run by the non-profit Internet Security Research Group (ISRG) with backing from sponsors including Mozilla and the Linux Foundation.
This means you can add https relatively easily at no charge.
I’ve already added free Let’s Encrypt certificates to some of my own websites and client websites, which was fairly straightforward since I happen to use Dreamhost, who are partnered with Let’s Encrypt.
Better still, if you’re using Cloudflare (also free) in front of your site, it is compatible with Let’s Encrypt: Cloudflare presents its own certificate to visitors, and with a Let’s Encrypt certificate on your origin server you can set Cloudflare’s SSL mode to “Full (strict)” so that the Cloudflare-to-origin leg is encrypted and verified as well. Avoid the “Flexible” mode, which leaves that leg in plain http even though visitors still see a padlock.
You can go ahead and buy a TLS certificate through your current webhost if you want to but if you use an LE partnered webhost you won’t need to spend anything.
Use a Let’s Encrypt Partner Webhost
Sadly, GoDaddy is not a partner host. SmallBizGeek is currently hosted on GoDaddy, so I’m curious to see whether I really can procure a Let’s Encrypt TLS certificate for a shared Linux host despite being told I definitely cannot, although I’ve read you definitely can.
Using Let’s Encrypt with GoDaddy shared Linux hosting might just be a time-consuming vanity project that only saves a mere £40 a year; the approximate cost of GoDaddy SSL/TLS.
The issue with using Let’s Encrypt outside the remit of the partner hosts is that its certificates are only valid for 90 days, so you have to automate renewal yourself. The usual approach is a cron job that runs the Let’s Encrypt client (such as certbot) once or twice a day; the client does nothing until the certificate has fewer than 30 days left, then fetches a fresh one.
A cron job is technobabble for a scheduled task on the web server: a rule saying when to run a given command, in this case the Let’s Encrypt renewal.
The advantage of using one of the partner hosts is that they reissue your certificate automatically, taking away the worry of visitors suddenly hitting a browser error because the certificate has expired.
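To make the two technical points above concrete, here is an added example (not code from the original post, from Let’s Encrypt, or from certbot) showing, first, why a certificate is only a claim until a trusted authority signs it, and, second, how a scheduled renewal job decides when a 90-day certificate is due. It uses a toy certificate authority with textbook RSA and hard-coded small primes, plus a JSON body instead of real X.509; the domain name, the site’s public key value and the issue date are made-up inputs, and none of this is secure enough for real use.

```python
"""Toy certificate authority: what a TLS certificate claims, what the CA
signature proves, and when a 90-day Let's Encrypt certificate is due for renewal.
Added example; not code from the original post, Let's Encrypt or certbot.
Assumption: textbook RSA with tiny hard-coded primes and a JSON body stand in
for real X.509 certificates. Nothing here is secure for real use."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Toy CA key (assumption: these primes are far too small for real use).
P, Q = 1000000007, 998244353
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # CA private exponent (Python 3.8+)

VALIDITY = timedelta(days=90)         # Let's Encrypt certificates last 90 days
RENEW_BEFORE = timedelta(days=30)     # certbot's default: renew with < 30 days left

# Constructed issue date used by the demo below.
ISSUED = datetime(2017, 5, 1, tzinfo=timezone.utc)


def at(days: int) -> datetime:
    """Clock helper: the moment `days` after the constructed issue date."""
    return ISSUED + timedelta(days=days)


def digest(body: dict) -> int:
    """Hash the certificate body canonically and reduce it into the RSA group."""
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N


def issue(domain: str, site_pubkey: int, not_before: datetime) -> dict:
    """The CA signs the claim 'this public key belongs to this domain' for 90 days.
    Without the signature the body is just a text file anyone could have written."""
    body = {
        "subject": domain,
        "pubkey": site_pubkey,
        "not_before": not_before.isoformat(),
        "not_after": (not_before + VALIDITY).isoformat(),
        "issuer": "Toy CA",
    }
    return {"body": body, "signature": pow(digest(body), D, N)}


def verify(cert: dict, expected_domain: str, now: datetime) -> str:
    """Return 'ok' or the reason a browser would refuse this certificate."""
    body = cert["body"]
    # 1. Signature check with the CA's public key (E, N): proves the body was
    #    issued by a CA we trust and has not been altered since.
    if pow(cert["signature"], E, N) != digest(body):
        return "bad signature"
    # 2. Name check: a valid certificate for some other site is still wrong.
    if body["subject"] != expected_domain:
        return "name mismatch"
    # 3. Validity window: an expired certificate gets the same red warning.
    start = datetime.fromisoformat(body["not_before"])
    end = datetime.fromisoformat(body["not_after"])
    if not start <= now <= end:
        return "expired"
    return "ok"


def days_remaining(cert: dict, now: datetime) -> int:
    return (datetime.fromisoformat(cert["body"]["not_after"]) - now).days


def renewal_due(cert: dict, now: datetime) -> bool:
    """What a daily cron job asks: is there less than RENEW_BEFORE left?"""
    return datetime.fromisoformat(cert["body"]["not_after"]) - now < RENEW_BEFORE


if __name__ == "__main__":
    cert = issue("example.com", 12345, ISSUED)         # 12345: made-up site key
    print(verify(cert, "example.com", at(10)))          # ok
    print(verify(cert, "other.example", at(10)))        # name mismatch
    tampered = {"body": dict(cert["body"], subject="other.example"),
                "signature": cert["signature"]}
    print(verify(tampered, "other.example", at(10)))    # bad signature
    print(verify(cert, "example.com", at(91)))          # expired
    for day in (10, 59, 61):
        print(day, days_remaining(cert, at(day)), renewal_due(cert, at(day)))
```

The three checks in `verify` are the ones behind the Chrome warnings discussed earlier: a certificate from an authority the browser does not trust, a certificate for the wrong name, or an expired one all break the padlock. On a real host the scheduled job would simply run the client’s renew command (for certbot, `certbot renew`) once or twice a day and let it apply the 30-day rule, rather than scheduling anything on a fixed 90-day cycle.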
You could always move your site to a web host supporting Let’s Encrypt if you really want to save the money on the SSL/TLS certificate to get the https set up.
Analysis: Security Matters
Even if you’re running a simple site, go for https. It doesn’t matter that you’re not making electronic financial transactions through the site.
Think about email enquiry contact forms, user login credentials and members’ area data. When a user submits their personal information to your site, they want to know that it’s encrypted.
If you’re in a competitive niche, and your rivals have already added https to their site, arguably, they’ve got an advantage over you, however small, not only from a search engine ranking perspective but a peace-of-mind-for-visitors perspective.
The inevitable gold rush mentality of marketers trying to get any and all SEO advantages is without doubt underway. Don’t fool yourself into thinking this will make a huge ranking difference.
Consider https a minimum requirement in a world where hacking is the norm and security concerns are high on the agenda for consumers.