You might be relatively familiar with web addresses that start with http:// and https://, and you’re probably also aware that the HTTPS variety is the secure one. Basically all this means is that when a visitor sends or receives any information to or from the website (e.g. if they log in or fill out a contact form), if your website has HTTPS their information is transmitted securely. If not, it isn’t.
Emily Schechter of the Google Chrome Security Team recently published a blog post outlining Google’s plans to start marking HTTP connections as ‘non-secure’ in Google Chrome. Currently, HTTPS connections are marked as secure, but HTTP connections are not explicitly marked with anything, which can make users complacent about entering their information.
Chrome is far and away the most popular browser, currently used by around 40% of all UK users, and 55% of desktop and laptop users, and its popularity on desktops and laptops continues to grow. This means that any changes that affect Google Chrome will immediately affect a very large chunk of your website’s users.
Starting January 2017, HTTP sites that transmit passwords or credit card details will show a “non-secure” warning in Google Chrome. If this describes your website, you need to ensure you make the switch to HTTPS as soon as possible. (If you’re not sure how, we can probably help!)
In following releases, all pages loading over HTTP will be labelled as “not secure” when using incognito (or private browsing) mode. Eventually, all HTTP pages will be labelled as non-secure, showing a red warning triangle and the words “not secure”.
There is a risk that users will perceive websites displaying these warnings to be “broken” or “dangerous”, so we’re currently working with all of our clients to make the switch to HTTPS. In fact, all new website projects which we undertake will now include HTTPS for the first year as standard.
All you need is an SSL certificate, and if you’re using our website hosting, we can set one up for you. When we set a basic SSL certificate up, we will use a free certificate authority, so the only cost is our time to set it up for you.
If you have higher security requirements, for example if your website transmits passwords or credit card details, we would recommend using a certificate authority which performs some basic checks on your company when you purchase a certificate through them. Typically, the certificate authority will verify your company details against Companies House, and check your supplied address. This increases user confidence in your certificate and your website’s credibility. These certificates also include warranties which protect you in the unlikely event that a customer’s details are stolen as a result of a weakness in the SSL certificate itself.
If your website handles highly sensitive information, we recommend purchasing an Extended Validation certificate, like the one our website uses. This typically displays a big green bar with your company name in the browser’s address bar. These certificates involve much more stringent checks being performed by the issuing authority to verify your company details. The exact requirements and checks for these vary and are kept secret to prevent people trying to cheat the system, but they often involve a site visit and phone calls to both the provided phone number and any other publicly posted phone numbers for your company.
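To make the three certificate tiers above concrete, here is an added Python example (not part of the original post) that looks at the subject fields of a certificate, in the structure Python’s `ssl` module returns from `getpeercert()`, and reports whether it looks like a basic domain-validated, organisation-validated or Extended Validation certificate. The field-based rule is a heuristic assumption for illustration: a definitive EV check compares the certificate’s policy OID with the issuing CA’s published EV policy, and the `jurisdiction*` field names depend on the OpenSSL build.

```python
import socket
import ssl

# Subject fields that a basic (domain validated, DV) certificate lacks.
# OV certificates add the verified company details; EV certificates add
# the business category, registration number and jurisdiction fields.
# Assumption for this example: presence of these fields is used as a
# proxy for the validation level actually asserted by the CA's policy OID.
OV_FIELDS = {"organizationName", "localityName", "countryName"}
EV_FIELDS = {"businessCategory", "serialNumber"}


def subject_fields(cert):
    """Flatten a getpeercert()-style subject (tuple of RDN tuples) into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Return 'EV', 'OV' or 'DV' depending on which subject fields are present."""
    fields = subject_fields(cert)
    has_org = "organizationName" in fields
    has_jurisdiction = any(name.startswith("jurisdiction") for name in fields)
    if has_org and (EV_FIELDS.issubset(fields) or has_jurisdiction):
        return "EV"
    if has_org and OV_FIELDS & set(fields):
        return "OV"
    return "DV"


def fetch_cert(host, port=443, timeout=5):
    """Fetch the certificate a live site presents, validated against the system CAs."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hypothetical company, example.com domain).
DV_CERT = {"subject": ((("commonName", "www.example.com"),),)}
OV_CERT = {"subject": ((("countryName", "GB"),), (("localityName", "London"),),
                       (("organizationName", "Example Ltd"),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "GB"),), (("serialNumber", "01234567"),),
                       (("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                       (("commonName", "www.example.com"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, "->", validation_level(cert))
```

Run it as-is to classify the constructed samples; pass `fetch_cert("your-domain.example")` to `validation_level()` to check a live site (network required).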
HTTP leaves your website’s communications with its users vulnerable to eavesdroppers. HTTP is like sending information back and forth on postcards. Someone can easily intercept the postcards in both directions and see the entire conversation without either party involved being any the wiser.
HTTPS encrypts the information sent both ways. The encryption is set up using an SSL certificate issued by a trusted Certificate Authority (CA), and only the website holds the matching private key. This gives our eavesdropper a much harder time, since without that private key they cannot decrypt the information.
Yes! A couple of years ago, Google began to update their search algorithm to prefer sites using HTTPS, since those sites tend to be more reputable and are more likely to contain information useful to the user.
Additionally, you might not realise that HTTPS can also be quicker than HTTP. Modern browsers implement a standard called HTTP/2, but only over HTTPS, and HTTP/2 can load pages much faster than is possible over plain HTTP - you can prove this for yourself using this test page: http://www.httpvshttps.com/