If you’ve ever visited a large corporate website (think Google, Twitter, or even your online bank), you’ve probably noticed the little lock icon in your browser window. What that means is that your connection is encrypted, and nobody (short of Chloe O’brian from 24) who intercepts the communication will be able to decipher it. That’s why you can put in your personal information, credit card numbers, etc., without worrying that someone else will possibly get a hold of them.
If you look up at the browser on this site, you’ll also notice the lock icon. This site, like most of the ones we develop, is configured to force this type of connection. Even thought we don’t typically deal with credit card information, we still deal with sensitive information – people who fill out the quote form, their budget, email addresses, etc. We feel like it’s important to make sure those are kept safe as well.
In 2014 Google went on record as saying it wanted all websites to be secure in the (near) future. To help push that change forward, they have indicated that soon they will start lowering the rank of websites in Google searches if their websites are not secure.
In an upcoming version of the Chrome browser, there is even an option to flag insecure websites and show them with a special icon indicating that they shouldn’t be trusted. Right now about two-thirds of the entire internet is still insecure, and those will be flagged and possibly de-ranked in the not too distant future.
The push for having a secure internet is hitting peak momentum now, with all US .gov sites mandated to have completed the conversion before the end of the year. Apple and Mozilla, two other internet giants, are also behind this massive push.
I’m Sold! Now What?
Unfortunately switching to a secure website isn’t always a straightforward endeavour.
First, on older websites, many of the links to images and other assets use http:// (insecure), and the browser will show a warning message (usually a broken lock) indicating that while the site is meant to be secure, it’s not entirely living up to that promise. Those links need to be converted into https://, or even better, // (which will use whatever the user types into the browser window, http:// for insecure connections and https:// for secure ones).
Second, you need to purchase and install a SSL certificate on the server. This certificate shows information about your business, the domain name, and contains the cryptographic information necessary to start an encrypted session on the internet. The problem is not all web hosting providers allow clients to install their own SSL certificates. The ones that do often require a unique IP address (which isn’t normal on most cheaper hosting plans, as they typically have hundreds of clients on the same physical server sharing the same IP). So this process often involves the web hosting provider, the person who manages your website, and a certificate authority (the company that issues and manages the certificates) like Namecheap.
The best option at this point involves use of the free Let’s Encrypt project, but unfortunately to make use of those certificates you need server access that is unavailable on most shared hosting providers. All of our premium WordPress hosting packages contain Let’s Encrypt SSL certificates installed by default, so you’d get that out of the box.
Google is rumoured to start de-ranking by the end of this year. If you have a website that’s insecure, you may want to move quickly on making it secure prior to these changes, otherwise you may risk losing traffic from Google. If you’d like to discuss what’s involved in making your site secure, get in contact with us.