For many of our Ridgefield Group customers, security on their website is important. From e-commerce transactions to customer data, our clients’ sites handle thousands of requests every day that require stable and strong security. So when Google says they will “step up” their requirements for new security practices, we tend to pay attention.
Google has made several changes over the years that push sites towards better security standards. From indicating that a site “may have been hacked” in the standard search results page to preferring HTTPS sites over non-HTTPS sites, Google has slowly ramped up the game on how encryption online should be considered. And, it’s about to get even more harried.
In January 2017, Google will update their Chrome browser (Chrome 56) and, when that update is automatically installed for many users, an important nuance will be shown. On Chrome 56 pages which are not HTTPS will be marked as explicitly “not secure” for users. This is a big change from the current “neutral” display that Chrome has used to notify users in the past and its part of an overall strategy by Google to support an”HTTPS Everywhere” policy.
Even further, Google indicates that this is not the last step in the plan. Citing studies indicating users fail to respond to sites which passively indicate warnings, Google will eventually label any non-HTTPS page with a more elaborate and alarming notification:
Currently the “red triangle” warning is only used for sites which have broken SSL’s. Eventually, that will be the warning given for sites lacking an SSL.
So, what can you do?
First of all, realize that this is Google making these changes to their Chrome browser. While other browsers may follow suit, we’re not aware of any current plans from Microsoft, Mozilla, or Apple to warn users this same way. But if history is any indicator, these other browsers will likely do something similar.
Second, this is different from changing encryption standards. Some older algorithms (such as the SHA-1 hash) are no longer secure. These should be replaced by now anyway, and for most SSL users, this has already been handled. What Google is promoting now is a warning for the lack of an SSL, not just an indication of a weak SSL.
Third, this is a plan which will not discriminate against any website. If you’re not leveraging SSL, then you’ll get hit with this “red triangle” warning — regardless of whether or not you really need an SSL on your website! It won’t matter if your blog is just about the most perfect chicken recipes or some innocuous topic. Just because you don’t handle customer data or transactions will no longer be sufficient (in Google’s perspective) to not have an SSL.
Finally, realize that this can be a simple fix.
Our team of internet and hosting pros can help you select, configure, install, and support an appropriate SSL for your website.
If your site is really very basic you’ll be pleased to know that costs are extremely low. And, if you already have a more elaborate SSL for ecommerce or other transactional purposes, we anticipate this demand will keep downward pressure on certificate prices.
We invite you to contact us today and let us know how we can help you avoid these issues with your website. Ultimately, it’s better for your customers and protects your firm from risk.