Google Chrome is the most popular web browser in the World, with over 50% of market share. The next release of Google Chrome, scheduled in January, will change how the browser handles un-encrypted websites and could result in your site being labelled as "insecure".
Read the Google blog post here: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
How do I know if my site is "un-encrpyted"?
If your website address starts with "http://", it's not encrypted.
- http://www.mywebsite.com - Boo! This is using an insecure connection
- https://www.mywebsite.com - Hurray! This is using an encrypted connection
What is "http" and why is it a security issue?
"http" stands for "Hyper-Text Transfer Protocol". This is a standard for sending data over the internet. When data is sent through http, it's sent in "plain text" - so anyone "eavesdropping" on the communication can see what's being sent to and from your browser (this is called a "man in the middle" attack).
If what's being sent from your browser is a password, or credit card details, clearly that has security implications.
So what's the alternative?
Instead of using insecure "http://" - you should use secure "https://".
"https" stands for "Hyper-Text Transfer Protocol over SSL". When data is sent from to and from your browser over https, it is encrypted - meaning that eavesdroppers cannot (without great difficulty) decipher the contents of the data that is being sent. Passwords, credit card details and so on, are considered secure when sent over https.
So I can just send people to my site at https:// to be secure?
Sadly it's not quite as simple as that.
- your website hosting needs to be setup to support https. That may be the case already.
- you need a security certificate for your website. There are many different providers, some free and some paid for.
- you need to make sure that all content on your site is accessed via a secure URL.
- you should make sure that Google knows to send people to the secure version of your site from search results.
- you should make sure that anyone visiting the insecure version is automatically redirected to the secure version.
So how do I know if my site is secure already?
- If you visit your website address, replacing "http" with "https", what happens? As a basic rule of thumb, if you see a green padlock in the address bar of your browser, that's a good start!
- Go to https://www.ssllabs.com/ssltest/analyze.html and enter in your website address, then run the tool. This will test your website's security certificate and takes about a minute to complete.
- Go to https://www.jitbit.com/sslcheck/ and enter in your web address including "https://" at the start. If you see warnings about "pages with insecure content", then you'll need to review your web content and make sure everything is using a secure connection.
- When you look your site up on Google and click through from a search result - does it send you to the secure (starting with "https://") version of the site?
My site isn't secure - what should I do?
If we provide your hosting, we'll make sure that your site is properly configured with an encrypted connection.
Otherwise, I'd recommend speaking to your website designer / developer / agency, and/or your website hosting company.
If you want advice - feel free to give us a shout.