Google has issued new HTTPS guidelines due to take effect in October. Some of you may remember an email I sent out several months ago. The subject was Google’s push to get every site on the web secured by SSL encryption. Well, Google has now upped the ante.
All Forms Affected
Today, if your site is HTTP and you browse to a page with a form containing “hidden” information, such as passwords or credit card info, you will see a “Not Secure” message to the left of the URL. Chrome is currently content to indicate the lack of security this way. Firefox puts up a much more prominent message warning that any information entered into that screen is subject to interception and compromise.
When Google’s changes go live in October, any page with a form on it, whether passworded or not, will get the “Not Secure” message. This includes opt-in forms and all other forms into which visitors can enter information. The idea is that all user data needs to be secured.
Needless to say, this is a big deal. If you haven’t already secured your site with an SSL certificate, now is the time to get it done.
The Problem
In the not-too-distant past, SSL certificates cost quite a bit of money, so most sites that could do without one did. Within the past year, Comodo, one of the larger SSL certificate issuers, has collaborated with Google and other internet companies to create LetsEncrypt.
The Solution
LetsEncrypt is a free SSL certificate that is adequate for many websites. Many of the better web hosts are now installing LetsEncrypt on all their shared hosting accounts by default. VPS and dedicated servers typically have LetsEncrypt, as well. It may have to be requested from the host’s support team.
Because LetsEncrypt is free, if your host supports it, there is no longer an excuse not to secure your website.
Does My Host Support LetsEncrypt?
There’s one sure way to find out. Contact your host’s support team and ask them. Many hosts do not support LetsEncrypt and indicate that they have no plans to. They would rather charge you to purchase and install an SSL certificate you don’t need than take the initiative to provide LetsEncrypt.
So, you have two choices: purchase an SSL certificate and install it on your existing host, or move to a host that provides LetsEncrypt as part of their service. My preferred host, A2 Hosting, is one that does provide LetsEncrypt on their servers.
Can I Use LetsEncrypt?
If you’re not sure whether you can use the free LetsEncrypt certificate, feel free to contact us and we’ll be happy to evaluate your site for you.
The primary thing to be aware of is whether you collect credit card data onsite. If you use PayPal Standard where the buyer goes to PayPal to complete the transaction and then returns to your site, you’re safe. Stripe and Authorize.net (and probably others) collect the credit card information on your site and transmit it to the payment gateway for processing. For that scenario, you will need a paid SSL certificate.
What If I Need a Paid Certificate?
A standard SSL certificate is about $50/year, give or take a farthing. There are cheaper certs out there, but you need to be careful because not all certs are recognized by the major browsers. The price of the cert is generally like the price of insurance. The more insurance you buy, the higher the price. Certs are a sort of insurance policy.
The $50 certs check to see that you are who you say you are, on a basic level. Some of the cheaper ones do, too, but they’re often less careful about that. Higher priced certs are domain verified which means that they have verified that the domain exists, you own it and it’s on the up and up. As the price gets higher, you get more liability protection, e.g. $10,000, $50,000, etc. You must decide what level of protection is appropriate for your site.
What’s Involved in Converting to HTTPS?
Done right, all the URLs on your site are converted from HTTP to HTTPS. Any mixed media, i.e. images or scripts that you’ve linked to on other sites, should be changed to HTTPS as well. If the external site is HTTPS-compliant, that’s not a problem. If the site is still on HTTP, that can be an issue.
There are quick fix plugins out there that essentially re-route all HTTP requests to HTTPS. Yes, they work to a degree, but they are a hack and can cause performance problems as well as other issues with your site. In short, have it done right. It’s not hugely expensive in most cases, so at the very least check into it before going with one of the freebie solutions.
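As an added example (not from the original post or from any host or plugin mentioned in it), here is a small Python audit of a page’s HTML that does the three checks described above before a migration: it counts the forms that would trigger the “Not Secure” warning, rewrites absolute `http://` URLs that point at your own domain to `https://`, and flags `http://` images, scripts and other resources loaded from other sites, which are the mixed-content cases that need a manual fix. The sample HTML, the site hostname `www.example.com` and the attribute lists are constructed for this example.

```python
"""Audit a page's HTML before an HTTP -> HTTPS migration (example code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that load a resource into the page (or submit a form).
# An http:// value here on an https page is mixed content. Constructed list.
RESOURCE_ATTRS = {"src", "action", "data", "poster"}

# Constructed sample page: one form, internal and external http:// references.
SAMPLE_HTML = """<html><body>
<form action="http://www.example.com/subscribe" method="post">
  <input name="email"><button>Sign up</button>
</form>
<img src="http://www.example.com/images/logo.png">
<script src="http://cdn.example.net/widget.js"></script>
<img src="https://www.example.com/images/secure.png">
<a href="http://www.example.com/about">About</a>
<a href="http://partner.example.org/">Partner</a>
</body></html>"""


class _UrlCollector(HTMLParser):
    """Collect every URL-bearing attribute and count <form> elements."""

    def __init__(self):
        super().__init__()
        self.refs = []   # (tag, attribute, url)
        self.forms = 0

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms += 1
        for name, value in attrs:
            if value and (name in RESOURCE_ATTRS or name == "href"):
                self.refs.append((tag, name, value))


def audit_html(html, site_host):
    """Return the form count, the internal URLs rewritten to https,
    external http:// resources (mixed content) and external http:// links."""
    parser = _UrlCollector()
    parser.feed(html)
    rewritten = html
    internal_fixed, mixed_content, external_links = [], [], []
    for tag, attr, url in parser.refs:
        parts = urlsplit(url)
        # Relative and protocol-relative (//host/x) URLs inherit the page
        # scheme, and https:// ones are already fine; only http:// matters.
        if parts.scheme != "http":
            continue
        if parts.hostname == site_host.lower():
            new_url = urlunsplit(("https",) + tuple(parts[1:]))
            rewritten = rewritten.replace(url, new_url)
            internal_fixed.append((url, new_url))
        elif attr in RESOURCE_ATTRS or tag == "link":
            # Loaded by the browser as part of the page: must be https.
            mixed_content.append((tag, attr, url))
        else:
            # A plain link to another site is navigation, not mixed content.
            external_links.append(url)
    return {
        "forms": parser.forms,
        "internal_fixed": internal_fixed,
        "mixed_content": mixed_content,
        "external_links": external_links,
        "html": rewritten,
    }


if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML, "www.example.com")
    print("forms:", report["forms"])
    for old, new in report["internal_fixed"]:
        print("rewrote", old, "->", new)
    for tag, attr, url in report["mixed_content"]:
        print("MIXED CONTENT:", tag, attr, url)
```

Run it over each page of the site (or a saved copy of the rendered HTML); anything listed under mixed content either needs an HTTPS version of the same resource from the external site or must be hosted on your own domain, which is exactly the work a redirect-everything plugin cannot do for you.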
We Can Help
Please email us to get an assessment of your site’s needs and a quote to get your site protected properly. October is going to be here before you know it and you want those ducks in a row before your visitors start seeing obnoxious “Not Secure!” messages all over your site!
Great article, John!
Thanks for enlightening us about LetsEncrypt and other issues that can come up when moving to the https protocol.