19 February 2016
Google's Chrome web browser is used on 52% of the world's computers. Its search engine is the world's biggest. If it decides to move the goal posts, it's worth paying attention.
Alex
Website SSL rules – don’t get penalised
Google will soon name and shame all websites that are unencrypted. In a future release of their Chrome web browser due this summer, unencrypted websites will be flagged as “insecure.” This will be highlighted by a red padlock symbol in the address bar, for all website visitors to see.
Google have made it clear that the web of the future should be totally encrypted, and all sites should be served over secure HTTPS as opposed to the standard unencrypted HTTP protocol most websites use today.
Google is by no means alone in its desire to get everything on the internet to travel over secure channels. The Mozilla Foundation, creators of the Firefox browser, and Apple, who make the iPad and iPhone devices, have also shown an interest in pointing out websites that do not offer encryption.
HTTP stands for hypertext transfer protocol, which is a mechanism for the transfer and display of web content between a server and computer. It is an unencrypted protocol. Websites have been using this protocol since the invention of the internet.
HTTPS is the same as HTTP but travels over a secure layer called SSL, which stands for Secure Sockets Layer. HTTPS traffic is encrypted between server and computer and cannot be read or intercepted by anybody except the intended recipient(s). Websites that handle financial transactions such as e-commerce or banking have been using HTTPS for many years, to protect sensitive customer and financial transaction data. Even big social media networks like Facebook and Twitter are now requiring users to view their sites in HTTPS. Unfortunately, the majority of non-financial, non-e-commerce websites do not use HTTPS and this is something the web’s super-powers à la Google, Mozilla and Apple wish to change.
The rule of thumb for all online transactions is to ensure that you are using an HTTPS encrypted site, to keep your data secure. You can tell when a page is using HTTPS in two ways: 1) There will be a padlock icon in the browser window, usually to the left of the address bar. 2) The address displayed in the address bar will have the prefix https://
Back to Google: Their head of Engineering Security recently tweeted that Google’s intention is to “call out HTTP for what it is; unsafe.”
The rationale is that every time a user browses an unencrypted site, the full “conversation” between computer browser and web server is in the clear. Anybody could snoop on the connection whether it be a reclusive hacker or repressive government. This enables passwords, private messages and other sensitive information to be stolen.
Spoofing websites has long been a tactic of hackers across the globe in attempts to fool users into revealing sensitive information. HTTPS doesn’t just protect data. It also ensures the user is connecting to the real site and not an imposter one. This protection is enforced by means of digital certificates, called SSL certificates, issued by reputable certificate authorities. A website owner has to purchase a certificate from a certifying authority after verifying their legitimacy and identity, and install it onto the server that hosts the site. The end user’s web browser will then do the rest of the work in identifying and checking the SSL certificate, and thus the HTTPS connection, when the user browses to the website.
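The certificate check the browser performs can be reproduced with Python's standard `ssl` module. This is an added example, not part of the original article; the host name `www.example.test` and the sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example Test CA"),),
               (("commonName", "Example Test CA R1"),)),
    "notBefore": "Feb 19 12:00:00 2016 GMT",
    "notAfter": "Feb 19 12:00:00 2017 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

def summarize_cert(cert, now=None):
    """Report who issued a certificate, which names it covers, and days left."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    # Each issuer element is a one-item tuple holding a (field, value) pair.
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "names": names,
        "days_left": (expires - now).days,  # negative once expired
    }

def check_site(host, port=443, timeout=5.0):
    """Connect as a browser would: verify the CA chain and the host name."""
    ctx = ssl.create_default_context()  # trusted CAs + hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "ok", **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate, or name mismatch.
        return {"status": "untrusted", "reason": exc.verify_message}
    except OSError as exc:
        return {"status": "unreachable", "reason": str(exc)}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT))
```

Running `check_site` against your own domain on a schedule gives early warning before a one-year certificate lapses.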
Google signalled its preference for HTTPS websites as long ago as 2014 when it announced that sites which are HTTPS enabled will automatically have a higher ranking in search results. This means that if a site is configured for HTTPS, it will generate more traffic by appearing above non-HTTPS websites in Google searches. More traffic drives more interest, and eventually more business, so the benefits of HTTPS are not just limited to protection of data.
Apograph offer bespoke web design and hosting packages to all individuals and businesses in the UK. Whether your website is hosted with Apograph or elsewhere, we can enable your website for HTTPS and provide the required SSL certificates. If you wish to discuss your HTTPS requirements, please contact one of our consultants today.
As an indication:
- We can generate an SSL certificate lasting for one year for £72.00 plus VAT.
- If your site is already hosted by Apograph or Web Lab, the cost of reconfiguring it for HTTPS and installing the SSL certificate will be an extra £65.00 plus VAT *SSL certificate purchase required*.
- If your site is hosted elsewhere, the cost of reconfiguring it for HTTPS and installing the SSL certificate is £130.00 plus VAT, based on a simple website. For more complex websites, we reserve the right to change the cost due to the work involved.
However, we are currently offering a site hosting transfer to Apograph/Web Lab for £130.00 plus VAT which includes your first year hosting fees. Adding SSL reconfiguration on top of this will require the cost of £72.00 plus VAT to be added for the required SSL certificate.