October is Here, Migrate to HTTPS Before Chrome Marks Your Site “Not Safe”!
You’ve probably noticed that some URLs start with “http” while others start with “https”. But have you ever asked yourself why? Why would some websites have the “s” at the end of the “http”? Additionally, you may also have noticed that “https” websites have a green padlock at the beginning of the URL.
There is a reason for this. The extra “s” stands for secure and is powered by a technology known as SSL – Secure Sockets Layer. To have the “s” placed at the end of your “http”, you need to get an SSL Certificate.
In general, the “s” at the end of the “https:” is supposed to tell web users that your site is safe; that they can confidently browse your pages without fear of their personal and financial information being stolen by hackers. All this is aimed at tackling the growing threat of cyber crime.
Now, Chrome set to mark http sites as “Not Safe”
In line with the efforts already being made to fight cyber crime, the world’s most popular browser Chrome will from October 2017 mark all sites without the small “s” as “Not Safe”.
This will happen to all non-HTTPS pages that contain input fields like contact forms and search bars. But that will just be the beginning. Eventually, all HTTP sites will be marked as “Not Safe”. HTTP sites viewed Incognito will also be affected.
The “Not Secure” alert will be displayed boldly in the address bar right at the beginning of the URL. Web owners were first warned about this in April, and a follow-up warning was sent via email in August.
The search giant reasons that failing to secure information being shared on the internet between visitors and web servers puts both parties at risk.
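The rollout described above can be turned into a quick inventory of your own pages. The following is an added example, not code from Chrome or from the original article: the URLs and HTML snippets are constructed, and treating every `<input>` type except hidden/submit/button/reset/image as a data-entry field is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# <input> types that take no typed data from the visitor (assumption of this sketch)
NON_TYPED = {"hidden", "submit", "button", "reset", "image"}

class FieldFinder(HTMLParser):
    """Collects the form fields a visitor can enter data into."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("textarea", "select"):
            self.fields.append(tag)
        elif tag == "input":
            kind = (attrs.get("type") or "text").lower()
            if kind not in NON_TYPED:
                self.fields.append(f"input[{kind}]")

def warning_stage(url, html):
    """Return (stage, fields): 'https' = not affected, 'first-wave' = HTTP page
    with input fields, 'later' = HTTP page without them (flagged eventually)."""
    if urlsplit(url).scheme == "https":
        return "https", []
    finder = FieldFinder()
    finder.feed(html)
    return ("first-wave" if finder.fields else "later"), finder.fields

# Constructed sample pages (hypothetical site, not taken from the article)
PAGES = {
    "http://example.test/contact":
        '<form><input type="email" name="e"><textarea></textarea>'
        '<input type="submit"></form>',
    "http://example.test/blog": '<input type="search" name="q">',
    "http://example.test/about": "<h1>About us</h1><input type='hidden' name='t'>",
    "https://example.test/checkout": '<input type="text" name="card">',
}

def audit(pages):
    return {url: warning_stage(url, html) for url, html in pages.items()}

if __name__ == "__main__":
    for url, (stage, fields) in audit(PAGES).items():
        print(f"{stage:10} {url} {fields}")
```

Pages in the "first-wave" group are the ones to move to HTTPS first; every remaining HTTP page lands in the "later" group.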
What does this mean for you?
You may be wondering about the implications of this development. It’s really simple. Even with a perfectly working website, you need visitors to hit your digital marketing goals. Without traffic, you’d be reduced to nothing. A “Not Safe” warning right at the beginning of your URL is enough to keep most of your potential visitors away!
Approximately 50% of internet users use Google Chrome for daily browsing. It means that with the “Not Safe” sign, you could lose about half of your traffic. With that, your sales, revenue, and profit would all be affected.
But you can avoid this by getting your site secured. How? By getting an SSL Certificate for all your domains.
So, what exactly is an SSL Certificate?
According to SSL.com, SSL is a standard security technology for establishing an encrypted connection between a web server and a browser. The encrypted connection ensures that all data passing between the web server and browser remains private.
The internet, though critical to daily communication, isn’t as safe as most people imagine. This is especially true when sending or retrieving sensitive information such as financial and personal data to or from a web server. Without proper security, someone can easily place tools along the communication path to intercept the data for their own criminal gains.
For instance, when applying for a loan online, you’ll be asked to provide your bank and employment details. Even in the offline world, we usually do our best to keep this information completely private. However, the nature of the internet makes such privacy very difficult. With a simple software program, a hacker can listen to your keystrokes or even intercept the data you’re sending through man-in-the-middle attacks. Once this information lands in the hacker’s hands, there is no telling what would ensue.
An SSL certificate is basically a digital computer file (or a small piece of code) designed to secure such communications by performing two main functions:
Authentication and verification
An SSL certificate contains information about the authenticity of the businesses, persons, or website in question. This information can be viewed by clicking the green padlock symbol or the trust mark appearing at the beginning of a secure website’s URL. During online communication, the information is usually verified and authenticated first, and a connection to the website only established if all is well.
SSL certificates also encrypt data being sent over the connection. It means that sensitive information cannot be intercepted or read by anyone else other than the intended recipient. In the same way you lock your doors and only a person with the right keys can open the lock, encryption makes information inaccessible to persons without the right key. Only the person with the right decryption key can “unlock” it.
To ensure maximum security, each SSL session consists of two keys:
A public key used to encrypt (scramble) the information
A private key for decrypting the information and restoring it to its original, readable format.
How SSL Certificates work
Each SSL certificate given to a CA-verified entity (read website) is issued for a specific server and web address (domain). When you use your browser (Firefox, Chrome, Internet Explorer, etc.) to navigate to a verified address, an SSL handshake (greeting) takes place between the browser and the server and a secure connection is established.
To alert you that you’re on a secure connection, you will notice certain changes to the URL. For example, a trust mark will appear, the URL or a portion of it will turn green, and a green padlock will appear at the beginning of the URL. Of course, you will also notice the “s” after “http”.
You can click on the trust marks to see additional information about the website you’re connected to. Among others, you’ll be able to see the type of SSL certificate being used and the issuing SSL Certificate Authority.
Once the connection is established, you can safely request information from the server. Your browser will first check for the SSL certificate of the web page you’re requesting, and, once the SSL credentials are approved, form a binding (no-gaps) connection with the server. The binding connection is so secure that no one besides you and the website you’re connected to can see or access whatever information is being sent or retrieved.
The great news is that the secure connection happens without intervention from you. You just visit the website and the connection is established automatically within seconds!
Choosing the right SSL Certificate for your website
That was the simple part. Now, you need to get an SSL Certificate to protect your visitors as well as your business. Keep in mind that the best certificates come at a premium. But, they are worth every cent.
The following is a step-by-step guide to help you find the most suitable certificate for your needs.
Step 1: Is your domain registered?
A number of WordPress users haven’t registered their domains. Before you even think about getting an SSL Certificate, find out if your domain is registered. Only registered domains can be provided with public SSL Certificates. Why? Because the Certificate Authority (CA) issuing the certificate needs to verify the domain ownership first.
Essentially, a non-registered domain means that your domain name or IP is part of a private network such as mydomain.local.com or mydomain.internal.com. Beginning November 2015, CAs can’t issue publicly trusted Certificates containing reserved IPs or internal server names. This is because internal names are not unique, making it difficult to verify the company that owns them.
But you can still secure communications between your internal servers that use internal server names. Since you can’t use publicly trusted SSL Certificates, a clever option is usually to use self-signed certificates. Another idea is to set up an in-house CA and issue certificates from there. The best idea, however, is to find a company that provides Certificates issued from a non-public root. This way, you can secure your internal servers without the need to host your own CA or self-sign your certificates.
Step 2: What trust level do you need?
Although all SSL Certificates secure sessions and encrypt any information being sent or retrieved, they differ in terms of how they display in browsers and how much information is included in the certificate, both of which can have a major impact on consumer trust. In general, there are three certificates to choose from:
Domain Validated (DV) Certificates
Domain Validated Certificates are the most basic type of SSL Certificates. They have the least amount of identity information and at best only tell the browser that the website owner has control over the domain.
In fact, one of the biggest drawbacks of DV Certificates is that they don’t include any company information. For instance, if you’re getting a DV Certificate for www.companyxyz.com, there won’t be anything in the Certificate to verify that it is run by Company XYZ.
For this reason, we don’t recommend DV Certificates for ecommerce establishments. There are already advanced phishing attacks where criminals create a similar site to the one they intend to attack, and can even obtain a DV certificate for the imposter site. Therefore, a DV Certificate that doesn’t contain your company name doesn’t inspire much confidence. Yes, it’s better than nothing. But most consumers, especially B2Bs, will not feel 100 percent safe on your site.
Organization Validated (OV) Certificates
The second type of SSL Certificate, which is slightly better than DV Certificates, is the Organization Validated Certificate. OV Certificates require business authentication, meaning that a lot of information about the business has to be verified before the certificate is issued.
However, OVs still fall short of maximum security. For instance, company information is not prominently displayed. If a user wants to view your company’s identity information, they must open the certificate and click on a subtitle named “Details”. Since most consumers don’t have time for this, it could cost you sales.
Extended Validation (EV) Certificates
This is by far the best SSL Certificate you can obtain for your business. Aside from including the most company data leading to the highest level of trust among customers, a business must meet the most stringent requirements of any type of SSL before receiving this Certificate.
During the verification of an EV SSL Certificate, the owner of the website goes through a globally standardized verification process to prove exclusive rights to the domain and confirm that it’s legal. You must also prove that the CA has authorized the issuance of the certificate. The verified information is then included within the certificate with important pieces such as your business name displayed prominently in the browser window.
EV Certificates offer the best security
As such, if you want total security and are interested in conveying the highest levels of trust, choose an EV Certificate. These certificates are actually much better at deterring phishing attacks. They do this by displaying the verified site’s identity front and center – presenting it directly in the address bar. You may not know it but consumers are increasingly looking for these trust marks. In addition to the green padlock, they also want to see the company details in green. This is only possible with EV Certificates.
Step 3: How many domains do you want to protect?
As with other businesses or organizations, you may want to protect multiple domains. Or, it could be just one domain. There are different SSL Certificates to choose from based on these needs too:
To protect just one domain – use a standard certificate
If all you’re concerned about is one domain such as abc.com, then you can purchase a single domain or standard certificate. The standard certificate can be DV, OV, or EV.
For multiple domains – use a multi-domain certificate
For instance, if you want to secure abc.com, abc.net, abc.org, etc, then you need a multi-domain certificate. These certificates make it possible to secure several domains using just one certificate. Each domain will be listed as a Subject Alternative Name (SAN) in the certificate (explaining why these certificates are sometimes called SAN Certificates).
For multiple sub-domains – use a Wildcard or multi-domain certificate
You may have multiple sub-domains to your abc.com website, such as payment.abc.com, products.abc.com, about.abc.com, etc. To secure all these sub-domains, you can again turn to a multi-domain certificate, or get a Wildcard. The choice typically depends on how many sub domains you wish to secure. If you have a lot of sub-domains, a Wildcard will be your best option. For just two or three sub-domains, use a multi-domain certificate. You can opt for any of the three trust levels.
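Before buying, it helps to check which of your hostnames a given certificate would actually cover. The sketch below is an added example, not part of the original article; it goes slightly beyond the text by applying the standard browser matching rule (a wildcard stands for exactly one left-most label), and the hostname shop.payment.abc.com and the helper names are made up for illustration.

```python
def name_matches(cert_name, hostname):
    """Match one certificate name (a SAN entry) against a hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False  # "*" stands for exactly one label, never zero or several
    if pattern[0] == "*":
        # Only a whole left-most label may be a wildcard, and it needs a
        # registered domain to its right (so "*.com" is rejected here).
        return len(pattern) >= 3 and host[0] != "" and pattern[1:] == host[1:]
    return pattern == host  # exact match; partial wildcards like "p*" never match

def uncovered_hosts(cert_names, hostnames):
    """Return the hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]

# Hostnames from the article's examples plus one constructed deeper sub-domain
HOSTS = ["abc.com", "payment.abc.com", "products.abc.com",
         "about.abc.com", "shop.payment.abc.com", "abc.net"]

WILDCARD = ["*.abc.com"]                         # Wildcard certificate
WILDCARD_PLUS_APEX = ["*.abc.com", "abc.com"]    # Wildcard with the bare domain added
MULTI_DOMAIN = ["abc.com", "abc.net", "abc.org"] # multi-domain (SAN) certificate

if __name__ == "__main__":
    for label, names in [("wildcard", WILDCARD),
                         ("wildcard + apex", WILDCARD_PLUS_APEX),
                         ("multi-domain", MULTI_DOMAIN)]:
        print(f"{label:16} leaves uncovered: {uncovered_hosts(names, HOSTS)}")
```

The result shows two gaps that are easy to miss: a Wildcard for *.abc.com does not cover the bare abc.com or a second-level sub-domain, and a multi-domain certificate covers only the exact names listed in it.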
From HTTP to HTTPS: Choosing the right SSL CA
Finally, we want to give you a few tips on selecting the right Certificate Authority. Since the migration to HTTPS started, dozens of Certificate Authorities have come up. Some are even free. So, how do you go about choosing the right one for your WordPress site?
Here are the four main factors to consider:
There are industry standards established by the WebTrust™ program for Certification Authorities. European CAs also have to adhere to the European Telecommunications Standards Institute requirements. The best CA should meet or exceed these standards.
Every CA must verify details about a business’s identity before awarding a certificate. If a CA isn’t verifying these details, then that’s not the right CA. Additionally, find out if the verification process has ever been breached. Have there been cases where someone obtained a certificate from that CA through the backdoor?
Certificate management system
The best CAs make it easy to manage your SSL Certificates. If you have multiple certificates for your many domains, the authority will provide you with a management system that allows you to easily keep track of things such as the data on each certificate, expiry dates, and certificate renewal so that you’re protected round the clock.
Lastly, you need reliable support from your Certificate Authority. Every website on the internet is potentially vulnerable. Your server can go down anytime or there could be a technical glitch with your SSL Security. When this happens, speedy technical support is needed to get your site back up and running.
After considering these four factors, go ahead and consider things like price. While some of the best SSL Certificates are also very expensive, if you look keenly, you’ll definitely find some not-so-expensive options.
Tired of looking? Here’s a great deal!
Simplemachine has partnered with some of the best web security companies in the world to bring you the most reliable SSL Certificate at the best price. Check it out and grab yours today!