At the start of July Google released the Chrome 68 update, and since then they have been marking all HTTP sites as ‘not secure’. Google has been giving gentle nudges to users for a number of years to encourage them to encrypt their sites with HTTPS, starting in 2015 when they began to down-rank unencrypted sites.
Site admins need to take action now or risk losing visitors, who will see their site as untrustworthy. Put yourself in the position of a potential site visitor. If there is any question of trust regarding a site you may have shown interest in visiting, then the likelihood is that you won’t visit it then or in the future, even if it has addressed the HTTP issue. Since early 2017 Google has been marking any HTTP site that collects personal and/or financial data from its visitors as “not secure”.
According to Google the stats as of February 2018 are:
- Over 68% of Chrome traffic on both Android and Windows is now protected
- Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
- 81 of the top 100 sites on the web use HTTPS by default
Look at it this way. What if you passed a retail outlet on a high street and the sign in the window said, “we sell great stuff but there’s a chance you might get ripped off if you shop here”? Of course, you’re not going to enter that shop and will move on to the one next door that says, “we sell the same great stuff but we can guarantee that you won’t be ripped off here”. Your website is still the biggest marketing tool available to you, particularly for a small business that may have a limited marketing budget. Once trust is lost it may never be regained.
What are the benefits of moving to HTTPS?
Besides avoiding the obvious “Not Secure” label, Google identifies several reasons to switch in its website migration guide:
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
- Encryption. Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages or steal their information.
- Data integrity. Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Authentication. Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
So, does HTTPS protect me from an attack?
In a word, NO. What HTTPS does is protect the interaction between your website and the visitor. Here is an explanation from https://www.smashingmagazine.com:
“The protocol transfers information between the browser and the server in clear text, allowing the network, through which the information passes, to see the information transmitted. This is a security concern, so HTTP Secure (HTTPS) was introduced, allowing the client and the server to first establish an encrypted communication channel, and then pass the clear text HTTP messages through it, effectively protecting them from eavesdropping”.
Your website is still vulnerable to a number of attacks including:
- SSL/TLS Vulnerabilities
- Brute Force attacks
- DDoS attacks
- Downgrade attacks
- Website, server or network hacks
- Vulnerabilities with Software
- Common bad practices and complacency by website admins
How to migrate to HTTPS
There are a number of guides available online to guide you through the process. I highly recommend that you read the following:
If protecting the sensitive data of your customers doesn’t motivate you to switch, then remember this. All sites served over HTTP, and therefore marked “Not Secure”, will see a negative impact on website SEO. What this means is that you are going to find it harder and harder for your site to rank in Google search results. I’ll finish with a borrowed quote I’m very fond of using: “The best place to hide a dead body is page two of Google Search Results”.
John Grennan – IT.ie