Google Plans to Scare You into SSL this October

August 25th, 2017 / Shane Larrabee

chrome not secure ssl warning

“Not Secure”, That’s Scary!

Starting in October of this year, the Google Chrome browser is going to start scaring your website viewers by showing them the above in their address bar on pages with forms if you don’t have a secure (SSL/HTTPS) website.

You may have received an email that looks like the following over the last couple weeks letting you know how serious they (Google) are about this:

chrome ssl email warning

Who Cares? The Majority of Your Web Visitors!

How do we know it’s going to scare your users? Because Google Chrome is the world’s most popular browser, it is a safe bet that upwards of half your web traffic (and probably more) comes from visitors who use the Chrome browser (desktop or mobile).

browser usage statistics 2017
source: https://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Why Would it Scare Them?

Your average web user has no idea that this is a big industry push by Google to make the web a safer place, to reduce information theft and curtail some hacking activity… they are simply going to think it’s your website that is “insecure” and won’t understand that it might not be inherently “insecure” but that it simply doesn’t meet the new security mandate of the behemoth internet company.

Visitors may choose not to use the forms on your website.

So is My Site Secure or Not?

I don’t believe in a “secure website”; there is simply no such thing. However, there is such a thing as a site that is built and hosted to industry standards, a site where precautions have been taken and security measures are kept up to date.

Just because your site does not have SSL/HTTPS enabled does not mean it’s insecure from a hack/malware standpoint. However, it does mean not everything has been done to protect your users and the internet as a whole.

What Google is pointing out here is that any data sent from a form on your website is not encrypted and therefore not as secure as it could be.
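To find the forms this applies to, the added example below (not FatLab's tooling and not part of the original post) parses a page's HTML and reports every form whose data would travel unencrypted, either because the page itself is served over HTTP or because an HTTPS page submits to an HTTP URL. The sample pages on example.com are constructed, and the `has_password` flag is an assumed way to prioritize the findings.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormFinder(HTMLParser):
    """Collect every <form> on a page with its action and input types."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_page(page_url, html):
    """Return a finding for each form whose data would travel unencrypted."""
    finder = FormFinder()
    finder.feed(html)
    findings = []
    for form in finder.forms:
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        if urlparse(page_url).scheme == "http":
            reason = "page is served over HTTP"
        elif urlparse(target).scheme == "http":
            reason = "HTTPS page submits to an HTTP URL"
        else:
            continue
        findings.append({"page": page_url, "submits_to": target, "reason": reason,
                         "has_password": "password" in form["inputs"]})
    return findings

# Constructed sample pages (example.com is a placeholder site).
PAGES = {
    "http://example.com/contact": '<form action="/send"><input name="email"></form>',
    "https://example.com/login": '<form action="http://example.com/auth">'
                                 '<input type="password" name="p"></form>',
    "https://example.com/search": '<form action="/q"><input type="search" name="q"/></form>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(url, audit_page(url, html))
```

The second sample page shows why an HTTPS address alone is not enough: its form still posts to an HTTP endpoint.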

So What do I Do?

You simply order an SSL certificate, get it installed and take steps to ensure your site is ready to be served over an encrypted connection. It sounds hard, but most hosts, and of course the team at FatLab, can take care of a lot of that for you.

How Much Does this Cost?

FatLab is offering each of our clients a flat rate package to convert the sites we manage to SSL/HTTPS, which includes the effort it takes to convert your website and the security certificate.

Security certificates are maintained on an annual basis, and the cost depends on the number of years you register the certificate for and what kind of certificate you get. The ones we sell here cost around $190/yr, with discounts for multi-year plans.

There is also the effort it takes to update your website to handle traffic across SSL and this effort can be variable. Again we have a flat rate plan for our clients.

I Hear There are Free Certificates

There are, just check out Let’s Encrypt for more information. In fact I think this is an awesome cause and believe in their mission… I just won’t use their certificates. Currently, and this may change over time, it comes down to effort and process.

One of the reasons to force websites to SSL is that SSL requires a validation process. Basically, as a website owner you have to prove you are who you say you are and are operating a legit website. The validation process of Let’s Encrypt (and some other providers) is not as thorough as others. So I have to ask: if validation is too easy and certificates are handed out like candy, is the internet truly a safer place? But this argument is more philosophical; let’s get down to the real reason we do not yet support the free certificates.

Let’s Encrypt certificates expire every 90 days and have to be renewed, whereas the ones you buy from companies like GeoTrust and Symantec last at minimum a year. For our hosted clients, to maintain our high up-time, we run a fairly complex system of load-balanced servers behind firewalls and CDNs. The certificate for any one site has to be renewed and installed in several places, and this must be done each and every time we renew. The cost of an annual license is honestly cheaper than our hourly rate to renew these certificates every 90 days.

I also have to admit that the management of so many certificates on a 90 day cycle sounds like a recipe for disaster, i.e. down websites. So I believe the cost of the annual license is totally worth it.
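Because one certificate is installed in several places, a renewal can reach some servers and miss others. The added example below (not FatLab's tooling and not part of the original post) classifies each node's certificate as ok, expiring, expired or stale; the node names, dates and the 30-day warning window are constructed assumptions, and `fetch_cert` is only needed for live use.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(address, hostname, port=443, timeout=5):
    """Fetch the certificate one node presents for `hostname` (live use only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def check_fleet(certs, now, warn_days=30):
    """Classify each node's certificate: ok, expiring, expired or stale.

    `certs` maps node name -> dict shaped like getpeercert() output.
    A node is stale when another node already serves a later-expiring
    certificate, i.e. it was missed when the renewal was installed.
    """
    expiry = {node: datetime.fromtimestamp(ssl.cert_time_to_seconds(c["notAfter"]),
                                           tz=timezone.utc)
              for node, c in certs.items()}
    newest = max(expiry.values())
    report = {}
    for node, not_after in expiry.items():
        days_left = (not_after - now).days
        if days_left < 0:
            status = "expired"
        elif not_after < newest:
            status = "stale"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report[node] = (status, days_left)
    return report

# Constructed inventory: one site's certificate as seen on four nodes.
NOW = datetime(2017, 10, 1, tzinfo=timezone.utc)
FLEET = {
    "cdn-edge": {"notAfter": "Dec 20 12:00:00 2017 GMT"},
    "lb-1": {"notAfter": "Dec 20 12:00:00 2017 GMT"},
    "lb-2": {"notAfter": "Oct 15 12:00:00 2017 GMT"},    # renewal not installed here
    "origin": {"notAfter": "Sep 21 12:00:00 2017 GMT"},  # already expired
}

if __name__ == "__main__":
    for node, result in check_fleet(FLEET, NOW).items():
        print(node, result)
```

For live checks, call `fetch_cert` once per node address with the site's hostname and pass the collected results to `check_fleet`.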

So What’s the Process?

I have written a few times on moving a WordPress site to SSL but here is a short version.

You need to order a certificate from a reputable certificate provider. We have a few that we sell and will recommend one to each client. As part of the certificate validation process, the certificate issuer will take some steps to validate your business, and upon validation the certificate will be issued. FatLab will install it and then work to convert your site to SSL/HTTPS, an effort that is variable and dependent on your website.

Once your site is running on SSL, you will want to go into Google Analytics, Search Console (Webmaster Tools) and any other analytics or third-party tools you use and take steps to ensure that the new HTTPS domain is reflected in your settings.

The Goal

I believe in what Google is doing here. Though I do feel they are being a little bullish about it, it’s the right move for the internet in the long run. It would be my goal that within the next few months all the sites we host are running on SSL, and effective immediately all new sites that we host will be required to run on SSL.
