Secure Your Site
In July 2018, after a two-year push to encourage better security practices across the web, Google Chrome began labeling all sites served over HTTP as "Not Secure." HTTP (Hypertext Transfer Protocol) is the standard protocol that browsers use to fetch the contents of a website or submit the data you enter into a website to a server. Because it’s unencrypted, anything sent over HTTP can be read or altered by anyone sitting between the browser and the server, leaving your data vulnerable to hackers and other unscrupulous characters.
In order to secure your site, you need to make sure your visitors are using an encrypted protocol: HTTPS. To use HTTPS, you need to have an SSL certificate on your site’s server. In this post, I’ll go over why you’ll want an SSL certificate and how to get one.
Note: As of September 2018, Chrome is by far the most popular web browser with a 65% market share. Since no other browser comes close to that level of popularity, this article is focused solely on how Chrome treats websites that do or do not have SSL certificates.
What is SSL?
SSL is a protocol for establishing encrypted connections between a web server and a browser. To facilitate SSL connections, a certificate is installed on your web server, which is then presented to browsers attempting to make a secure connection to your website.
Creating an SSL certificate requires some level of verification of your domain through a Certification Authority (CA). When a browser receives an SSL certificate, it checks that the CA is trusted, that the certificate is valid (not expired and not yet past its start date), and that the domain listed on the certificate matches the domain requested by the user. If these checks pass, an encrypted session is established between the browser and the server, and all data transmitted between the two will be encrypted. If any check fails, the browser will display a warning indicating that the site is insecure.
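To make the three checks concrete, here is an added example (not code from the original post) that reproduces them in Python on a certificate dictionary in the shape returned by `ssl.SSLSocket.getpeercert()`. The certificate, the dates, the host names and the trust store are all constructed for illustration; the CA-trust check is reduced to a name lookup, whereas a real browser verifies the signature on every certificate in the chain.

```python
"""Added example: the three browser checks on a server certificate, run on a
constructed getpeercert()-style dictionary. Not the original post's code."""
import ssl
import time

# Constructed sample certificate (names and dates are made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.coolrestaurant.example"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "subjectAltName": (("DNS", "www.coolrestaurant.example"),
                       ("DNS", "*.cdn.coolrestaurant.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2034 GMT",
}

# Constructed trust store: issuer names this toy "browser" trusts (assumption).
TRUSTED_CA_NAMES = {"Example Trusted CA Root"}

# Two constructed "current times": one inside the validity window, one after it.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  1 00:00:00 2040 GMT")


def issuer_common_name(cert):
    """Pull the issuer's commonName out of getpeercert()'s nested tuples."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_issuer_trusted(cert, trusted=TRUSTED_CA_NAMES):
    """Check 1: is the certificate issued by a CA the browser trusts?"""
    return issuer_common_name(cert) in trusted


def is_within_validity(cert, now=None):
    """Check 2: notBefore <= now <= notAfter (cert_time_to_seconds parses the GMT strings)."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def dns_name_matches(pattern, hostname):
    """Match one subjectAltName DNS entry: exact, or a single '*' as the whole
    leftmost label matching exactly one label (*.example.com matches
    a.example.com but not a.b.example.com and not example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Check 3: does the requested host appear in subjectAltName? Chrome ignores
    a bare commonName, so only the DNS entries are consulted."""
    return any(kind == "DNS" and dns_name_matches(name, hostname)
               for kind, name in cert.get("subjectAltName", ()))


def check_certificate(cert, hostname, now=None, trusted=TRUSTED_CA_NAMES):
    """Run all three checks; every value True is what earns the padlock."""
    return {
        "ca_trusted": is_issuer_trusted(cert, trusted),
        "valid_now": is_within_validity(cert, now),
        "hostname_matches": hostname_matches(cert, hostname),
    }


if __name__ == "__main__":
    for host in ("www.coolrestaurant.example",
                 "img.cdn.coolrestaurant.example",
                 "evil.example"):
        print(host, check_certificate(SAMPLE_CERT, host, now=SAMPLE_NOW))
```

The wildcard rule is the part people most often get wrong: a certificate for `*.cdn.coolrestaurant.example` covers `img.cdn.coolrestaurant.example` but neither the bare `cdn.coolrestaurant.example` nor anything two labels deep.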
Why You Need SSL
One of the most important messages to convey to the visitors to your website is “This site is secure.” If users feel, for any reason, that your site is “sketchy” or insecure, they’ll be quick to move on (and probably go straight to one of your competitors' sites). Google, the makers of Chrome, have made it very easy for users to tell a secure site from an insecure site by displaying a padlock icon in the address bar for secure sites and “Not Secure” along with an information icon for insecure sites. The image below shows two screenshots of the address bar in two different sites. The first one is an insecure HTTP site and the one below that is a secure HTTPS site.
Having that padlock next to your URL tells users that your site is trustworthy, and in turn that your company or organization is trustworthy. But the main reason you need an SSL certificate is to ensure that the data your users submit to your website is encrypted in transit, so it cannot be intercepted and stolen or altered by hackers. If a hacker were able to intercept your users' data, your organization could be liable - not a good look.
How to Get It
Before getting an SSL certificate, you should first decide what type of certificate you want. There are three types:
- Domain Validation - Free and suitable for most sites
- Organization Validation - Shows organization name in the certificate but appears the same as domain validation in the address bar. Requires purchase.
- Extended Validation - Shows organization name in the address bar. Requires purchase.
Domain Validation SSL certificates are often free and offer the same level of security as Organization Validation and Extended Validation, so this is what we typically recommend for our clients. There are two major sources for DV certificates: Cloudflare and Let's Encrypt.
Cloudflare provides a multi-service speed/protection layer in front of your website, including free SSL, which is why it is our preferred recommendation. Included in their feature set is a content delivery network (CDN), which has the added bonus of making your website faster. It does this by hosting your large website assets (files, images, etc.) on a distributed network of servers and then serving them from the server that is closest to the user. It also provides a firewall layer to detect possibly malicious users and prevent them from ever hitting your site, and most customers' needs are met by their free tier.
It should be noted that Cloudflare approaches SSL a bit differently, by acting as a proxy server to serve your website over HTTPS instead of requiring your own dedicated SSL certificate on your server. If your eyes are glazing over as you read this, just know that Cloudflare is awesome and it’s usually the best option for SSL certificates and faster websites.
Let’s Encrypt is a great service from the Linux Foundation that provides SSL certificates for free, but depending on your web host it can require a little bit more web development knowledge to configure correctly. If your web host offers Let's Encrypt in their control panel, it's usually as simple as clicking a button and following a few steps. If your host doesn't offer this, or if you don't feel comfortable clicking around in the control panel, get in touch with us. We'll set up your SSL certificate for you.
Ensure the Site Is Secure
Once you've added an SSL certificate to your site, you'll want to be sure that everything is being served over HTTPS. You should set up a wildcard redirect to force any HTTP page to redirect to its HTTPS equivalent; for example, http://www.coolrestaurant.com/menu would redirect to https://www.coolrestaurant.com/menu. You'll also need to check the site for "mixed content" warnings, which often happen when your site references an image or a script that is hosted on another server insecurely. Fixing that issue is usually as simple as changing the code referencing the image from http:// to https://, so long as the server hosting that image or script has its own valid SSL certificate.
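The two checks described above, as an added example in Python using only the standard library (this is not code from the original post): the URL rewrite that a catch-all HTTP-to-HTTPS redirect performs, and a small scanner that lists the http:// subresources an HTTPS page would load, plus the naive http:// to https:// fix the post suggests. The HTML page and every host name in it are constructed for illustration.

```python
"""Added example: HTTP->HTTPS redirect target and a mixed-content scanner.
Not the original post's code; sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag/attribute pairs that load something into the page. A plain <a href> is
# navigation, not mixed content, so it is deliberately left out. <form action>
# is included because Chrome also flags HTTPS pages that submit to http://.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
    "object": ("data",),
    "form": ("action",),
}

# Constructed sample page: an HTTPS page with a few insecure references.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://images.example/hero.jpg">
<img src="//images.example/logo.png">
<a href="http://partner.example/">Partner</a>
<form action="http://www.coolrestaurant.example/order"></form>
</body></html>"""


def https_redirect_target(url):
    """Rewrite an http:// URL to its https:// twin, keeping host, path, query
    and fragment. This is what the 'wildcard redirect' computes per request."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): nothing to redirect
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every subresource fetched over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in SUBRESOURCE_ATTRS.get(tag, ()):
                continue
            # Protocol-relative (//host/...) and https:// URLs inherit or use
            # HTTPS and are not mixed content; only an explicit http:// is.
            if urlsplit(value).scheme == "http":
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    """Return the list of insecure subresource references in an HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_references(html):
    """The fix from the post: flip each flagged http:// reference to https://.
    Only apply it once you know the other server really serves over HTTPS."""
    for _tag, _attr, url in find_mixed_content(html):
        html = html.replace(url, https_redirect_target(url))
    return html


if __name__ == "__main__":
    print(https_redirect_target("http://www.coolrestaurant.com/menu"))
    for finding in find_mixed_content(SAMPLE_PAGE):
        print("mixed content:", finding)
    print("after fix:", find_mixed_content(upgrade_references(SAMPLE_PAGE)))
```

Note that the protocol-relative `//images.example/logo.png` is not reported: it inherits the page's scheme, so it loads over HTTPS once the page does. The `<a href="http://...">` link is not reported either, because following a link is navigation, not loading content into the secure page.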
As recently as a few years ago, adding SSL was costly and detrimental to performance, so it was generally reserved for websites dealing with private data and credit cards. These days, setting up SSL is simple, free, and performance is on par with unencrypted sites. There's no downside, and tons of benefit. If you haven't yet made the leap, now is the time.
Note: Throughout this post, we refer to "SSL" since this is still the most commonly used term in public discussion, but it would be more accurately referred to as "TLS", which is the modern successor to SSL.