Once upon a time almost all websites had addresses starting with http://, except for maybe your bank. This meant that your internet traffic was largely unencrypted or exposed on the internet. Then, in the wake of the Snowden leaks in 2013, people started realizing that having basically all internet traffic unencrypted means that basically anyone, from the NSA right down to the kid next door, could read everything you send, find out what video content you enjoy or whether you are privately badmouthing your boss. With this, of course, it became a good PR move for companies to give the NSA the middle finger, and Google swiftly did so by encrypting all their internal traffic. Quite surprising to many, however, was the fact that the craze to encrypt everything didn’t die down. Encrypting everything wasn’t just a one-hit wonder… In 2014 Google announced that it would start giving better search ranking to sites running on https://. This means that sites that have SSL certificates will now rank higher than those without the trustworthy “https:” and green padlock in their browser bar. It took more than a year for this new trend to gain traction in the public eye. Suddenly, obtaining SSL certificates for encryption purposes became easy to do and was backed by many big names, such as the EFF, the Mozilla Foundation and other big companies like Cisco and Facebook.
Which brings us to the present day. With all key pieces in place, Google started warning users when a website is not using encryption. Google Chrome has started adding “Not Secure” warnings to websites that are not running https. It doesn’t matter what kind of site you have or whether you process credit cards on your site: if you don’t have an SSL certificate, a non-secure warning will now be shown in the browser bar when your potential customers visit your website. In the long run these warnings will be shown on all websites that are not secured well enough. And it makes sense. With more and more information available, identity theft is on the rise. According to some sources, it is even more prevalent than credit card fraud itself.
As a website owner, however, this means that you have to get moving. Even if SEO is not a concern to you, having an ugly warning on your site is not going to be beneficial to your business. This ugly warning will drive your most promising potential customers to a more secure competitor, seriously impacting your conversion rates.
As an added side-benefit, installing SSL certificates on your sites allows your developer to take advantage of HTTP/2, a new protocol which brings speed benefits with it. If nothing else, this should be enough motivation to start moving before your customers start asking uncomfortable questions about why your site is not secure.
So here’s what you need to ask your developer to do:
First of all, make a list of all the third-party sources your website loads. These could be anything from Google Analytics to your ad network. Since your site will now run on a secure connection, these third-party scripts need to be loaded over a secure connection too. Luckily, most analytics and solutions offer you this as a service now. Once you have this list, log in to each of these and make sure you have a method for testing whether they still work after the change.
All done? Great, this is where you come back in. Next, you need to find an SSL certificate.
In order to secure your site, you have to verify that the site indeed belongs to you. Otherwise a clever attacker could try to impersonate your site and steal data from your customers. If you want, you can spend a considerable amount of money and obtain a so-called Extended Validation certificate, which writes your company name in the address bar but will cost you an arm and a leg and takes a considerable amount of paperwork, or you can buy a standard SSL certificate online for a few hundred bucks and have your developer install it. There is also a free option called Let’s Encrypt that any competent dev can set up for you, although this will take a bit of time for them to set up. If your dev needs help installing your SSL certificate you can direct him here, and after it’s complete you should be able to type https://yourdomain.com and the site should load. If the lock next to the address is green, you’re done! If it’s not green, you may have a mixed content problem, which your dev can learn how to resolve here or try this free WP plugin. If you want a painless HTTPS transition, just hit up the chat box and we’ll get you moved to Entrecloud for free and set up your free instant Entrecloud SSL for you.
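The third-party inventory and the mixed content check described above can be scripted. The following is an added example, not part of the original post; the function and class names are hypothetical and the sample page and its hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# navigation, not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src", "object": "data"}
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}  # <link> rels that fetch

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.resources = page_url, []  # resources: (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            url = attrs.get("href") if rels & LOADING_RELS else None
        else:
            url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if url:  # resolve relative and protocol-relative (//host/x) URLs
            self.resources.append((tag, urljoin(self.page_url, url.strip())))

def audit(page_url, html):
    """Return (third_party_hosts, mixed_content) for HTML served at page_url."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own_host = urlparse(page_url).hostname
    hosts = {urlparse(u).hostname for _, u in collector.resources}
    third_party = sorted(hosts - {own_host, None})
    mixed = [(t, u) for t, u in collector.resources if urlparse(u).scheme == "http"]
    return third_party, mixed

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://analytics.example.net/track.js"></script>
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<a href="http://partner.example.net/">partner</a>
</body></html>"""

if __name__ == "__main__":
    third_party, mixed = audit("https://www.example.com/", SAMPLE)
    print("third-party hosts to re-test:", third_party)
    print("mixed content to fix:", mixed)
```

This only inspects the static HTML it is given; resources injected later by scripts or referenced from CSS still need to be checked in the browser's developer console.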
CTO @ Entrecloud, DevOps engineer with over 10 years of experience in system administration and software development; public speaker and author.
Likes crazy side-projects and when they mature, applying them in practice.