SSL For All
Most people using the internet today understand that when they shop and purchase products from a website and enter sensitive information on a form (credit card and other personal info), they should only do so when that site is secure. Many web browsers make it easy to distinguish that by displaying a padlock, typically near the address bar. This provides a secure channel to submit information that attackers will not be able to decipher.
So, exactly how does the process of securing a website work? Through Secure Sockets Layer protocol. Commonly referred to as SSL. A CA (Certificate Authority) issues a certificate for a webmaster to configure and install for a domain name on their hosting server. Not only does it provide encryption between the website and its’ visitors, but also validates ownership of that domain. This helps people from being fooled by bogus sites that appear authentic such as their banking website.
Most business owners probably aren’t concerned about encryption and validation. Sure, they may have a simple contact form that asks for name, email address, and phone number. But most of the information can be found through public record anyhow. Why would they want to go through the trouble of setting up an SSL certificate as well as pay for it? I’ll give several reasons below.
Google is forcing webmasters
While Google isn’t technically forcing webmasters to utilize SSL it sure wants to deter them not to. Before I get to the “why” let’s go over some statistics. It is no secret that Google’s Chrome browser is the most used on the internet. As of October 2017, it accounts for around a whopping 55% of the worldwide browser market share. The browser with the next most usage? Safari at approximately 14.5%. Not even Microsoft’s Edge browser that comes with Windows 10 can compete at a meager 2%. See for yourself.
Since Chrome is so dominant in the market, the influence Google can have in shaping security is very large. Not only have they given a minor ranking boost for sites with SSL / https versus those without, but the latest version of Chrome now informs users that a site isn’t secure when SSL is not present. We haven’t quite reached the doomsday scenario where you see a red triangle with an exclamation point inside. The sign that has Not secure | https next to it followed by the domain. However, that day may come in the near future.
Instead, a neutral looking circle with an i inside greets the user. Clicking on this circle does indeed mention the site is not secure. And with newly released Chrome version 62, whenever a visitor begins to fill out a form or even a search query that “circle i” gets the Not secure treatment next it. Unless, of course, that website has SSL installed.
Not secure in action
Check out the screenshot below. As of this post, even though CNN.com has an SSL certificate, it does not pass Chrome’s requirements. This also will happen when simply searching on a non-SSL website.
Hey, What is this?!? Fake News??
All kidding aside, one can understand the cause for concern. Especially if a visitor fills out a form on a website and those words appear. Even though Google is pushing for every website to be secure, I don’t think their method to influence webmasters is a bad thing. Why? Because you no longer need to pay for an SSL certificate. It may take some extra work, but trust me, it’ll be worth it to have that green padlock and Secure message next to your domain.
Getting your free SSL Certificate
In 2016, a Certificate Authority by the name of Let’s Encrypt launched a service that provides everyone and anyone free SSL certificates. They can offer this service because of donations and sponsors. And just because it’s free doesn’t make it inferior to certificates provided by other CA’s. The one catch is that certificates expire every 90 days instead of the typical 1 year.
If you’re hosting on a VPS or Dedicated Server with Web Hosting Manager, there is a feature called AutoSSL. It gives you the option of installing certificates through Let’s Encrypt or their own option, Cpanel (provided by Comodo). As the name implies, it will automatically go through all of the hosted domains on the server and check for certificates. If there is none for a particular domain it will set up and install it through a tool called Certbot. This tool will also inspect for invalid certificates as well as ones that are about to expire and renew them several days before expiration.
For web hosting companies who are on a shared server with no option to 1-click install Let’s Encrypt it may be worth checking out www.sslforfree.com. While I haven’t personally used this service, they appear to make the process as smooth as possible. I do advise you research them thoroughly as they are not an official partner of Let’s Encrypt. There are also other tutorials online that guide you step by step for installing certificates on a shared server. Don’t forget to take note of when you installed the certificate so as to prepare for when it expires in 90 days.
Switching from http to https
Installing SSL certificates is only part of the process of moving your website from http to https. You need to make sure that any assets you are hosting are embedded or linked using the https prefix. You shouldn’t have to worry about external assets. If the certificate has been installed and set up properly and you are still not getting the green padlock and secure notice, you have a couple of options available. One such option is Why No Padlock?. All you need to do is put in your domain name and it will show you any images, scripts, etc., that is causing the issue. You can also view the source code and manually search for any “http://” references and change as necessary.
For WordPress administrators, there is a plugin that works great from switching your site over to SSL. Really Simple SSL makes it extremely easy to make the change.
Active Installations: 500,000+ | Last Updated: 3 Weeks Ago | As of 11/2/17
Step by Step instructions
- Make sure you have already installed the SSL certificate on the website
- Navigate to Plugins / Add New in your wordpress dashboard
- In the Search plugins… box enter “Really Simple SSL”
- Install and activate the plugin
- It is highly advised that you back up your database before proceeding
- You should see a notice in the dashboard to enable SSL
- Once enabled, log out and your website should now have the https prefix
- If you have any issues with insecure pages see the above recommendations on troubleshooting
Getting used to SSL
Once you get the hang of the whole process it should start to become second nature. The benefits of installing SSL certificates far outweigh the time it takes to do so. I really believe it is only a matter of time before all websites utilize https. And while there may be some growing pains along the way, the internet will be a better place for it.