Arris Blog

Not secure?

July 26, 2018 / Marketing Communications - Bruno Carrocci

If you’ve updated your Google Chrome browser to version 68, you may have noticed the ‘Not secure’ warning in the address bar of some websites.

To explain the notification: a “secure” website is one that has an SSL/TLS certificate configured and operates over HTTPS instead of HTTP. When a website operates over HTTPS, all data that travels between the web server and your browser is encrypted.

HTTP has been the default for a very long time, and websites today aren’t any less secure than they were previously.

However, Google and others are pushing for all traffic online to be encrypted and are implementing features such as the “Not Secure” notification to encourage website owners to use HTTPS.

Here’s Google’s explanation on their Security Blog (https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html).

Chrome v68 displays a ‘Not secure’ warning on HTTP sites.

Some of our clients may have started to notice Google Chrome marking their websites as “Not Secure” on screens with login forms. As of the latest updates to Chrome (version 68), any site without an SSL certificate will show that same notification in the browser’s address bar.

To enable your site to run over HTTPS, you need to install a security certificate.  This is something best managed by your hosting provider.

Security certificates are available as either free or paid options, with the main differences between them being:

  • Free options are generally used in conjunction with another more recent feature called SNI (Server Name Indication), which removes a requirement for an HTTPS website to have a dedicated IP address. This feature will not work for people using Internet Explorer on Windows XP (more recent versions of other browsers on Windows XP, and Internet Explorer on Windows Vista and above, are fine). In most cases, this isn’t a concern, but there may be some industries that require that level of compatibility.
  • Paid options can offer more in-depth validation of your organisation, which in turn can increase the apparent trustworthiness of your website.
  • Paid options generally include varying levels of warranty which may be accessed in the event of a security breach due to a flaw in the certificate.

The encryption and security offered by free and paid options all meet industry standards and are technically equivalent. In most cases, unless a website is taking credit card payments directly via forms embedded on the website (i.e. not through a redirect to a third party gateway such as PayPal), the free options will be suitable.

At Arris, we have a number of options available to set up certificates for our hosting clients, including free options. Over the coming months, we will be migrating any of our web hosting customers that are not currently using HTTPS to a free option. Please contact us if you’d like to discuss your needs and consider the paid options instead.