Have you noticed that many of the smaller websites you visit using Chrome now carry the admonition of “not secure”? These websites have not changed; Chrome has changed.
Google wants the world to believe that it is truly concerned with the security of its customers, and has chosen one of its flagship products, the Chrome internet browser, to show the world that it is a leader in cyber security.
First, let’s look at how your computer accesses websites. You give your computer an address (domain name) which it locates on the internet and copies the page (or file or whatever) down to your computer. Then it disconnects from the internet. What you see and what you do is on your own computer…until another internet access is needed. If you go from the website’s home page to another one, the same process happens, only now you have copies of two pages on your computer. And so on.
The browser software on your computer uses an application (app) called a protocol. For decades these apps used HTTP (HyperText Transfer Protocol) to communicate. When websites started collecting personal information (like credit card numbers and passwords), a modified protocol named HTTPS (“S” for secure) was created, which encrypted the communications to protect privacy.
Before, whenever your browser encountered a website that used HTTPS, it would show you something like a padlock icon to let you know that SSL (Secure Sockets Layer) was being used and your data was encrypted.
Today most browsers still do that, but not Google Chrome. Google now labels any website that still uses the old HTTP as not secure. If no personal information is sent to the website, does it make any difference? Technically, no. However, in the perception of the user, Google has just said the website is bad and maybe you shouldn’t go there.
Google is trying to come across as the market leader that is protecting the public. And it’s not just adding those two words, “not secure”. Google also penalizes the website in its search engine rating so it may appear lower in a Google search. More like bullying to me.
However, they are big enough to get away with such bullying and we are now advising our clients that they have an option to switch to HTTPS if they would like.
All of the other major browser makers are starting to follow suit, encouraging websites to change over to HTTPS. One cannot win against these cyber bullies.
How does a website change over? Your website provider or hosting service can acquire a special certificate for your web pages that says you are legitimate. Today, there are three levels of certification: the domain level, the organization level, and the extended level.
The SSL certificate verifies that the website really is who it says it is – either an individual or an organization. The certificate confirms the identity of the website owner and vouches for its authenticity.
At its lowest level, domain validation, the certifying authority (CA) only checks whether the applicant actually owns the domain for which the certificate is to be issued.
At the next certificate level, called organization validation, the CA examines relevant information, such as company public filings, in addition to domain ownership. Information that has been vetted is accessible to website visitors, which boosts the site’s transparency. The somewhat demanding nature of this certificate means that it can take longer and be more expensive to issue.
The highest level of SSL certification (today) is called extended validation and has the most extensive authentication level. This process requires company information to be even more thoroughly scrutinized. This exhaustive review should additionally increase the website’s credibility. This certificate is also the most cost-intensive of the three.
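The three validation levels described above leave a visible trace in the certificate itself, because the vetted organization details are written into its subject. The following is an added example, not part of the original article: it classifies a certificate from the subject fields that Python's ssl.getpeercert() returns, using constructed sample certificates, and the field-based rule is a heuristic assumption (the authoritative marker is the CA's policy identifier, which the standard library does not expose).

```python
import socket
import ssl

# Subject attributes that appear only after the CA has vetted the organization.
# Heuristic assumption: presence of these fields implies the validation level.
EV_ONLY = {"businessCategory", "jurisdictionCountryName"}
OV_MIN = {"organizationName"}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """Return 'EV', 'OV' or 'DV' based on the identity data in the subject."""
    names = set(subject_fields(cert))
    if OV_MIN <= names and EV_ONLY & names:
        return "EV"
    if OV_MIN <= names:
        return "OV"
    return "DV"  # only control of the domain name was checked


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live site's verified certificate (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape getpeercert() returns.
SAMPLE_DV = {"subject": ((("commonName", "shop.example"),),)}
SAMPLE_OV = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example Widgets LLC"),),
    (("commonName", "www.example.org"),),
)}
SAMPLE_EV = {"subject": (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),),
    (("serialNumber", "0000000"),),
    (("organizationName", "Example Bank Inc"),),
    (("commonName", "www.example.com"),),
)}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        owner = subject_fields(cert).get("organizationName", "(no organization listed)")
        print(validation_level(cert), "-", owner)
```

To check a real site, pass the result of fetch_cert("your-domain") to validation_level(); a domain-validated certificate will show no organization name at all.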
In addition to the actual certificates, software may review the website to make sure it works the way it says it should. For example, does contact information collected actually go to the owner of the certificate? These are things one should expect from a “secure site”.
The cost to upgrade to HTTPS varies with the level of certification and how well the website was developed in the first place. As you can expect, the higher the level the higher the cost.
For existing sites, the cost to convert can be minimal if you do it yourself, or up to several hundred dollars if you use a professional. Usually there are also additional costs to be included in your periodic hosting fees when HTTPS communications are used.
For a new website, the developer will probably build the cost for SSL and HTTPS into the overall price of the website and hosting.
Does a website really need HTTPS?
In the past, if the website didn’t collect sensitive data, like credit cards or social security numbers, the owner may not have needed an SSL certificate. However, with the new browser notices, it’s becoming more important to ensure that a website has an SSL certificate and is loaded via HTTPS.
It’s up to the owners to figure out how they want their visitors to perceive the security of the website. It’s up to the visitors to figure out if there is any perceived decrease in value without it. I’ll bet most people never even noticed the “not secure” notice from Google Chrome.
J. David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info
This article was first published in The Orange Leader on January 3rd 2019.