What is the Google Chrome “Not Secure” Warning?
Beginning in July 2018 with the release of Chrome 68, people who use Google Chrome as their web browser are being shown a “not secure” message in their browser bar when visiting websites that don’t use an SSL certificate (which encrypts the communication between your browser and the website). This message looks like:
Historically, websites that accepted and transmitted credit card payments were required by the Payment Card Industry (PCI) to use an SSL certificate, because if unencrypted credit card data was intercepted by hackers it could cause real problems. Other websites were not required to meet the same standard, though many sites that were collecting and transmitting other sensitive data, such as usernames and passwords, would still use SSL of their own accord. In 2014, to help encourage webmasters to develop a more secure web, Google started to use the presence of an SSL certificate as a ranking signal (ranking signals help determine how high up in the search results pages any given webpage shows up for particular search queries). Now, with the change to Google Chrome that shows sites without an SSL certificate as “not secure,” Google is further encouraging all sites to use SSL.
What is an SSL Certificate?
An SSL certificate (SSL stands for Secure Sockets Layer) is a digital certificate, issued by a certificate authority (CA), that lets your web browser and the website server encrypt the information sent between them, such as credit card information, usernames, and passwords (so if the data is intercepted, it is unintelligible and unusable without the proper decryption key). Some SSL certificates also confirm the identity of a website (that the website is actually the website the domain says it is, e.g., it’s not a spammy website posing as apple.com). When an SSL certificate is installed on a website’s server, instead of that website sending information through the standard HTTP protocol, it is sent through the HTTPS encrypted protocol.
Are there different types of SSL Certificates?
There are three types of SSL certificates available, and all provide encryption. Where they vary is in the level of “vetting” of the organization’s right to use the domain, and the amount of information about the organization that is collected and/or checked.
Domain Validated (DV) – domain validated certificates are the easiest to obtain, with the least amount of vetting. Certificate authorities will simply confirm the applicant controls the specific domain name they are applying for the certificate for.
Organization Validated (OV) – Before issuing an OV certificate, the certificate authority will confirm the applicant owns the domain the certificate is being requested for, and will require the applicant to submit some additional information about its organization, including organization name, address, city, state, zip, and more.
Extended Validation (EV) – EV certificates are only issued once the company has been more thoroughly vetted by the certificate authority, following strict guidelines that require the CA to check the organization’s legal, physical, and operational existence; that it has the right to use the domain name the certificate is being requested for; and more. EV certificates, once installed, are indicated by the organization’s name appearing in green to the left of the domain in the browser window.
SSL certificates are also available as “single domain certificates,” “wildcard certificates,” and “multiple domain certificates.”
- Single domain certificates provide coverage for one domain (example.com) or subdomain (events.example.com).
- Wildcard SSL certificates provide coverage for all subdomains at one level, written as *.example.com, such as shop.example.com and events.example.com (the bare domain, example.com, is usually added to the certificate alongside the wildcard).
- Multiple Domain SSL certificates will cover multiple domains and subdomains.
The type of certificate you choose depends on the type of website you run – if it’s a basic blog or “brochure” site, you may not need anything more than a domain validated SSL certificate. If it’s an eCommerce site, a membership site, or a site where you’re asking your visitors to submit sensitive information, you may opt for an organization validated certificate, which provides added assurances for visitors that your site is “who” it says it is. Very few websites require extended validation certificates (and few companies or organizations are willing to pay for them).
Do I Need an SSL Certificate?
It’s a good idea for all sites today to use an SSL certificate, even if the website isn’t collecting sensitive data. Having an SSL certificate helps visitors feel more secure, and it is a small ranking factor in Google’s search algorithm which determines where sites rank in the search results.
How Much Does an SSL Certificate Cost?
SSL certificates range in price from several hundred dollars per year (for an EV cert) all the way down to free.
How Do SSL Certificates Work?
First, a certificate must be procured for the website and installed on the website’s server (where the website “lives”). You, your developer, or your hosting company will submit a certificate signing request (CSR) to a certificate authority like Let’s Encrypt, Comodo, DigiCert, GeoTrust, or others. The certificate signing request is generated on the server where the certificate will be installed and contains information that will be included in the certificate, such as the organization name, domain name, city/locality, state/county/region, and country. It also includes a “public key” which will be included in the certificate.
The certificate authority will then need to verify the applicant. Depending on which type of certificate you purchase, the validation process may be less, or more, involved:
- The validation process for “domain validated SSL certificates” is simple: the webmaster must confirm they control the domain, either by replying to an email sent to the domain registrant email address, by configuring a DNS record for the website (which also proves they have control of the domain), or by uploading a file to the server.
- An organization-validated certificate requires the webmaster to both confirm ownership of the domain and submit additional information about the company’s identity, including organization name, city, state, and country.
- An extended validation or EV certificate requires additional verification – the certificate authority will verify that the business is a real legal entity, in addition to requiring that business information and proof of domain ownership be submitted.
Once the certificate authority has completed the validation process, it issues the certificate to the applicant, who then needs to install it on the website’s server.
Then, when a visitor accesses a website using their browser (such as Google Chrome), the browser sends a message to the website server, basically asking the server to identify itself. The website server responds with the information that the browser needs, including a copy of its SSL certificate.
Next, the browser will check whether that SSL certificate is from a trusted Certificate Authority, that it’s not expired, and that it was issued for the domain being visited. If it passes, the web browser generates a session “key,” which it encrypts with the public key from the certificate and sends to the website server; the website server decrypts the key using its own private key, and sends back a “digitally signed acknowledgment” which completes the “handshake” between the browser and the server – both now agree that a secure connection has been established and that information the browser sends to the server can be encrypted, then decrypted by the server.
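The three checks described above (trusted issuer, validity period, and that the certificate’s names cover the domain being visited) can be written out in a few lines. The example below is added for this article; it is not code from any browser, from Let’s Encrypt, or from DigiSage. It works on a plain dictionary in the shape Python’s `ssl.getpeercert()` returns, so the two certificates and the trusted-issuer list are constructed samples and the script runs offline. The name-matching function also shows how the single domain, wildcard and multiple domain certificates from the list earlier behave (`*.example.com` covers `shop.example.com` but not `example.com` or `a.b.example.com`), and the second sample certificate reproduces the www / non-www mismatch covered later under “Certificate Mismatch Error.”

```python
"""Added example: the checks a browser performs on a server certificate.

Illustration code written for this article, not code from any browser or
from DigiSage. Certificates are plain dicts shaped like ssl.getpeercert()
output (an assumption), so everything here runs offline.
"""
import ssl
import time

# Constructed sample: a certificate for example.com plus a wildcard.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

# Constructed sample: a certificate issued only for www.example.com.
WWW_ONLY_CERT = dict(SAMPLE_CERT,
                     subject=((("commonName", "www.example.com"),),),
                     subjectAltName=(("DNS", "www.example.com"),))

# Stand-in for the browser's root store: issuer organizations we trust (constructed).
TRUSTED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc"}

# A moment inside the sample certificates' validity period (constructed).
SAMPLE_VALID_TIME = ssl.cert_time_to_seconds("Feb  1 00:00:00 2024 GMT")


def issuer_org(cert):
    """Return the issuer's organizationName from the nested RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def seconds_until_expiry(cert, now=None):
    """Seconds until notAfter; negative once the certificate has expired.
    Also handy for renewal monitoring: alert when this drops below a threshold."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now


def is_within_validity(cert, now=None):
    """True when now falls between notBefore and notAfter."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before <= now and seconds_until_expiry(cert, now) > 0


def hostname_matches(pattern, hostname):
    """RFC 6125-style matching: '*' is allowed only as the whole leftmost label
    and matches exactly one label, so *.example.com covers shop.example.com but
    not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers_hostname(cert, hostname):
    """Names come from the subjectAltName DNS entries; the subject CN is used
    only as a fallback when there are no SAN entries."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, hostname) for n in names)


def validate(cert, hostname, now=None):
    """Return a list of problems; an empty list means the browser would show the padlock."""
    problems = []
    if issuer_org(cert) not in TRUSTED_ISSUER_ORGS:
        problems.append("issuer not trusted")
    if not is_within_validity(cert, now):
        problems.append("certificate expired or not yet valid")
    if not cert_covers_hostname(cert, hostname):
        problems.append("certificate name mismatch for " + hostname)
    return problems


if __name__ == "__main__":
    for host in ("example.com", "shop.example.com", "a.b.example.com"):
        print(host, validate(SAMPLE_CERT, host, now=SAMPLE_VALID_TIME) or "OK")
    print("www-only cert on bare domain:", validate(WWW_ONLY_CERT, "example.com", now=SAMPLE_VALID_TIME))
    print("same cert today:", validate(SAMPLE_CERT, "example.com"))
```

Running it with the real clock shows the last line failing the validity check, because the constructed certificate’s notAfter date is in the past: that is exactly the state a site reaches when a renewal is missed.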
How Do I Get and Install an SSL Certificate?
Generally, you’ll want to work with a website developer and/or hosting provider to configure your site for SSL and to procure and install the SSL certificate itself. For most companies, DigiSage recommends using the free SSL certificate provided by Let’s Encrypt (an open certificate authority managed by a nonprofit governed by industry leaders). Anyone with a domain name can use Let’s Encrypt to get an SSL certificate for free; in addition, Let’s Encrypt certificates can be set up to renew automatically. Let’s Encrypt issues both single domain certificates and wildcard certificates.
Issues to Watch For
Unless you’re using a certificate from a certificate authority like Let’s Encrypt, which can be automatically renewed every 90 days, you may be required to take manual steps to renew your SSL certificate every one to three years. Notifications to renew will be sent to the email address the SSL certificate was registered with, so make sure that email is monitored and appropriate steps are taken to renew the certificate before it expires. Failing to do so can result in the “not secure” message being displayed to your website visitors.
Mixed Security Elements from Embedded Content
If you are embedding content in your website from a third-party source (the content “lives” on another website but you are displaying it in yours – such as a video, a calculator, etc.) you must ensure that content is being served over HTTPS as well. If the site you are embedding the content from doesn’t use an SSL certificate, browsers may warn users that your page is not fully secure. If the other website is using an SSL certificate but your code is requesting the content over HTTP, all you need to do to fix the error is change your code to request the URL over HTTPS rather than HTTP: https://example.com rather than http://example.com.
If the other website is not using SSL, you can ask them to add SSL to their website, then once they do, update the code on your website to request the URL over HTTPS rather than HTTP.
If the other website is unwilling to add an SSL certificate to their website, you may consider removing their embedded content from your site to avoid the mixed content warning, which may confuse or scare your website visitors.
In addition, when adding an SSL certificate for the first time, fonts, images, and other embedded media URLs need to be updated from HTTP to HTTPS.
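Finding every http:// reference in a page by hand is error-prone, so the passage above is worth turning into a small scanner. The example below is added for this article and is not DigiSage’s tooling or code from any embed provider. It parses a constructed HTML sample with Python’s standard-library `html.parser`, reports each subresource requested over HTTP, and rewrites to HTTPS only those whose host appears on a constructed list of hosts already known to serve HTTPS, since blindly rewriting a host that has no certificate just breaks the embed; everything else is reported as still needing the provider to add SSL or the embed to be removed.

```python
"""Added example: find and fix mixed-content references in a page's HTML.

Illustration code written for this article, not DigiSage's tooling. The HTML
sample and the list of hosts known to serve HTTPS are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that cause the browser to fetch a subresource (common cases).
URL_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}

# Constructed sample page with one secure and three insecure subresources.
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example.net/logo.png">
<script src="https://cdn.example.net/app.js"></script>
<iframe src="http://video.example.org/embed/123"></iframe>
<link rel="stylesheet" href="http://fonts.example.net/style.css">
</body></html>"""

# Constructed: third-party hosts we have confirmed serve the same content over HTTPS.
KNOWN_HTTPS_HOSTS = {"cdn.example.net", "fonts.example.net"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every subresource requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in URL_ATTRS.get(tag, ()) and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    """Return the list of insecure subresource references found in the HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_url(url, https_hosts):
    """Return the https:// form of url if its host is known to serve HTTPS, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in https_hosts:
        return None
    return urlunsplit(("https",) + tuple(parts[1:]))


def fix_mixed_content(html, https_hosts):
    """Rewrite the fixable references; return the new HTML and the ones still unresolved."""
    unresolved = []
    for tag, attr, url in find_mixed_content(html):
        upgraded = upgrade_url(url, https_hosts)
        if upgraded is None:
            unresolved.append((tag, attr, url))
        else:
            html = html.replace(url, upgraded)
    return html, unresolved


if __name__ == "__main__":
    fixed, left = fix_mixed_content(SAMPLE_HTML, KNOWN_HTTPS_HOSTS)
    print(fixed)
    for tag, attr, url in left:
        print("still insecure:", tag, attr, url)
```

The unresolved list is the set of embeds you would need to take back to the provider (or remove); the rewritten HTML covers the “your code is requesting the content over HTTP” case from the text.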
Certificate Mismatch Error
Certificate mismatch errors occur when the SSL certificate is issued for the wrong domain – often https://www.example.com, when the site is actually configured to show content on https://example.com (no www). When registering the certificate, webmasters should be careful to enter the exact domain the site uses. (If the site returns content on both www and non-www versions of the domain, set up a canonical redirect from one to the other first, to fix this problem and also to avoid duplicate content penalties in Google).
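The canonical redirect the paragraph recommends is a simple rule: every request for the site on the wrong scheme or the wrong host form is answered with a permanent redirect to one canonical URL, path and query preserved. The example below is added for this article and is not DigiSage’s or any web server’s code; the canonical host is a constructed placeholder, and the function stands in for the redirect rule you would normally write in your web server or hosting control panel.

```python
"""Added example: canonical redirect decision for the www / non-www and
http / https forms of a site.

Illustration code written for this article, not DigiSage's configuration.
The canonical host is a constructed placeholder.
"""
from urllib.parse import urlsplit, urlunsplit

CANONICAL_SCHEME = "https"
CANONICAL_HOST = "example.com"  # the exact name the certificate was issued for (constructed)


def alternate_host(host):
    """The other www / non-www form of a host name."""
    return host[4:] if host.startswith("www.") else "www." + host


def site_variants(host):
    """The four URL forms of a site that should all resolve to one canonical URL."""
    bare = host[4:] if host.startswith("www.") else host
    return [f"{scheme}://{name}/"
            for scheme in ("http", "https")
            for name in (bare, "www." + bare)]


def canonical_redirect(request_url, canonical_host=CANONICAL_HOST):
    """Return (301, location) when the request should be redirected, or None
    when it is already on the canonical scheme and host (or not this site)."""
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    if host not in (canonical_host, alternate_host(canonical_host)):
        return None  # some other site; nothing to canonicalise here
    if parts.scheme == CANONICAL_SCHEME and host == canonical_host:
        return None  # already canonical: serve the page
    # Preserve path and query; drop any fragment, which browsers never send anyway.
    location = urlunsplit((CANONICAL_SCHEME, canonical_host, parts.path or "/", parts.query, ""))
    return (301, location)


if __name__ == "__main__":
    for url in site_variants(CANONICAL_HOST):
        print(url, "->", canonical_redirect(url) or "serve")
```

Because the rule redirects to the host the certificate names, a visitor who types the other form never lands on a page whose certificate does not match it.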
Google Search Ranking Fluctuations
According to Google, when migrating from HTTP to HTTPS, “as with all migrations, you may experience some ranking fluctuation during a migration.” Taking proper steps to manage the migration will minimize any impact, and ultimately, moving to HTTPS is a smart idea. Be sure to verify the HTTPS version of the site in Google Search Console (in fact, you should verify all four versions as properties in Search Console: http://www.example.com, https://www.example.com, http://example.com, and https://example.com).
Reminder: “Secure” Doesn’t Necessarily Mean “Safe”
Just because a website has an SSL certificate installed, doesn’t necessarily mean the website is safe – it just means that information you submit is being encrypted as it’s sent to the server. If the website or server isn’t being properly maintained, the website could still be vulnerable to hacking, which could result in spam links being injected into the website, driving visitors to malicious or deceptive sites; or malware being added to the site, which could also impact its visitors. Adding an SSL certificate to your website is just one component of maintaining a secure, reliable website.
DigiSage can request a certificate on your behalf, install it, and keep it up-to-date automatically. Contact us for an estimate (though the certificate itself may be free, there are support costs involved in setting up the certificate and configuring the website to use it).