Check Your Encryption
Since July Google Started Turning Business Away From Your Site If It Was Not Encrypted
Hackers have triggered browser makers to demand encryption for all sites across the web.
Since July, Google Chrome has been turning business away from your website if it deems your site to be unencrypted.
“Google [rolled out the policy] to all versions of Chrome this summer,” said Peter Boyd, founder of PaperStreet, a web-design firm (www.paperstreet.com).
Specifically, Google Chrome brands your website as “Not Secure” in the address bar of its browser if it senses that you’re operating without encryption (https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html).
“Users presented with this warning will be less likely to interact with these sites or trust their content, so it’s imperative that site operators get their websites encrypted,” said Patrick R. Donahue, security engineering product lead for Cloudflare (www.cloudflare.com), a web-services provider. Moreover, Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge and Apple Safari have started to replicate that move by Google to police the web, according to Donahue.
Given that those browsers together service 93% of all the people surfing the web, according to Netmarketshare (www.netmarketshare.com), it’s no surprise that the “Not Secure” branding campaign is expected to trigger a stampede of businesses desperately looking for encryption.
The easiest way to determine if your business will be impacted is to type the web address of your website into the Google Chrome browser. If your website is lacking encryption, you’ll find a warning from Google in the address bar stating that your website is “Not Secure.”
Indeed, Google is even now posting more subtle warning notes in its browser about many websites that operate with encryption. The warning appears as an exclamation symbol in the address bar, which you need to click on to retrieve Google’s admonition that the site is not secure.
In contrast, the search giant has decided that its warning will be stark and dramatic. Visit any site that’s not encrypted, and that site will be branded with the words “Not Secure” right in the Google Chrome address bar—no clicking necessary.
“Google has been gearing up for the change since 2014,” Donahue said.
For years, the campaign to encrypt websites has been mostly limited to e-commerce websites, where shoppers enter credit card and other highly sensitive information that hackers are looking to steal. Such sites run on the Hypertext Transfer Protocol Secure (https) standard and often feature a green lock or other green emblem in the browser address bar, indicating that the website is encrypted and operates at a much higher level of security than other websites.
Amazon.com, for example, features the emblem of a green lock when its web address is called up in most browsers, clearly indicating that its site is encrypted. Standard websites that run on the older Hypertext Transfer Protocol (http, no “s”) are not encrypted and feature no such emblem.
Compounding the anticipated pandemonium over “Not Secure” branding is a related decision by Google to “remove trust” in any website certified as encrypted by Symantec prior to June 1, 2016. The reason is that Google has repeatedly expressed skepticism regarding the veracity of Symantec’s certification process prior to that date and has simply decided to invalidate such certifications for users of its browser. That decision is a major blow to website operators in its own right, given that Symantec is one of the largest purveyors of encryption certifications on the web.
Hardest hit by the dual decisions will be operators of non-e-commerce websites that require no passwords for entry and do not accept credit cards or other forms of digital payment. For years, such sites were not favorites of hackers, given that no monetary transactions took place there and, consequently, many non-e-commerce sites did not worry about getting encrypted. But more recently, hackers have been plundering those unencrypted sites by inserting code in their webpages that enables the hackers to download malware to someone visiting the website or code that directs a visitor to a phony web page that then asks for credit card or other personal information from the site visitor.
The good news for website owners looking for encryption is that many web-hosting companies have decided to offer basic encryption as a free, value-added service.
“Today, https is fast, simple to deploy, and cost-effective if not free—and there’s no longer an excuse for not using it,” said Cloudflare’s Donahue.
Many of the web-hosting companies offering free encryption work with Let’s Encrypt (www.letsencrypt.org), a non-profit organization whose mission is to offer free basic encryption to any website owner who needs it. Let’s Encrypt also provides the certificate you need to prove to website visitors—and to Google—that your website is encrypted.
If you’re looking to go the free route with Let’s Encrypt, your best move is to talk with your web-hosting company and verify that it has a tool on your website control panel that enables you to easily add a Let’s Encrypt certification to your website. Many web hosts without such tools also enable you to install Let’s Encrypt certification, but that manual process is tedious, and it’s often easier under such a circumstance to switch to a web host that features a Let’s Encrypt tool.
Either way, you’ll need your web designer or someone very web savvy to verify your website’s transformation to encrypted status and to ensure that all of the coding on your website reflects that change.
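In practice, making sure the site's coding reflects the change largely means finding resources that pages still load over http://, which browsers treat as mixed content once the page itself is served over https. The Python script below is an added example, not part of the original article: it audits a page's HTML for such leftovers, and the class name, severity labels and sample page (example.com hosts) are constructed for illustration.

```python
from html.parser import HTMLParser

# Active content can rewrite the page, so browsers block it on HTTPS pages;
# passive content only displays, but an on-path attacker can still swap it.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentAuditor(HTMLParser):
    """Collect http:// subresource references left in a page served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def _record(self, kind, tag, url):
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url.strip()))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            self._record("active", tag, attrs.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._record("passive", tag, attrs.get(PASSIVE[tag]))
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._record("active", tag, attrs.get("href"))
        elif tag == "form":  # not a subresource, but submitted data leaves in cleartext
            self._record("form", tag, attrs.get("action"))
        # <a href="http://..."> is navigation, not mixed content, so it is ignored.

def audit(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; the example.com hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/lib.js"></script>
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="HTTP://img.example.com/logo.png">
<a href="http://partner.example.com/">Partner</a>
<form action="http://www.example.com/contact"><input name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in audit(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Protocol-relative references (//cdn.example.com/lib.js), the canonical link and ordinary hyperlinks are deliberately not reported, since none of them loads an unencrypted resource into the encrypted page.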
An easy alternative—if you have a very small site with just a few pages—is to simply purge your old site, re-establish it as an encrypted website from the get-go, and then simply rebuild the few pages you have from scratch.
Of course, there are also any number of web hosts and security providers more than happy to encrypt your website for a fee. But the bottom line is to get your encryption done before July, which will ensure that your website is not branded as “Not Secure” and that you’re not forced to approach encryption-for-a-fee providers as someone incredibly desperate for their service.
Joe Dysart is an internet speaker and business consultant based in Manhattan.