SSL certificates and your website
Posted by Malcolm Iliff, on 13th March 2017
2017 looks set to be the year when insecure web browsing dies! At CBJ Digital we want to help you make sure that your website is ready for when this happens.
What is insecure web browsing?
Since the World Wide Web was born in the mid-1990s, the protocol (language) for communication between a user’s web browser (e.g. Chrome, Safari, Firefox, Edge or IE) and the website server has been HyperText Transfer Protocol, or HTTP for short. You can see this at the beginning of a lot of website addresses, e.g. http://www.cbjdigital.com/
If a website is served over HTTP, all the data sent over the internet between your computer and the web server is unencrypted. This means that any bad guys - for example hackers, Russians, the CIA or MI5 (choose your favourite) - can snoop on your activities, change the information that’s being transmitted or even impersonate you online.
To fix this problem, a new protocol was created to secure communications over the internet, called HTTPS: HyperText Transfer Protocol Secure. You’ve probably already seen and experienced this on shopping sites where you enter sensitive data such as credit card numbers. When HTTPS is used on a website, all communications between your browser and the web server are encrypted, which means eavesdroppers can’t listen in and data can’t be tampered with or forged.
My website has been okay on HTTP so far, what’s changed that means I need HTTPS now?
Back in 2014 Google – the company behind arguably the most important search engine on the web - announced a call to action: for HTTPS to be used by all websites so that the internet as a whole could be made more secure. To encourage website owners to adopt HTTPS, Google said that all secure sites would be given a boost in their search engine results. So, if your site was competing for position against a site that wasn’t secure Google would give your site a little helping hand. However, Google also said that, in their search engine at least, websites that weren’t secure would not be penalised.
In January this year Google upped the stakes. In the new version of their Chrome web browser (which has over 55% of all users) they would begin displaying the security status of a website’s connection to the browser in the address bar of pages that have a password entry or credit card details form.
This is the start of Google’s long term plan to alert all visitors to sites being served over HTTP as not secure so that they can be warned that any sensitive or personal information they enter is not being safely transmitted to the server. Consequently, sites with contact forms, or indeed any form of data entry, will display a warning if they aren’t secure. Where Google leads, the other browser makers are sure to follow.
So, to ensure that visitors aren’t scared away from using your website by these warnings, you need to think about when and not if you should make the switch to HTTPS. All our e-commerce sites already use HTTPS and all new projects that we are currently working on at CBJ will include HTTPS as standard. We want to be sure that all sites we build and manage are secure by default.
How do I get HTTPS on my website?
For your site to be served over HTTPS you’ll need an SSL certificate. SSL stands for Secure Sockets Layer. You might also hear it called TLS, short for Transport Layer Security. SSL and TLS are cryptographic protocols which encrypt and secure communications over a computer network. The SSL certificate contains a unique ‘key’ which is placed on your site’s web server. The key is used to verify that any information sent between web browser and server hasn’t been tampered with, and also to encrypt and decrypt it at either end of the communication channel.
At CBJ Digital, when we help our clients to secure their websites we do the following:
- choose the right certificate for your website
- install the certificate on your website
- update the configuration of your site so that it works over HTTPS instead of HTTP
- redirect all requests for your ‘old’ HTTP website to the location of the HTTPS site
- update your web site’s configuration in Google Analytics or advise you of how to do this if we do not manage your analytics
- test and confirm that the conversion was successful
- renew, reinstall and test the certificate each year