The War on Insecure Sites Continues: The Carrot AND the Sticks!

September 14, 2017 11:15 am


There are many business reasons to improve the security of your website, including better protection of consumer information, improved consumer trust, a preserved business reputation, and prevention of certain hacking attempts (e.g. man-in-the-middle attacks). And there are now a few more.

THE CARROT

Three years ago, Google announced a “carrot” for website owners who implemented HTTPS (a more secure version of HTTP): a search engine ranking boost. Whilst this boost was considered to be small (possibly just an advantage over sites without HTTPS), the inclusion of this signal in Google’s ranking algorithm was intended to reward website owners and encourage them to address the generally relaxed security measures on the web.

It has been widely anticipated in the industry that the importance of this “boost” will increase as the number of sites implementing this security reaches a critical mass and Google provides greater impetus to do so. Even as it stands, it is thought that this ranking signal plays a part (albeit a small one) in the site credibility/validation metrics that are used to determine search engine ranking.

THE STICK

Browser software makers are going to new lengths to warn users about pages that are potentially vulnerable to hacking.

In particular, in January of this year, both Google and Mozilla announced that their browsers (Chrome and Firefox, respectively) would start warning users when websites use insecure HTTP logins (i.e. not HTTPS). So, currently, a “Not Secure” warning appears on any website page that offers a login form over an HTTP connection rather than HTTPS.

THE BIGGER STICK (and more to come)

Google has now taken this a step further, announcing, and sending a notice through the Google Search Console (formerly Webmaster Tools) to website owners, that from October 2017 the Chrome browser will show a “Not Secure” warning when users enter text into ANY form on a page served over HTTP, and on every HTTP page when in Incognito mode. The “Not Secure” message indicates that data is being exchanged over an unencrypted connection.

Whilst at the moment Chrome will only apply this warning to pages with forms, this is seen as a further phase of Google’s long-term plan to mark all pages served over HTTP as ‘Not Secure’. As Google states, these warnings are meant to encourage website owners to make their websites more secure by using HTTPS pages instead of HTTP:

“We encourage you to adopt HTTPS in order to protect your users’ connection to your website, regardless of the content on the site.”

In other words, assuming your site has at least a contact form, you will need to implement HTTPS to prevent the “Not Secure” warning appearing when Chrome users visit your site and potentially discouraging them from interacting with your business online.
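The quickest way to know whether your own pages will be affected is to look at them the way the browser does: is the page served over HTTP, and does it contain a form a visitor can type into? The following Python script is an added example (not code from the original post or from Quisk) that audits a page’s HTML for exactly that. The page URLs, the sample HTML and the names `FormCollector`, `audit_forms` and `NON_TEXT_TYPES` are all constructed here for illustration. It also flags forms that post to an http:// address from an HTTPS page, which goes beyond the October 2017 rule but is the same unencrypted-data problem.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field types a user cannot type into; forms made only of these are not
# what the "enter text into ANY form" rule is about.
NON_TEXT_TYPES = {"hidden", "submit", "button", "image", "reset", "checkbox", "radio"}


class FormCollector(HTMLParser):
    """Collects each <form> on a page together with its action and its field types."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif self._current is not None and tag in ("input", "textarea", "select"):
            field_type = (attrs.get("type") or "text").lower() if tag == "input" else tag
            self._current["fields"].append(field_type)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that would be shown as 'Not Secure' or that
    submits its data over plain HTTP. page_url is the URL the HTML was served from."""
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        typeable = [f for f in form["fields"] if f not in NON_TEXT_TYPES]
        if not typeable:
            continue  # nothing to type into, so the warning does not apply
        # An empty action means the form posts back to the page itself.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        reasons = []
        if page_scheme == "http":
            reasons.append("page served over HTTP: typing into this form triggers 'Not Secure'")
        if urlsplit(target).scheme.lower() == "http":
            reasons.append("form submits to %s over plain HTTP, so the data travels unencrypted" % target)
        if reasons:
            findings.append({"action": target, "fields": typeable, "reasons": reasons})
    return findings


# Constructed sample page: a contact form, a legacy search form that posts to
# an HTTP endpoint, a newsletter form posting to HTTPS and a hidden-only form.
SAMPLE_HTML = """
<form action="/contact"><input type="text" name="name"><textarea name="msg"></textarea><input type="submit"></form>
<form action="http://legacy.example.com/search"><input type="search" name="q"></form>
<form action="https://example.com/newsletter"><input type="email" name="e"></form>
<form><input type="hidden" name="csrf" value="x"><input type="submit"></form>
"""

if __name__ == "__main__":
    for url in ("http://example.com/contact", "https://example.com/contact"):
        print(url)
        for finding in audit_forms(url, SAMPLE_HTML):
            print("  ", finding["action"], "->", "; ".join(finding["reasons"]))
```

Run against the HTTP version of the sample page, all three typeable forms are reported; once the same page is served over HTTPS, only the legacy search form that still posts to an http:// endpoint remains, which is the kind of leftover a migration to HTTPS needs to catch.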

WHAT IS HTTPS?

HTTPS stands for HyperText Transfer Protocol Secure. It is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and your website; simply put, it is a more secure version of HTTP.

Data sent using HTTPS is secured by the Transport Layer Security (TLS) protocol, which provides three key layers of protection:

1. Encryption

Encrypts the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing your website, nobody can “listen” to their conversations, track their activities across multiple pages, or steal their information.

2. Data integrity

Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.

3. Authentication

Proves that your users communicate with the intended website. It protects against “man-in-the-middle” attacks, builds user trust, and translates into other business benefits.

It is also recommended that HTTPS sites support HTTP Strict Transport Security (HSTS), which lets a web server declare that browsers should only interact with your site over HTTPS. Even if the user types http into the browser location bar, HSTS tells the browser to request the HTTPS page automatically. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.
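To make the HSTS recommendation concrete, here is an added Python example (not code from the original post or from Quisk) that parses a Strict-Transport-Security header the way RFC 6797 describes it and checks it against the requirements the hstspreload.org submission form applies: a max-age of at least one year, includeSubDomains and preload. The response headers are constructed samples, and the names `ONE_YEAR`, `parse_hsts` and `evaluate_hsts` are my own. Note that the preload list also requires that the site redirects HTTP to HTTPS, which cannot be judged from the header alone.

```python
ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the Chrome preload list


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security field value into {directive: value}.

    RFC 6797 syntax: directives separated by ';', names are case-insensitive,
    values are optional and may be quoted, and no directive may appear twice."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive %r makes the header invalid" % name)
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(response_headers, served_over_https=True):
    """Check a dict of response headers for a usable, preload-ready HSTS policy.

    Returns a dict with the parsed settings, a list of problems and a
    preload_ready flag. served_over_https records how the response was
    fetched: browsers ignore HSTS sent over plain HTTP (RFC 6797 section 8.1)."""
    value = None
    for name, v in response_headers.items():
        if name.lower() == "strict-transport-security":
            value = v
    result = {"present": value is not None, "max_age": None, "include_subdomains": False,
              "preload": False, "problems": [], "preload_ready": False}
    if value is None:
        result["problems"].append("no Strict-Transport-Security header")
        return result
    if not served_over_https:
        result["problems"].append("header sent over HTTP is ignored by browsers")
    try:
        directives = parse_hsts(value)
    except ValueError as err:
        result["problems"].append(str(err))
        return result

    raw_max_age = directives.get("max-age")
    if raw_max_age is None or not raw_max_age.isdigit():
        result["problems"].append("max-age missing or not a non-negative integer: header is invalid")
    else:
        result["max_age"] = int(raw_max_age)
        if result["max_age"] == 0:
            result["problems"].append("max-age=0 tells browsers to forget the policy")
        elif result["max_age"] < ONE_YEAR:
            result["problems"].append("max-age %d is below one year (%d)" % (result["max_age"], ONE_YEAR))
    result["include_subdomains"] = "includesubdomains" in directives
    result["preload"] = "preload" in directives
    if not result["include_subdomains"]:
        result["problems"].append("includeSubDomains absent: subdomains remain reachable over HTTP")
    if not result["preload"]:
        result["problems"].append("preload token absent: site cannot be submitted to the preload list")
    result["preload_ready"] = not result["problems"]
    return result


if __name__ == "__main__":
    # Constructed responses: one strong policy and one that a server admin
    # might ship without thinking about the preload requirements.
    samples = (
        ("strong", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
        ("weak", {"strict-transport-security": "max-age=300"}),
    )
    for label, headers in samples:
        report = evaluate_hsts(headers)
        print(label, "preload_ready=%s" % report["preload_ready"], report["problems"])
```

A short max-age such as the “weak” sample is a common first step while a site is still being migrated (it limits the damage if some page turns out to be HTTPS-only-broken), but it should be raised to a year or more, with includeSubDomains, before the site is submitted for preloading.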

IMPLEMENTING HTTPS


As part of enabling HTTPS for your site and applying a best-practice implementation, you will need a suitable security certificate, a web server that supports HSTS and, possibly, changes to your website hosting.

There are also different levels and types of security certificates (and options within those), each suited to different business and website needs. Quisk can provide you with the required certificate and set it up for you in the recommended way.

Please call us today to start the process of needs analysis, requirement specification, implementation, and migration from HTTP to HTTPS.


Brett Wainscott
Senior Digital Analyst
