(Updated February 2021) Until about 2014, I had never had any websites hacked; however, hacking…
Unfortunately, this is not a simple question to answer, so grab a coffee and let’s get explaining.
To some extent there is an element of “scaremongering” around this issue at present, intended to get more people to adopt https. Take-up has been quite slow to date because it involves some extra work and additional cost, and it could potentially have an impact on your current search rankings.
This is what I mean by “not secure” being displayed (Chrome browser example shown). Other browsers show something similar, but not necessarily identical, as they are following Google Chrome’s lead.
Just to clarify: if a site uses http, your browser generally does not display the complete URL, but the full URL in the image above is actually https://www.scalarenterprises.co.uk/contact/. The http part is what we are concerned with.
If you look at a site that uses https, it would look like this:
In the years since the Internet was created, most websites have used the http protocol, and https has been reserved for sites with web forms handling sensitive data such as passwords or credit card details, or for payment gateways like PayPal.
The additional “s” stands for “secure”, and this version has the advantage of encrypting data in transit between the user’s browser and the server. With http, this data is sent unencrypted and so could potentially be read, or even changed, by anyone with the know-how who “taps in” to the connection (known as a “man in the middle” attack).
Google are now on a mission to encourage all websites to use the https protocol in future, which in principle is a good thing.
If you click on the “i” symbol in the browser (see below), you can see more information about the page you are visiting.
At the beginning of 2017, Google started displaying “not secure” in the address box of their Chrome browser when a page contained a form that requested passwords or credit card details. Other browsers started to follow suit.
Google are progressively changing this, and the follow-up change was to display “Not secure” as soon as any form field is completed – as in the image below, where the name field was filled in.
The final step in due course will be to label all plain HTTP pages as “Not secure”, and in February 2018 Google announced that this will be introduced in Google Chrome from July 2018. Version 68 of the Chrome browser, due for release in July 2018, will display “Not secure” as illustrated below:
So what do you need to do?
In order to use https, you need to add an SSL certificate (SSL has actually been superseded by TLS, but let’s continue to say SSL for this article) to your server. This needs to be done correctly, so the simplest (and preferred) way is to get your hosting provider to supply the certificate and install it for you. You can purchase SSL certificates from other reputable providers, but quite often you will not be able, or allowed, to install one on the server yourself, so you would need to get your hosting company to do it anyway (and they may charge extra for this). Adding an SSL certificate will normally incur an additional annual cost on top of your hosting package.
Which type of SSL certificate do you need?
You first need to determine what kind of SSL certificate you need. There are three types of SSL certificate currently available:
- Domain Validated (DV SSL)
- Organization Validated (OV SSL)
- Extended Validation (EV SSL)
The encryption is generally the same for each type of certificate; what differs is the vetting and verification process needed to obtain it.
Domain Validated (DV SSL) certificates
The cheapest and most basic option is the DV SSL certificate. In this case, the Certificate Authority (CA) only checks the applicant’s right to use a specific domain name. No company identity information is vetted, and nothing other than the encryption information is displayed within the Secure Site Seal. These are generally issued almost straight away (typically within 24 hours).
DV certificates are considered a suitable solution for simple websites like blogs and personal sites. You should NOT use a DV SSL certificate for eCommerce or other applications that require a higher level of trust.
The browser address bar with this type of certificate installed looks like this (in the Chrome browser – other browsers will look similar):
Organization Validated (OV SSL) certificates
The mid-priced option is the OV SSL certificate. For this, the Certificate Authority (CA) checks the applicant’s right to use a specific domain name and also conducts some vetting of the organization. The additional vetted company information is displayed to customers when they click on the Secure Site Seal, giving enhanced visibility of who is responsible for the site and hence enhanced trust. This type of certificate generally takes a day or two to issue.
OV SSL is the recommended way to secure a business or company website, a forum, or any other website with a login page that does not transfer payment data. Sensitive information such as customers’ usernames and passwords will then be transferred with end-to-end encryption between the browser and the server. Having the organisation’s validation on the certificate also ensures that the domain belongs to your company and not to a third party.
The browser address bar with this type of certificate installed looks the same as for the DV SSL:
Extended Validation (EV SSL) certificates
With an EV SSL certificate, the Certificate Authority (CA) checks the applicant’s right to use a specific domain name and also conducts a thorough vetting of the organization. This is the most expensive option and takes some time to process (e.g. a week or more).
If you have an eCommerce website, it is recommended that you use an EV certificate. Only the extended verification process can guarantee the real origin of a website and the safety of data such as customer information, credit card numbers and other payment details.
With the EV SSL certificate, the browser address bar displays your company name as well:
Below are some examples of the additional information you can see with these secure connections when you click on the padlock icon (Chrome browser shown).
You can view the certificate details by clicking on the “Valid” link under “Certificate”:
A warranty is generally included with an SSL certificate to cover the unlikely event that a certificate is issued incorrectly and results in harm to the end user. You should be wary of certificates without warranties, as this could indicate that the provider is not confident in the certificates they are selling.
Each type of certificate from each provider typically comes with a different warranty level; the warranty value increases with the type.
How many SSL certificates do you need?
If you have more than one website, you will generally need a separate SSL certificate for each domain name. If you have websites configured on sub-domains of the main domain name, you can make use of a “wildcard” certificate, which works like a certificate for *.yourdomain.co.uk and covers all of its sub-domains, at a higher price.
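As an added example (not code from the article, nor any CA’s or browser’s own tooling), the Python below takes a certificate in the dictionary layout that Python’s ssl.SSLSocket.getpeercert() returns, judges from its subject fields whether it is DV, OV or EV as described in the sections above, and checks which host names a wildcard certificate actually covers. The three certificates and the organisation name “Example Ltd” are constructed samples, and the DV/OV/EV classification is a heuristic based on subject fields rather than the CA’s policy identifiers.

```python
# Added example, not code from the original article: classify a certificate
# dict in the layout Python's ssl.SSLSocket.getpeercert() returns, and check
# which host names it covers using the wildcard rule browsers apply. CA/Browser
# Forum EV guidelines require the subject attributes below; DV certificates
# carry no organisation identity at all. This is a subject-field heuristic:
# the definitive EV signal is the CA's policy OID, which getpeercert() omits.
EV_ONLY_ATTRS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_attrs(cert):
    """Flatten getpeercert()'s ((('k', 'v'),), ...) subject into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"  # only the right to use the domain name was checked
    if any(attr in attrs for attr in EV_ONLY_ATTRS):
        return "EV"  # vetted organisation plus company registration details
    return "OV"      # vetted organisation, no EV registration details

def hostname_matches(pattern, hostname):
    """RFC 6125 style: '*' only as the whole left-most label, one label deep."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # *.yourdomain.co.uk covers www.yourdomain.co.uk but not the bare
    # yourdomain.co.uk nor a.b.yourdomain.co.uk; public-suffix wildcards
    # such as *.co.uk are refused by browsers and are not handled here.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def hostname_covered(cert, hostname):
    """Browsers match subjectAltName DNS entries only; the CN is ignored."""
    names = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(name, hostname) for name in names)

def hosts_needing_another_cert(cert, hostnames):
    """Of the sites you run, those this one certificate does not cover."""
    return [h for h in hostnames if not hostname_covered(cert, h)]

# Constructed sample certificates (the organisation name is made up).
DV_CERT = {"subject": ((("commonName", "www.yourdomain.co.uk"),),),
           "subjectAltName": (("DNS", "www.yourdomain.co.uk"), ("DNS", "yourdomain.co.uk"))}
OV_WILDCARD_CERT = {"subject": ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                                (("commonName", "*.yourdomain.co.uk"),)),
                    "subjectAltName": (("DNS", "*.yourdomain.co.uk"), ("DNS", "yourdomain.co.uk"))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),), (("serialNumber", "01234567"),),
                       (("jurisdictionCountryName", "GB"),), (("organizationName", "Example Ltd"),),
                       (("commonName", "shop.yourdomain.co.uk"),)),
           "subjectAltName": (("DNS", "shop.yourdomain.co.uk"),)}
```

Running hosts_needing_another_cert(OV_WILDCARD_CERT, [...]) over your list of sites shows which ones the wildcard certificate leaves out, such as a second domain name or a sub-sub-domain.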
The next step
Don’t do anything yet!
The above is just the first step: now you have to add the certificate to your website and do all the related work to make it function correctly. If this is not done correctly it can cause a lot of problems, but we will leave that for another day.