A Security May Be The Biggest Change In The Web Since Responsive Design
On January 17, 2017 the way you do business on the web may be taking a whole new course...and there are very few people talking about it.
Update (1/20/17): According to Google, the Chrome 56 browser has been delayed until approximately January 31st, 2017.
On that date, if you run a website that has a password field or accepts credit cards and you don't have an SSL Security Encryption Certificate, your customers (that use Google Chrome) will be alerted in their address bar (URL) that your site is "Not secure."
So if you don't use encryption, should you panic and do something drastic? Well, thankfully Google is taking a slow and steady approach to implementing their security strategy.
Step One - A Subtle Alert
Right now, you probably have noticed the addition of the circle and "i" in your address bar when you use Google Chrome (if you're not using an SSL Certificate). If you click on that "i" you'll see a message that says "your connection to this site is not private" and it follows that up with a Details link that will state that the site is not secure. This has been around since this Summer (2016).
Step Two - A Written Alert
The next step will be the "Not secure" message on Google Chrome in January. If your site displays a green lockbox, then you're safely using SSL Encryption through an HTTPS address. However, if you see that "i" on your site, it's possible you are not yet using SSL, although you may have specific pages like a shopping area that are protected.
At this point, it has been said that the "Not secure" notice will only show on pages that specifically have the form fields on them, not on the whole website. This is good for those that are unaware of this change in Google's security consciousness. But in the not too distant future, not using SSL or only partially using it won't be good enough for Chrome.
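The page-level rule described above can be checked across your own site before customers see the notice. The following is an added example, not code from Google or from this article: it flags pages served over plain HTTP that contain a password field or a credit card field. The `shop.example` pages are constructed sample input, and recognising card fields by the standard `autocomplete="cc-*"` tokens is an assumption; Chrome's own field detection may differ.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: card inputs carry a standard autocomplete token such as
# cc-number, cc-exp or cc-csc. Chrome's own heuristics may differ.
CARD_PREFIX = "cc-"


class SensitiveFieldFinder(HTMLParser):
    """Collects (kind, field name) for password and card inputs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        name = a.get("name") or a.get("id") or "(unnamed)"
        tokens = a.get("autocomplete", "").lower().split()
        if a.get("type", "").lower() == "password":
            self.findings.append(("password", name))
        elif any(t.startswith(CARD_PREFIX) for t in tokens):
            self.findings.append(("credit-card", name))


def audit_page(url, html):
    """Return (flagged, findings); flagged means sensitive field on a non-HTTPS page."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    insecure = urlsplit(url).scheme.lower() != "https"
    return (insecure and bool(finder.findings)), finder.findings


def audit_site(pages):
    """pages maps URL -> HTML; returns the sorted URLs that would be flagged."""
    return sorted(u for u, h in pages.items() if audit_page(u, h)[0])


# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "http://shop.example/login": '<form><input name="user"><input type="PASSWORD" name="pwd"></form>',
    "http://shop.example/checkout": '<form><input name="card" autocomplete="cc-number"/></form>',
    "http://shop.example/about": '<p>About us</p><input type="search" name="q">',
    "https://shop.example/account": '<input type="password" name="pwd">',
}
```

Feed it the saved HTML of each page from a crawl of your site; a CMS administrator login page served over HTTP is flagged the same way as a customer login.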
But if this is just for Google Chrome, will it have a big impact? Well according to SitePoint, Google Chrome makes up over half of the browsers used to navigate the web, so chances are good some of your customers will sense a ding in your reputation due to the "Not secure" notice.
Step Three - A Visual Warning
According to Emily Schechter of the Google Security Team, the next step will be to take any website, not just a web page, that isn't using SSL and place a much more prominent alert in the address bar.
This is when customers will know 100% if your site is defaulting to using HTTPS or not. The red triangle will make it obvious. And even if you don't take in sensitive information on your site, this may create a negative impression on your company.
And I have to say, I appreciate this step. For years, site owners and web developers have taken a very "I'll think about that when I have to" approach to security. The scary part is that most of us are using some kind of content management system like WordPress or Joomla! and we haven't been encrypting our administrator password fields (just sending our passwords wild and free across the Internet). Anyone that administers a CMS should have an SSL Encryption Certificate to protect their investment. Google's move at this phase is better for the web as a whole. Even WordPress is taking note with their recent announcement that in 2017, they will be looking at disabling certain features when SSL is not present.
Google's Slow Approach Gives You Time To Comply
Google's slow implementation of this security feature in Chrome shows that they are sensitive to the website owner's need for time to get their act together. But it also shows that security is taken seriously by Google. And while we haven't heard about non-HTTPS sites taking a further hit in search rankings, I wouldn't put that out of the realm of possibilities.
Hannush Web Managed Secure Hosting
At Hannush Web, 2017 will be "The Year of Security." We will be working with our clients and hosting partners to get 100% SSL Encryption adoption and to help implement further security measures like firewalls and server monitoring services to protect your website investment and your customers.
If you have questions about your website's security, give us a call at (864) 485-9327 and ask for Drew.