Imagine if people trying to visit your website got an alert saying that your website is not secure. Do you think it would deter them? Hell, yes it would! That’s what’s going to start happening in July on websites that have HTTP when people visit using the latest version of Chrome browser (Chrome 68) visit.
Chrome is the most popular browser used worldwide with about 50% penetration. So if your site doesn’t have encryption with an SSL/TLS certificate and HTTPS set up this affects you.
HTTPS stands for Hypertext Transfer Protocol Secure and works as a layer of security between the client (visitor) and the site when a connection is established. Data that usually moves from the site to the client and vice versa in plain text is encrypted securely by the browser when a TLS certificate is in place. That means eavesdroppers won’t be able to read important information from your users, like passwords and credit card numbers, in plain text.
Up until now this alert only appeared on form pages (i.e. contact forms) but moving forward it’s going to show up on all pages that aren’t secured.
What to expect for non HTTPS sites? In July you can expect to see a drop in traffic to your site, conversions will likely fall too. You may also see a drop in your page rank – where you show up in Google search. Google started lowering the rank of non encrypted sites three years ago.
What Should You Do
First check to make sure you don’t already have HTTPS set up.
Then decide on an SSL certificate. They vary in prices from free to the most expensive we’ve seen which was over one hundred dollars. There is a newer free way to get TLS certificates through an initiative called Let’s Encrypt. Certificates created this way expire every three months, but most hosts have an automated solution to renew the certificate before it expires, so you don’t have to do anything once it’s set up.
More expensive purchased certificates often come with additional insurance for online transactions, which might be desired if you are running an online store. Purchased certificates expire less frequently than free ones provided by Let’s Encrypt, lasting as long as 3 years.
Once you’ve made the switch, there’s still a little work to do if you use Google Analytics or AdWords. You can find out more about that on our previous post about website security.
WordPress websites also need to be updated to ensure your pages don’t show up with a “mixed content” warning, which means that some materials (often images) are being embedded on the page using an unencrypted connection (i.e. https:// instead of https://, note the s).
If you need us to do this for you, please don’t hesitate to reach out.