During 2014, Google announced on its Chromium Projects website that:
"We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015."
The goal of this proposal is to more clearly display to users that HTTP provides no data security.
To me, this signals the end of the line for non-secure HTTP websites. In my view, Google will lead the way and start displaying browser warning messages during web page sessions that interrupt the flow of a visitor. Potentially, users could be driven from a site out of fear of security issues. In addition, Google and other search engines could penalize what they see as non-secure sites and drop them down the search results pages. If Google initiates this move, the other main browser providers such as Microsoft Internet Explorer and Edge, Apple Safari, Mozilla Firefox and others will be forced to follow.
What You Need To Do To Prepare
First you need to understand the problem with the HTTP protocol. The main problem is that all data (including sensitive information such as usernames, passwords and credit card details) is sent over the Internet, between the web server and the web page in the visitor's browser, as plain text. This means that a malicious party who could gain from such information can intercept it in transit and use it to commit fraud and profit from it.
In short you need to implement HTTPS on all website properties you own.
What is HTTPS?
HTTPS is a secure protocol for communications over the Internet (between web servers and web pages) that encrypts traffic in both directions so that the content of a communication cannot be intercepted and read by malicious third parties. The encryption is provided by TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer). Currently TLS is the recommended protocol to use.
Site Hosting SSL or TLS?
Many website hosting companies are currently in transition. In past years the majority would have implemented SSL on their servers; however, it will soon be a requirement of the Payment Card Industry (PCI) Data Security Standard that by June 2016 the encryption method used must be TLS. Therefore, all of the quality web hosting companies are switching to the TLS encryption method. If you are unsure which method is used on your website (SSL or TLS) you should contact your web hosting company.
How to Implement TLS Encryption
First of all, as mentioned above, you must check with your hosting provider to ensure they offer TLS encryption. Also bear in mind your hosting provider might be in transition and have both systems running on different servers. So make sure your website is on a server that uses TLS.
Then you must purchase an SSL certificate and have it loaded on the web server and associated with your domain name.
There are three levels of domain validation that need to be considered when selecting an SSL certificate:
- Standard - Domain Validated (DV) SSL Certificates: provide the lowest level of validation available from commercial certificate authorities.
- Premium - Organization Validation (OV) SSL Certificates: OV certificates include full business and company validation from a certificate authority using currently established and accepted manual vetting processes.
- Extra Validation - Extended Validation (EV) SSL Certificates: provide the highest levels of encryption, security and trust to your customers, and improve conversion rates. EV certificates reassure visitors that it is safe to conduct digital transactions on a website by turning the address bar green on popular browsers.
I would recommend EV certificates in almost every case.
What You Need to Do On Your Website
Depending on the method used to build your website, certain activities will need to be carried out to make your website SSL/TLS compliant. This needs to be taken up with your web development company.
How to Test Your Website For Compliance
For an initial test there are many free online testing tools available such as High-Tech Bridge. Using a tool like this is fine for a quick test, but for absolute certainty, a proper test carried out by a certified PCI accredited partner should be done. Once compliance has been established, regular periodic tests should be carried out to ensure ongoing compliance.
Other Things You Need to Know
I mentioned in the opening of this article that search engines may penalize sites that are deemed non-secure. To help protect search engine positions the following list needs to be checked and implemented on your website:
- Implement the HTTP Strict Transport Security (HSTS) response header
- Canonical tags should point to HTTPS
- Hard coded links need to be checked and repointed to HTTPS
- Set 301 redirects from HTTP to HTTPS
- Update sitemaps to use HTTPS and resubmit to Google and Bing Webmaster Tools
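The checklist above can be verified against a site's own responses. The following is an added example written for this article, not code from the original post: it takes a captured HTTP response (status and Location header), the HTTPS page's headers and HTML, and reports on the redirect, HSTS header, canonical tag and hard-coded http:// links. The sample responses are constructed, and the one-year minimum HSTS max-age is an assumed threshold.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses for a hypothetical site (not real captures).
SITE_URL = "http://www.example.com/"
HTTP_REDIRECT = (301, "https://www.example.com/")          # status, Location header
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HTTPS_HTML = ('<html><head><link rel="canonical" href="https://www.example.com/">'
              '</head><body><a href="https://www.example.com/shop">Shop</a>'
              '<img src="http://www.example.com/logo.png"></body></html>')

def check_redirect(status, location, original_url):
    """HTTP must answer with a permanent (301) redirect to the same host over https."""
    if status != 301 or not location:
        return False
    orig, dest = urlparse(original_url), urlparse(location)
    return dest.scheme == "https" and dest.netloc == orig.netloc

def check_hsts(headers, min_age=31536000):
    """HSTS header present with a max-age of at least one year (assumed threshold)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return match is not None and int(match.group(1)) >= min_age

def check_canonical(html):
    """The canonical <link> tag must point at an https:// URL."""
    for tag in re.findall(r"<link\b[^>]*>", html, re.IGNORECASE):
        if re.search(r'rel="canonical"', tag, re.IGNORECASE):
            href = re.search(r'href="([^"]+)"', tag, re.IGNORECASE)
            return href is not None and href.group(1).lower().startswith("https://")
    return False

def find_insecure_links(html):
    """Hard-coded http:// links and resources that still need repointing to HTTPS."""
    return re.findall(r'(?:href|src)="(http://[^"]+)"', html, re.IGNORECASE)

def audit(url=SITE_URL, redirect=HTTP_REDIRECT, headers=HTTPS_HEADERS, html=HTTPS_HTML):
    """Run the checklist; every boolean should be True and insecure_links empty."""
    return {
        "redirect_301_to_https": check_redirect(redirect[0], redirect[1], url),
        "hsts_header": check_hsts(headers),
        "canonical_https": check_canonical(html),
        "insecure_links": find_insecure_links(html),
    }
```

On the constructed sample every check passes except the hard-coded logo image, which the report lists for repointing.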
I do believe that implementing TLS is an absolute must for every web property owner. Take action now before your online performance suffers due to security fears!