Has anyone asked you yet why your website is “not secure”? If not, you’ll probably get that question before long.
The reason: Google has changed the way websites are displayed in Chrome, and other companies are following Google’s lead.
Here is a simple explanation of a technical issue:
For most of the internet’s history, nearly all website addresses began with “http://”, and the browser address bar at the top of your screen displayed a tiny icon of a blank page, similar to the image shown here.
Banks, email service providers and corporations moving confidential data were the only companies that used “https://” (note the “s” — which signifies an encrypted connection to a web page). Web browsers displayed a padlock in the address bar to confirm an encrypted connection.
Google developers first proposed in late 2014 that ALL web pages should be encrypted. Since then, Google’s Chrome and other browsers (Firefox, Safari, etc.) have made changes that identify all non-encrypted websites as “not secure.”
The “info” icon in the browser bar now links to specific information in a drop-down menu, as shown below, and clearly identifies all http:// web pages with this (or a similar) warning in red: “Connection is Not Secure.”
A pop-out notice offers information that your site’s visitors may consider even more concerning:
“Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.).”
If your website is not secured with an https connection, here is an example of what your web visitors now see:
Why is Google pushing encrypted connections?
• Unencrypted websites are no longer considered secure enough. “The rationale is that on every website served over HTTP the data exchanged between the site’s server and the user is in the clear, meaning anyone with the ability to snoop on the connection, be it a hacker at a coffee shop or a repressive government, could steal passwords, private messages, or other sensitive information,” Motherboard explains.
• An encrypted connection is now needed to protect your visitors AND your website. “But HTTPS doesn’t just protect user data, it also ensures that the user is really connecting to the right site and not an imposter one. This is important because setting up a fake version of a website users normally trust is a favorite tactic of hackers and malicious actors. HTTPS also ensures that a malicious third party can’t hijack the connection and insert malware or censor information,” Motherboard reports.
• It’s easier than ever to spy on visitors to an unencrypted website. “Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots,” according to Snopes.com. “But a free program called Firesheep has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.”
For these and many other reasons, Mozilla (developers of the Firefox web browser) and Apple are now on Google’s https bandwagon, moving toward https encryption for every web page, with warnings attached to all pages that are not encrypted.
For churches considering a change to an encrypted website, here are a few FAQs:
What do we really get if we encrypt our website?
Safety, security and peace of mind for everyone who visits your website (including you and/or everyone who maintains it). An encrypted website provides a secure connection between your website and each visitor, making it much more difficult for hackers to steal information such as email addresses and passwords.
You’re also protecting your online reputation. Google, Mozilla and other browser makers are now displaying non-encrypted websites with warnings that tell your website’s visitors that their credit card information and passwords can be stolen because their connection to your website is not secure. They see these warnings even if they are not entering credit card information or passwords on your website.
But how likely is it that anyone is trying to compromise our website or steal information belonging to our visitors?
Very likely. Here is a screen shot showing thousands of attempts to compromise church websites in one small network. Most hacking attempts (8,852) originated in China. There also were 6,121 attacks from France, 5,005 from Germany, etc. This report is for just one small network, for just 7 days.
Our website directs visitors to secure connections for donations and email newsletter sign-up, and we don’t sell anything, so we really don’t need this, correct?
Google and other browser makers have decided that you do, so their browsers warn your website’s visitors that their connection to your site is not secure.
“Onliners are more sophisticated than they used to be – and more informed. They now know to look for the telltale signs that a website is secured,” according to GoDaddy in a blog post titled ‘Do you need SSL encryption if you don’t sell anything on your website? Short answer: Yes.’
“Having an SSL certificate installed on your website not only encrypts your customer’s data transmission on your site, your SSL certificate also confirms you are the legitimate and verified owner of your website.
“With identity fraud now a realistic concern, installing an SSL certificate reflects that protecting your site visitors’ and customers’ data transfer is important to you.”
“Earn trust, earn trust, earn trust. Then you can worry about the rest.” ~ Seth Godin
If we don’t have this in our budget, how can we pay for it?
All of our clients have access to six months of interest-free financing through PayPal Credit.
What else do we need to know?
Websites that do not yet have Google Analytics installed will have it installed free as part of the migration/encryption process. Installation and a year of monthly reports usually cost $149, so this is a nice freebie we are offering. Analytics provides reports on your website’s traffic, including number of visitors, referring websites, most-visited pages, and more.
Websites with older designs can be upgraded at the same time, also for half price. See one of the newest designs here: http://unityofvero.org.
How do we get https for our website?
By adding a security certificate to your website, we can meet Google’s requirements for an https (encrypted) connection, and all browsers will display a green padlock and a “secure connection” notice on all pages of your website.
If you would like an estimate for a site with encrypted pages, please contact us.
P.S. For those who want to delve into more technical information about this issue, read the following articles, or just search Google for “What is https and why does it matter?”
- Do you need SSL encryption if you don’t sell anything on your website? Short answer: Yes
- Do I Need An SSL Certificate For My Website?
- HTTPS (Wikipedia article)
- Google Will Soon Shame All Websites That Are Unencrypted
- Does HTTPS matter? Yes. Here’s Why.
- HTTP vs. HTTPS for SEO: What You Need to Know to Stay in Google’s Good Graces
- http vs. https (Snopes.com)
- How to Switch from HTTP to HTTPS
- Half the Web Is Now Encrypted. That Makes Everyone Safer