Is Your Website Scaring People?

Has anyone asked you yet why your website is “not secure”?

If your website has not been encrypted, it won’t be long before you’re trying to explain that to people who visit your church’s website.

The reason: Web browsers (Google, Chrome, et al.) have started posted warnings about all websites that do not load with a secure (encrypted) connection.

Here is what you need to know about website encryption:

For most of the time there has been an internet, nearly all website addresses have begun with “http://” and the browser address bar at the top of your screen displayed a tiny icon of a blank page, similar to the image shown here.

Banks, email service providers and corporations moving confidential data were the only companies that used “https://” (note the “s” — which signifies a secure encrypted connection to a web page). Web browsers displayed a padlock in the address bar to confirm an encrypted connection.

Google developers first proposed in late 2014 that ALL web pages should be encrypted. Since then, Google’s Chrome and other browsers (Firefox, Safari, etc.) have made changes that identify all non-encrypted websites as “not secure.”

The “info” icon in the browser bar now links to specific information in a drop-down menu, as shown below, and clearly identifies all http:// web pages with this (or a similar) warning in red: “Connection is Not Secure.”

A pop-out notice offers information that your site’s visitors may consider even more concerning. For example:

“Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards, etc.).”

 

Why are Google and other big companies pushing encrypted connections?

• Unencrypted websites are no longer considered secure enough. “The rationale is that on every website served over HTTP the data exchanged between the site’s server and the user is in the clear, meaning anyone with the ability to snoop on the connection, be it a hacker at a coffee shop or a repressive government, could steal passwords, private messages, or other sensitive information,” Motherboard explains.

• An encrypted connection is now needed to protect your visitors AND your website. “But HTTPS doesn’t just protect user data, it also ensures that the user is really connecting to the right site and not an imposter one. This is important because setting up a fake version of a website users normally trust is a favorite tactic of hackers and malicious actors. HTTPS also ensures that a malicious third party can’t hijack the connection and insert malware or censor information,” Motherboard reports.

• It’s easier than ever to hack any website. “Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots,” according to Snopes.com. “But a free program called Firesheep has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.”

For these and many other reasons, Mozilla (developers of the Firefox web browser) and Apple are now on Google’s https bandwagon, moving toward https encryption for every web page, with warnings attached to all pages that are not encrypted.

For churches considering a change to an encrypted website, here are a few FAQs:

What do we really get if we encrypt our website?

1. Safety, security and peace of mind for everyone who visits your website (including you and/or everyone who maintains it).
2. Reputation protection. Your encrypted website reassures web visitors that you are a responsible website owner who cares about their privacy and security.
3. Another level of security that can make it more difficult for hackers to compromise your website.
   

But how likely is it that anyone is trying to compromise our website or steal information belonging to our visitors?

Very likely. Here is a screen shot showing thousands of attempts to compromise church websites in one small network of Unity church websites.

Most hacking attempts (8,852) originated in China. There also were 6,121 attacks from France, 5,005 from Germany, etc.

This report covers just one small network, for just 7 days.

Our website directs visitors to secure connections for donations and email newsletter sign-up, and we don’t sell anything, so we really don’t need this, correct?

Google and other search providers have decided that you do. That’s why they’re warning your website’s visitors that their connection to your site is not secure.

And it’s likely that your web visitors will notice.

“Onliners are more sophisticated than they used to be – and more informed. They now know to look for the telltale signs that a website is secured,” according to GoDaddy in a blog post titled ‘Do you need SSL encryption if you don’t sell anything on your website? Short answer: Yes.’

“Having an SSL certificate installed on your website not only encrypts your customer’s data transmission on your site, your SSL certificate also confirms you are the legitimate and verified owner of your website.

“With identity fraud now a realistic concern, installing an SSL certificate reflects that protecting your site visitors’ and customers’ data transfer is important to you.”