catRootSlug: articles-guides
catArray: articles-guidesseowebsite-managementdesign

Website "Not Secure"? What is HTTPS? Do I Need an SSL Certificate?


Website

If you're reading this it's likely that you've noticed a change in how your (and other) website urls are being displayed in your browser address bar.

Perhaps you've seen sites displayed thus:

undefined

...and you're wondering why your site appears like this instead:

undefined

The Skinny?

Google wants you to install an SSL certificate for your website and they're going to penalise you if you don't. To be clear, an SSL certificate isn't about protecting your website - it is for the safety and benefit of those browsing your website. It's the way of the future.

Contact us for SSL certificate pricing and installation. Our CMS subscription plans now all include a free SSL certificate.

The Long Answer

An SSL certificate a necessary part of enabling HTTPS for your website. HTTPS isn't new - it's been around since 1994 - and the first SSL certificates were issued shortly thereafter.

But we're getting ahead of ourselves.

What is HTTP and HTTPS?

HTTP stands for Hypertext Transfer Protocol. It is a communication system (set of rules) governing the transfer of information between a user's device and a website. Up until relatively recently HTTP was accepted as standard for websites that didn't facilitate the collection of sensitive data, e.g. payment details.

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It provides a secure connection between a user's device and a website and encrypts all information transferred between them.

Toward a More Secure Web

Since 2014 Google has been gradually bringing its will to bear on all website owners worldwide to "encourage" them to use HTTPS. Initially, websites served over HTTPS were given a small Google Search ranking advantage.

In late 2016, Google began to take a more overt approach. Chrome (Google's browser) began marking individual pages collecting sensitive information over HTTP with an information symbol (ⓘ). In early 2017, Google added the message "Not Secure".

Over the course of 2017, Google expanded the subset of targeted pages until all sites using HTTP were marked with the information symbol:

undefined

Other internet browsers followed suit.

In July 2018, the "Not Secure" message was added to all sites using HTTP:

undefined

Eventually, Google Chrome will mark all sites served over HTTP with a red triangle exclamation symbol and the words "Not Secure":

undefined

Google's Treatment of HTTPS Pages

Initially, Google seemed to be offering a choice of carrot or stick. While HTTP website have been penalised with an increasingly alarming message, sites served over HTTPS have been treated with a green padlock symbol, "Secure" message and highlighted https:

undefined

However, Google's goal has been to make HTTPS the new standard and it has been largely successful in doing so. As such, it Chrome will be gradually removing security indicators.

The green highlight, "Secure" and https will be removed in September, 2018:

undefined

...followed by the removal of the padlock symbol altogether:

undefined

So, Do I Need an SSL Certificate or Not?

It depends.

If you're selling products online - probably. If your website collects credit card information directly (i.e. users are not sent to a third party provider like Payment Express, PayPal, Stripe, etc to make the payment) then you definitely need an SSL certificate. Be aware that SSL certificates are domain-specific and depending on how your website is set up, your payment page may already be using HTTPS.

If your website offers membership accounts - probably. Your users will be entering (at very least) their name, email address and password, and you should consider it likely that some may have recycled a password they have used elsewhere. (We've all done it.) It's important that this information is secured via HTTPS.

If your website visitors submit personal information via forms - perhaps. Is the data sensitive? If it's just a simple contact form (name and email address), maybe not. The more information collected the more sensitive it becomes. Phone number, date of birth, etc; it starts to build up a bit of profile.

If your website is simply an online brochure or blog - probably (technically) not. No sensitive information is being exchanged. There is very little risk to your users. That aside, the question then becomes: are you ok with Google Chrome (and other browsers) marking your website as "Not Secure"? If you're not, then installing an SSL certificate is the way to go. You'll be adhering to internet best practice and your users will be (and feel) secure.

Want your website to be secure for your users? Contact us for SSL certificate pricing and installation. Our CMS subscription plans now all include a free SSL certificate.

Tags: google, http, https, security, ssl certificate