Google has set a precedent in website security by updating its Chrome browser to flag sites that are not using SSL. Customers using Google Chrome will see a ‘Not Secure’ message on your website. In this article, we’ll tell you how to stop Chrome doing this and what type of certificate you need for the website you are running.
What is SSL?
SSL is actually an outdated term; the current name is TLS. Unfortunately, everyone who runs websites is still more familiar with the term SSL. TLS is a protocol that allows you to encrypt connections using a TLS certificate. The certificate is a cryptographic key pair that has to be signed by your server as well as a trusted third party (known as a Certificate Authority). Web browsers trust this Certificate Authority when connecting to your website, which is how the green lock icon is displayed and the connection encrypted.
TLS servers also run on an alternative port, allowing you to run both non-TLS and TLS on the same server. You can use standard HTTP for non-encrypted connections and HTTPS for your encrypted ones with a signed certificate. HTTPS is the connection you want all of your users to be on, because it is the safest one.
Why do we have to use SSL?
Normally it’s not a requirement, but with Google’s changes to Chrome, it is slowly becoming one. Chrome now shows a warning to users who are logging in or making payments over HTTP. This is a good thing, because logins and payments should not happen over HTTP, which is not encrypted. If someone were on the same network (for example public Wi-Fi in a coffee shop or hotel), they could sniff traffic between your computer (or any other device) and the website in order to steal your login or payment details. HTTPS stops this by encrypting the connection.
Chrome now shows a warning to users that looks like this:
This warning appears alongside the address bar in the current version of Chrome on any login or payment page, alerting the user that the connection is not encrypted. Users at this point would most likely run away from your website as fast as they can, losing you a potential sale or future customer.
What about other browsers?
At present, other browsers aren’t showing this. However, if Chrome has started doing this, there is no reason why Firefox or Microsoft Edge won’t follow suit. They have followed in Chrome’s wake before for many different changes.
How do I set up an HTTPS connection?
To set up an HTTPS connection, you first need a certificate that has been signed by a Certificate Authority. This should be linked to the domain name that you want the connection to be on. There are different types of TLS certificate you can apply for, both free and paid, depending on what you need. Most sites will only need a free certificate.
What are the different kinds of certificate?
OK, let’s have a look at what different types you can get.
Let’s Encrypt Certificate
A Let’s Encrypt certificate is a FREE certificate for any website owner. It takes minutes to get one, and it must be renewed every 3 months (most hosts automate this so you don’t have to worry about it). Getting one is a complicated technical process that involves command-line tools.
However, if you’re on one of our Shared Hosting packages, you will find the Let’s Encrypt icon listed in your cPanel:
This icon automates all this for you. Just pick the domain linked to your cPanel account and click on ‘Issue’; you will then see a screen asking you to confirm by clicking ‘Issue’ again. This will automatically install a free-forever Let’s Encrypt certificate (signed by Let’s Encrypt and trusted by all browsers) onto your website. This will give you the green lock icon, and cPanel will automatically renew the certificate every 3 months for you.
The Let’s Encrypt certificate gives you a basic level of encryption and is generally not suited for payments. Let’s Encrypt is suitable for login forms and other form data.
Standard SSL (Domain Validation)
Domain Validation certificates also offer a basic level of encryption. This certificate is slightly better than Let’s Encrypt since it’s from a more trusted Certificate Authority and can be used for accepting payments. Domain Validation certificates provide the green lock as well.
You can order Domain Validation certificates from us here
Organisation Validation certificates are the next step up from Domain Validation. They provide a higher level of encryption and list your company details as a part of the certificate, adding to the trust for your customers. These certificates are ideal for business websites that customers log in to and are perfect for taking payments.
You can order Organisation Validation certificates from us here
Extended Validation certificates are the highest-tier certificates we offer. They show your company name alongside the green lock icon in the browser, affirming the trust to your customers. These certificates are mostly used by banks and financial institutions as they offer the highest level of encryption. You can use these on any website; however, they are ideal for e-commerce.
With your company name in the address bar, this will really let your customers know the extra security precautions you take to protect their information.
You can order Extended Validation certificates from us here
Wildcard SSL allows you to secure an unlimited number of subdomains on a single certificate. It’s a great solution for anyone who hosts or manages multiple sites or pages that exist on the same domain. The one-time cost of the certificate covers you for additional subdomains you may add in the future.
A standard SSL Certificate is issued to a single Fully Qualified Domain Name only, e.g. www.yourdomain.com, which means it can only be used to secure the exact domain to which it has been issued. A Wildcard SSL Certificate, by contrast, is issued to *.yourdomain.com, where the asterisk represents all possible subdomains.
Wildcard SSL is an option available for DV and OV SSL Certificates.
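How a browser decides whether a name on a certificate covers a hostname, as an added example (not part of the original article; the function names are hypothetical and the hostnames are constructed). It applies the matching rule browsers use, under which the asterisk stands for exactly one left-most label, so *.yourdomain.com on its own covers neither the bare domain nor a subdomain of a subdomain.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against the hostname being visited."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans dots, so both sides must have the same label count.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    # No wildcard (or a wildcard anywhere else): exact match only.
    return p_labels == h_labels


def coverage_report(cert_names, hostnames):
    """Map each hostname to True/False: is it covered by any certificate name?"""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


# Constructed sample data using the article's placeholder domain.
STANDARD_CERT = ["www.yourdomain.com"]
WILDCARD_CERT = ["*.yourdomain.com"]
SITES = [
    "www.yourdomain.com",
    "shop.yourdomain.com",
    "yourdomain.com",           # bare domain: not covered by the wildcard alone
    "api.shop.yourdomain.com",  # two levels deep: not covered either
]

if __name__ == "__main__":
    for label, names in (("standard", STANDARD_CERT), ("wildcard", WILDCARD_CERT)):
        for host, ok in coverage_report(names, SITES).items():
            print(f"{label:8} {host:26} {'covered' if ok else 'NOT covered'}")
```

If the bare domain must be secured as well, it has to appear on the certificate as an additional name next to the wildcard.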
How do I make sure my SSL setup is working properly?
You need to make sure that you see the green lock icon in the top left corner of your address bar. If you don’t see it, then some links on your website are not pointing to their SSL equivalents. If you are using WordPress, make sure you go to Settings -> General and set your WordPress and Home URLs to use https:// instead of http://.
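One way to find the links that are not pointing to their SSL equivalents, as an added example (not part of the original article; the function names and the sample page are constructed for illustration). It scans a page's HTML for resources and form targets that still use http://, which is what stops the lock icon from appearing, and ignores ordinary navigation links.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch or submit something as part of the page.
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "source": "src",
    "audio": "src", "video": "src", "embed": "src",
    "link": "href", "form": "action",
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a plain link, not loaded with the page
        value = (dict(attrs).get(attr) or "").strip()
        # Scheme comparison is case-insensitive; "//host/..." inherits https.
        if value.lower().startswith("http://"):
            line, _ = self.getpos()
            self.findings.append((line, tag, value))


def find_insecure_references(html: str):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page using the article's placeholder domain.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.yourdomain.com/style.css">
<script src="https://www.yourdomain.com/app.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="//www.yourdomain.com/logo.png">
<img src="HTTP://www.yourdomain.com/banner.jpg">
<form action="http://www.yourdomain.com/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_references(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> still uses {url}")
```

Save the page source from your browser and pass it to find_insecure_references; every entry it returns is a reference to change to https://.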
If you need some further help with your setup, please comment on this article with your website URL and we’ll check it for you and reply back.