A jargon-free guide to HTTPS and security certificates

I go to a really good business networking group here in Sheffield, Platform Networking, and at every meeting one member does a skill share. A couple of weeks ago it was my turn so I thought I’d demystify some of the jargon that you come across once you start talking about website security.

There is a lot of talk at the moment about https and security (or SSL) certificates, prompted by a change to how the browser Chrome works. This is relevant for everyone who owns a website. Here’s the announcement from Chrome:

“Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”

By the end of this blog post my aim is for you to understand what this means and what it means for you.

What does https mean?

Starting with some basics, when you visit a website in your browser, whether that’s Chrome, Internet Explorer, Firefox, Safari, you type in a website address and the browser contacts the server at that address and gets the information to show you the web page.

The browser might also send information back to the server, for example if you enter a username and password, personal details like your address or even credit card or bank details.

There are two ways to connect the browser to the server – http or https, and you often see those in the address bar of the browser. The s stands for secure. It means that the link between your browser and the server is encrypted and also the browser has confirmed that it really is ‘talking to’ the site it thinks it’s talking to – it’s like it’s checking the id of the computer that it’s connected to.

So remember, if you are going to put personal details into a site you should make sure it is encrypted.

What does this mean for my website?

Let’s go back to that statement from Chrome:

“Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”

So it’s saying that from January, if you go to a website in Chrome that asks for a login or credit card details and you are not on an https connection Chrome will explicitly warn you.

And going forward they are going to broaden this out to all sites, even ones that do not ask you to submit information.

They are taking more responsibility for the online security of users.

As a user this is great – they’re protecting you. As a business with a website, you need to make sure that you’ve got the right things in place.

In order for your website to use https rather than http you need to have an SSL certificate. At some point, if you don’t have an SSL certificate, users will be warned that your site is not secure.
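
If you (or whoever manages your site) want to check which of your pages fall under each stage of the Chrome announcement, here is a small Python sketch. It is an added example, not Chrome's own detection code: it assumes card fields can be recognised by the standard HTML `autocomplete="cc-..."` values, and the `shop.example` addresses and sample pages are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects form inputs that ask for a password or card details."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if a.get("type") == "password":
            self.found.append("password")
        # Assumption: card fields are recognised by the standard HTML
        # autocomplete tokens (cc-number, cc-exp, cc-csc, ...).
        self.found += [t for t in a.get("autocomplete", "").split()
                       if t.startswith("cc-")]


def audit_page(url, html):
    """Return (status, fields): "ok" for https, "warn-now" for an http page
    collecting passwords or card details, "warn-later" for any other http page."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    if urlsplit(url).scheme.lower() == "https":
        return "ok", finder.found
    return ("warn-now" if finder.found else "warn-later"), finder.found


# Constructed sample pages (not real sites).
LOGIN = '<form><input name="u"><input type="PASSWORD" name="p"></form>'
CHECKOUT = '<form><input name="card" autocomplete="cc-number"></form>'
ABOUT = "<h1>About us</h1><p>No forms here.</p>"

if __name__ == "__main__":
    for url, page in [("http://shop.example/login", LOGIN),
                      ("http://shop.example/checkout", CHECKOUT),
                      ("http://shop.example/about", ABOUT),
                      ("https://shop.example/login", LOGIN)]:
        print(url, audit_page(url, page))
```

Pages reported as `warn-now` are the ones to move to https first; `warn-later` pages are covered by the long-term plan to mark all HTTP sites.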

How can you tell whether you’ve got an SSL certificate?

If you have an ecommerce site then you probably do have an SSL certificate because the big ecommerce providers either manage it for you or require you to have one.

If you don’t sell things directly from your site then the chances are you don’t have one because in the past they were fairly expensive and a bit of a faff to get.

The easiest way to check is to explicitly try to view your site over a secure connection. So go to your browser of choice and type in https followed by the colon and slashes and then your web address.

Firefox warning when you try to view a site via https that has no SSL certificate

This example is from Firefox but all browsers will show something similar. They use a combination of signals:

  • the padlock symbol;
  • the colours green (good) or red (bad);
  • warning text.

So, if you don’t have a security certificate at the moment, you will need to get one at some point. If you take credit cards or people log in to your site then it’s a priority.

How do you get an SSL certificate?

It used to be that you had to pay for them but now there are free options, e.g. Let’s Encrypt.

Speak to whoever manages your website or, if you manage your own site, speak to your hosting company. If your hosting company aren’t helpful, move. Hosting is very competitive and there are plenty of good hosts you can move to who will manage the move for you.

I am a big fan of the hosting company Siteground who include a free SSL certificate with all of their hosting packages, plus they make it super easy to make the switch (one click!).

If you are getting a new website, make sure it has an SSL certificate right from the start.

The benefits of having an SSL certificate

Things are forever changing in the world of websites and you may be feeling that this is yet another thing that is being forced on you. But don’t despair – there are other benefits of getting an SSL certificate beyond avoiding your site being flagged as ‘not secure’.

Google have said in the past that security is one of the many factors they use when ranking websites so there might be SEO benefits. Plus in some cases it might make your site faster.

The industry as a whole is moving towards improving security: WordPress are talking about making some features SSL-only in the future and there will be more and more things like this.

Once you’ve got an SSL certificate you’re ready 🙂
