Google has Started Cracking Down on Unsecured Websites

Try this. Yes, now. Look up at the address bar. Yes, you. Look to the right of the refresh button. You will see a green lock with the word ‘Secure’ (or just a green lock if you’re using Firefox, or a lock in the address bar on Safari). This simple addition makes a world of difference to Google and internet users.

The green lock, or ‘Secure’, is only displayed on websites that have SSL certificates behind them (websites and URLs beginning with ‘https’). Not only does an SSL certificate secure your website’s connection, it will also boost your organic search rankings. Eventually (very soon), all websites will need to be marked ‘Secure’ in order to rank.

Rewind.

Ok... before we go any further, let’s work out what an SSL certificate is, and why it’s important. An SSL certificate secures browser to server communication, allowing information captured by a website (typically via a form) to be transmitted safely from server to browser and browser to server without being tampered with or removed. SSL certificates basically secure credit card transactions, data transfers and logins. Without an SSL certificate, personal information including credit card details, usernames, and passwords can be more easily stolen by hackers.

Google’s main focus is keeping consumers safe online – so, it’s no surprise they are cracking down on SSL certificates. Information collected through online shopping has made website security a topic of conversation for years (remember when your parents were too scared to shop online?). Today, consumers are sharing their personal information more and more freely, with the expectation that the website they are using is capturing their data securely. I don’t know about you, but I certainly expect my credit card details to be secure when I’m making an online purchase. Or, my passport number when I’m booking an International flight. Online security is a necessity, not a “nice to have”.

What has Google done so far?

Secure, Not Secure

Last year, Chrome started marking HTTP websites with password or credit card fields as “NOT SECURE” in the address bar. This then extended to websites that had forms where users were asked to share any information (including email addresses, phone numbers, and names).

Google will mark all HTTP sites as "not secure" and will soon (July 2018) start serving full-page warnings to visitors of websites without a logged certificate.

How do I check if my website is affected?

1. Type in your website’s URL in Chrome and check if ‘Secure’ appears to the left of the address bar.
2. If it does – you’re in the clear. But, maybe not completely. You should probably read the next section.
3. If it doesn’t, you need to secure your site with HTTPS as soon as possible.

Distrust of Symantec certificate authority

Google then announced its plan to disfavour Chrome’s trust in the Symantec certificate authority with an aim to sustain the security and privacy of users when browsing the web.

Now, Google has announced that all remaining Symantec SSL/TLS certificates will stop working with the release of Chrome 70 later this year. If your website is using a Symantec SSL/TLS certificate that was issued before 1 June 2016, this means you may need to update your HTTPS certificate to avoid having your site labelled as unsafe and being broken in upcoming versions of major browsers.

How do I check if my website is or will be affected?

What are the benefits of having a secure site?

Even if you don’t collect any information on your website, you should definitely take steps to ensure it’s secure. Here’s why:

1. Improved SEO rankings – websites that aren’t secure will get penalised and outranked.
2. Security – HTTPS protects your website and your users’ information from hackers. Setting up a secure HTTPS site is the minimum precaution you should take.
3. Updated browser labels – Your website users will feel safe when they see your site marked ‘Secure’, and in turn more confident to use your website.
4. Increased conversions – Research shows that over 80% of respondents would abandon a purchase on a non-secure site. Customers are much more likely to make a purchase if they know your site is secure. There is also evidence that having a secure site can improve lead generation.

Ok so SSL Certificates are important and I don't have one, so how do I install an SSL Certificate? Well, it depends on how your website was set up and generally we recommend a webmaster to implement an SSL/TLS Certificate as it's not worth the hassle if not done correctly. That being said if you're confident in your ability to it yourself here are instructions on how to install an SSL Certificate:

For any major changes to a website, the first step is to always make a backup of your site.

Install SSL on Wordpress:

Implementing an SSL is super easy on Wordpress. Using the Really Simple SSL plugin.

1. To install the plugin, log in to the WordPress administration dashboard and go to Plugins > Add New. Search for Really Simple SSL, then click Install Now.
2. You should be prompted with “Almost ready to migrate to SSL”. Click Go ahead, activate SSL to start the process.
3. It will automatically make the changes to the domain if the SSL is detected on your site. You’ll be logged out of WordPress in this process.
4. Success! The SSL should now be enabled on your site, log back into WordPress to check.

For CPanel and Apache things be more complicated now, don’t worry we’ll guide you through.

What You’ll Need:

• Your server certificate

This is the personal certificate you’ll receive from the Certificate Authority (CA) for your domain. You would have been sent an email after buying. If it hasn’t arrived you can always download it by visiting your Account Dashboard from the CA you’ve purchased from.

• Immediate certificates

These files allow the domains connecting to your server to identify the issuing CA. If your personal certificate came in a ZIP, it should contain the Intermediate certificate, sometimes called a “CA Bundle”.

• Your private key

This key should be on your server, it will be generated during the installation process for CPanel.  For Apache you will have to generate it through a Certificate Signing Request (CSR).

Install SSL Certificate cPanel 11:

1. Login to your cPanel, this can typically be accessed by going to http://domain.com:2083
2. Navigate to SSL/TLS Manager by scrolling to the Security section
3. SSL/TLS Manager will show and let you manage anything SSL/TLS related. Click on Generate, view, upload or delete SSL Certificate in the Generate section.
4. In the Upload, a New Certificate click on the Browse button, find your new SSL Server Certificate file usually named "your_Domain_Name.crt"
5. Click the Upload button.
6. Click on Go Back to return to SSL/TLS Manager.
7. Click on Manage SSL sites in the "Install and Manage SSL for your site (HTTPS)" sections. In the Domain dropdown menu select the domain the new SSL Certificate is for. The system will attempt to fetch the new SSL Certificate and corresponding Private Key.
8. When you have your domain picked, copy and paste your personal certificate files into the text boxes shown below:

Certificate (CRT) – This is your server certificate that was issued to your domain(s)

Private Key (KEY) – This is your private key that was created during the generation process.

Certificate Authority Bundle (CABundle) – This is the intermediate certificates that allow browsers and devices to recognise who issued your trusted certificate.

Click on Install Certificate. Congratulations! You should receive a message that the certificate was successfully installed. Visit your website in your browser to check if it’s working properly, a restart may be necessary.

Apache SSL Installation Instructions:

• Copy your certificate into the shell text editor and name the file “mydomain.crt”.

Copy the contents of the certificate from (and including) the -----BEGIN CERTIFICATE---- line to the ---END CERTIFICATE--- line.

• Copy your certificate to the Apache Server Directory where you want to store the certificate.

Default directory: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/

• Open the Apache Configuration file in a text editor. Usually found in /etc/httpd, and named httpd.conf.
• Locate the SSL VirtualHost associated with your certificate.  Check that you have the following files in the correct directories within the virtual host. Add them if they are not there.

SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt (or server.crt)

SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key (or server.key)

• Save changes and exit the shell editor, restart your Apache server.

Hoorray! Your domain is now running an SSL. Test your SSL certificate by using a browser to connect to your server making sure to use the https protocol directive.

And there you have it, you’re now running a safe and secure website.

Google has made its position on SSL clear – HTTPS will be the norm, not the exception. So, what are you waiting for? If you’re not sure where to start, we can help. SSL certificates are implemented as part of our SEO campaigns. Just reach out and we’ll work with you to get your site ready for this imminent change.