
Will Better Security Warnings Mean Better Security?

These days, we do our banking, socializing, shopping, taxes and so much more online. It’s convenient, but every time we log in to a site or type in a credit card number, we expose sensitive personal and financial information to risk. If you’re like me, each time you enter a credit card number in an online store or sign into your bank’s website, you may wonder vaguely, “is this safe?” You try to be careful, by using reputable merchants and not clicking on links in phishing email messages, but still… you wonder.

One way to tell whether a web page is being served securely is to look at the full URL. Consider this address: https://www.hopstudios.com. The “s” at the end of “https” means the page is served over HTTPS, so the connection between your browser and the server is encrypted. But some browsers hide the “http://” or “https://” part of the address (mostly because it’s kind of ugly to look at), while others show a padlock icon or a warning instead of the scheme. Just by looking, it can be difficult to be sure whether a site is or isn’t secure.

Recently, Google started notifying sites that they might trigger security “warnings” in the latest version of Chrome. The notification says: “Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as ‘Not Secure’ unless the pages are served over HTTPS.”

What does this mean? It means Google’s Chrome browser has changed both the style in which it displays the HTTPS security indicator and the rules by which it decides what to display. Now, when a page includes a field for a password or a credit card number, a quick glance at the Chrome address bar tells you specifically whether it is “Not Secure” (i.e. served over plain HTTP). Compare:

Screenshot of a ‘Not Secure’ notification
An insecure site

Screenshot of a 'secure' notification
A secure site

This new look, and the rule for displaying it, are part of a long-term plan to mark any page served over the unencrypted HTTP protocol as “Not Secure,” even pages that don’t contain password or credit card fields.

I commend Chrome for doing a better job of letting users know whether a site is secure on pages that collect sensitive information. But I’m less keen about Chrome’s plan to move toward a universal “Not Secure” warning for all HTTP sites, regardless of the actual risk present.

The move is almost certainly intended to serve the general web audience by encouraging every website to deploy HTTPS. While this is probably good for the overall safety and health of the Internet, I am concerned that applying these warnings to sites where security isn’t really a factor will create more confusion among web users rather than less. I’m not sure the average Internet user understands the distinction between a site that is labeled “Not Secure” but poses no real security risk, and one that does. The risk of giving a non-secure site your credit card number is relatively high; the risk of browsing a non-secure site that doesn’t collect any personal data at all is fairly low. Of course, there are certainly factors other than password and credit card fields that represent security risks: anything sent over plain HTTP can be read or modified in transit by whoever controls the network path, so even a static page can have content or scripts injected into it on the way to the reader. (There’s an excellent breakdown of this here.) But labeling all HTTP sites with the same warning weakens that warning when it actually represents trouble.

Aside from my Chrome qualms, however, it is true that any website publisher who takes credit card numbers or has user accounts should absolutely be serving pages securely. If this is you, read on…

Let’s unpack what “securely” means. At base, a secure HTTPS site is one with a valid TLS certificate (still commonly called an SSL certificate) issued by a trusted certificate authority, installed and configured correctly. HTTPS provides two layers of protection. First, the certificate validates the identity of the site: the browser checks that the certificate was issued by an authority it trusts, that it has not expired, and that it was issued for the domain in the address bar (i.e. that you are actually talking to the hopstudios.com server and not something impersonating it). Second, the TLS connection encrypts and integrity-protects the data exchanged between your computer and the server while it is in transit, when it is most exposed. When a company serves its site securely, it’s a good sign that it takes security concerns seriously, although it doesn’t mean your data is protected from every kind of breach; HTTPS says nothing about how the site stores your data once it arrives.
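To make the “validates the identity of the site” layer concrete, here is an added example (not code from the original post or from Hop Studios) of the hostname and validity checks a browser performs on a certificate before it shows the padlock. The sample certificate, its names and its dates are constructed for illustration and are not hopstudios.com’s real certificate; the dict layout copies what Python’s `ssl.SSLSocket.getpeercert()` returns, and `fetch_peer_cert` shows how to obtain a real one.

```python
"""Added example: the identity and validity checks a browser runs on a site's
certificate, applied to a constructed sample shaped like ssl.getpeercert()."""
import socket
import ssl
import time

# Constructed sample certificate (an assumption for illustration, not the real
# hopstudios.com certificate), in the dict form ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "hopstudios.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "hopstudios.com"), ("DNS", "*.hopstudios.com")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}
# Fixed clock values so the checks are reproducible whenever you run this.
MID_2017 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2017 GMT")
EARLY_2019 = ssl.cert_time_to_seconds("Mar  1 00:00:00 2019 GMT")


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a leading '*' stands
    for exactly one left-most label ('*.hopstudios.com' matches
    'www.hopstudios.com' but neither 'hopstudios.com' nor 'a.b.hopstudios.com')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # '.hopstudios.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert, hostname):
    """Identity check: the host typed into the address bar must be named in the
    certificate's subjectAltName entries. Browsers only fall back to the subject
    commonName when the certificate has no SAN extension at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(p, hostname) for p in names)


def validity_problem(cert, now=None):
    """Return None if 'now' falls inside the certificate's validity window,
    otherwise a short reason string."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return None


def check_cert(cert, hostname, now=None):
    """The checks a browser makes before showing the padlock, apart from
    verifying the issuer chain up to a trusted CA (which the TLS library does
    for us in fetch_peer_cert below). Returns a list of problems; empty means OK."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    reason = validity_problem(cert, now)
    if reason:
        problems.append(reason)
    return problems


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live site's certificate. ssl.create_default_context() already
    enforces chain validation and hostname matching, so a successful handshake
    here is itself the 'is this site secure' check the browser performs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("www.hopstudios.com", "hopstudios.com", "shop.example.com"):
        print(host, check_cert(SAMPLE_CERT, host, now=MID_2017) or "ok")
    print("www.hopstudios.com in 2019:",
          check_cert(SAMPLE_CERT, "www.hopstudios.com", now=EARLY_2019))
```

The two failure modes this exercises are the ones that most often turn a correctly purchased certificate into a browser error: a certificate issued only for `hopstudios.com` that is then served on `www.hopstudios.com` (hostname mismatch), and a certificate that was never renewed (expired). Both produce a full-page interstitial in Chrome, which is why “installed and set up correctly” matters as much as having a certificate at all.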

Certificates from commercial authorities typically run from $150 to $300 per year, depending on your site’s needs and size, though there are several projects, Let’s Encrypt among them, that issue certificates for free. You can expect a web developer to need a couple of hours to set up and test the certificate. Once it is working properly, you shouldn’t need to do much to maintain it beyond renewing it before it expires (annually for most paid certificates). Don’t let that slip: an expired certificate produces a full-page browser error, which is far more alarming to visitors than a “Not Secure” label, so put the renewal date on a calendar or automate the renewal.

As always, if you have questions or need help with SSL certificates, Hop Studios is here to help!

