What Google’s New SSL Policies Mean and Why Agencies Should Pay Attention
Since July 2018, Google has expanded the scope of its unencrypted-site warnings to include grey “Not Secure” tags in the URL of ANY non-SSL-secured site accessed by version 68 or later of its Chrome web browser. In contrast, SSL sites accessed by Chrome show up with a padlock icon, the word “secured” or “unsecured.” Upon clicking the icon and word, viewers are given more details on the security of the website. This minor difference may seem like nothing to some, but for Google, this change is just one part of its plan to help secure the World Wide Web.
So what does it mean to have your site encrypted with SSL (Secure Sockets Layer)? According to Google, it indicates three main security properties:
1. Identity: Since HTTPS sites must acquire a certificate proving their authenticity, users can be confident this is the real site they intended to visit, not an imposter.
2. Confidentiality: All data passed between the browser and server remains confidential between them. No third party can intercept the data.
3. Integrity: The browser and server guarantee that the data sent is exactly what the other receives. Third parties cannot tamper with the information.
Google and other browsers like Firefox, Safari and Internet Explorer have been cracking down on unsecured (HTTP) sites and encouraging site owners to adopt SSL (indicated by HTTPS) since 2016. And that little ‘S’ is starting to make a world of difference.
As the Internet becomes more powerful (think geolocation services, online bill pay, banking and access to medical records), Google plans to make HTTPS the minimum in security expectations across the web. In pursuit of that goal, it is not only preventing unencrypted sites from accessing more sensitive web features, but now flagging any unencrypted site, no matter the content. In Google’s words,
“HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP.”
This change also comes for a good reason: it’s protecting our information. Information shared on an unencrypted website (HTTP) can be compromised by hackers. In extreme cases, hackers have also positioned faux sites that resemble destination sites. Once users are on the unencrypted website, any shared confidential information is up for grabs. Even the biggest, most secure websites aren’t immune to security breaches–remember last year’s Equifax breach or the recent Facebook breach? By means of encryption, your organization and website users experience an additional layer of security that can make a big difference.
So how does this affect your organization?
If your website is among the roughly 30 percent of web pages that have not yet adopted HTTPS, your audience may be dissuaded from clicking through to your site, and you may not be able to add useful features (like online bill pay and geolocation) to your organization’s site. For those at government organizations, your residents often need to provide sensitive information such as home addresses and social security numbers on your website. As such, they have a high standard of privacy and safety that they expect your website to meet. And as more and more users begin to associate SSL with online security, not having the feature could affect your audience’s opinion and use of your site.
To assure users that your website is authentic and that their data is safe, there are a few steps to go through, including getting a certificate that denotes the authenticity of your site from a provider like SSLMate or Let’s Encrypt. Both options offer inexpensive or free SSL certificates. To help users through the process of securing their site, Google recommends using its Lighthouse tool, an auditing tool that will assess your site, alert you to security needs and offer recommendations and tools for how to implement them.
Tripepi Smith also offers encryption services for sites hosted with us, and we have been actively working with clients to advise them to migrate to SSL implementations over the last two years. With clients in the medical, financial and governmental fields who depend on the confidentiality of their information, Tripepi Smith is working to ensure the privacy of information being passed through our clients’ sites remains just that: private.
The good news is that securing your site is not nearly as difficult or costly as it was in years past. By taking action now, your organization can still be on the forefront of the new, secure web space.
Tripepi Smith stands ready to help you take the first step into a safer age of the Internet.