Switching to HTTPS Before It’s Too Late

  • July 26, 2018

Google, Mozilla, and other web authorities are pushing for website owners to adopt HTTPS. Soon, Google Chrome will start flagging sites by displaying a warning that the site is “Not secure“.

Treatment of HTTP pages in Chrome
Treatment of HTTP pages in Chrome

Chrome 68 is already in Beta. Before long, everyone will be able to update their browsers to Chrome 68 and see “Not Secure” warnings on websites without SSL.

Reasons Behind the HTTPS Movement

It is a fact that websites with HTTPS are ranked higher in the Google search results. Marketers involved in search engine optimization should know this. Websites that are not secure have no place in the top SERPs (search engine results pages). This is Google’s way of incentivizing good security practices, but they don’t just reward good behavior – they punish the ones that aren’t taking necessary precautions.

My colleague, Cesar, wrote last year about Google blacklisting sites without HTTPS. If a site contains credit card forms or password input fields but does not have an SSL certificate, this puts the visitor at risk. It makes sense that the visitor should be warned before typing in their personal information. If your website has any of these, avoiding a security warning from search engines is another incentive to start using HTTPS as soon as possible.

Deciding to Wait Can Damage Businesses.

Visitors might not want to stay on a website when they see a warning in their Chrome browser but Firefox and other browsers will follow their lead. This is especially true for e-commerce websites since they could suffer the most. Users would not be willing to purchase from a website when there is an insecure warning even if the checkout page is secure.

SSL doesn’t just protect dynamic content such as e-commerce, user logins, and sensitive form data. Some people might argue that their website is static – no login forms or sensitive data – so perhaps there is no reason for them to use HTTPS. This myth is incorrect. Not only do browsers and search engines favor sites using HTTPS, but SSL also prevents pages from being tampered with while in transit. In the security world, this is known as a man-in-the-middle attack.

I predict that soon, visitors will see warnings on HTTP sites regardless of what browser they are using.

Here are some statistics from Google:

  • Over 68% of Chrome traffic on both Android and Windows is now protected.
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected.
  • 81 of the top 100 sites on the web use HTTPS by default.

Mixed Content Warnings – Not Secure

It is also important to set up SSL correctly without mixed content that may compromise security. Mixed content happens when resources on the page (such as images) are not coded and pulled over HTTPS. This can cause information leakage.

Fixing mixed content can be a tricky process, and is often why websites with valid SSL certificates have errors next to their padlock icon. We have written an article that explains how you can fix mixed content warnings.

If you still have trouble determining which content is causing the mixed content warnings, you can try using this tool: https://www.whynopadlock.com/

Free SSL and the Sucuri Firewall

If your host does not support HTTPS, the Sucuri Firewall will provide partial (client-side) SSL support. This allows us to encrypt the communication between the visitor and our edge servers. The certificate does not sit between Sucuri and the original host server. Not the ideal configuration, but it’s a good first step to improving the data security chain if your host doesn’t support HTTPS.

We also have a guide on how to install an SSL certificate. Customers of our Enterprise plans can leverage our team for SSL management and support.

Conclusion

There is no good reason for your website not to be using HTTPS. There are still rumors floating around that HTTPS is taxing on the server processors and network speeds. However, this is not the case today. Any performance issues have long been resolved. You also no longer have to pay for an SSL certificate. Let’s Encrypt will provide you with one for free.

If you are interested in learning more about SSL certificates and website security, watch our webinar: Is SSL Enough to Secure Your Website?

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags
Related Categories
You May Also Like