I had a client ask me recently, “Why is my site http:// but all new sites are https://? Does this leave me at risk?”
A lot of people, when they’re surfing the web, may not pay much attention to what precedes the URL in the address bar of their web browser, although most people do at least know to look for that little green lock icon (which is synonymous with a secure, https:// page) when they’re inputting credit card details on a website.
But this particular client is a business coach (and a fantastic one at that) – let’s call her Rhonda (because that’s actually her name, and if you are also a coach looking to grow your coaching business, you should absolutely follow her at Prosperous Coach Blog). Anyhow, she looks at a lot of websites, especially websites belonging to her clients who are getting the hang of this whole having a website thing, and she very astutely picked up on this little nuance – that she was seeing https:// on all of these new sites, but not all of her own sites had it.
First things first – what is the difference between http:// and https://?
When you have an SSL certificate installed on your website, that’s what gives you the https:// in front of your website address as opposed to just plain old http://.
An SSL certificate is essentially some extra bits of data that sit on your website and encrypt the information flowing between your site visitor’s computer and your website so that nefarious beings can’t intercept it and read the data.
It’s a little bit like when your grandma used to send you a $5 bill in the mail. She would tuck your crisp bill inside a greeting card so the mailman couldn’t tell there was money in the envelope (and because you’re really not supposed to be sending cash through the mail).
An SSL certificate gives you that extra layer of protection around your website so that the bad people can’t see what’s being transmitted and try to steal it.
And why on earth do I need one if I don’t have an eCommerce site?
It used to be that you really only needed an SSL certificate if you were running some kind of eCommerce website and needed to ensure that a customer could safely and securely enter their payment information on your site.
But something has shifted over the past year – Google got serious and, in a big brotherly way (that wasn’t entirely misdirected), decided to “strongly encourage” everyone to use SSL certificates on their site, mainly as a means of making the web a safer place in general.
Where they’re really super serious about it (and actually exerting more than a little pressure) is if you have any kind of web form on your site – not just payment forms – meaning there’s some place for a visitor to actively engage with your site beyond just reading and clicking links.
Google, like your grandma, wants to make sure no one except the intended recipient of that data gets to see it, so they’re now letting folks know that pages where you might enter that kind of information are not secure if there’s no SSL certificate present. This is what it looks like in the address bar on a page that doesn’t have an SSL certificate but does ask for that kind of input:
The other thing to be aware of is that Google is factoring SSL certificates into their search engine rankings, so sites that have an SSL certificate are possibly showing up higher in search results than sites without. If search engine optimization is your thing, you’ll care about this one for sure.
Ack! So the whole world knows I’m not secure now? I feel naked!
Don’t panic. (Google’s sweeping decisions about what they deem best for the world wide web do tend to cause panic in the tech community, but it’s rarely as dire as most people make it out to be. Not saying it’s not important – just saying it’s not panic-worthy at this point.)
First, like I mentioned above, it’s a minor notification in the address bar and it is only showing up on pages that have something like a login form where there’s a username and password to be entered.
Secondly, the visible stuff in the address bar about a page being Not Secure is mostly confined to Google Chrome. Firefox shows a little lock with a line through it. But Safari and Microsoft Edge (aka Internet Explorer) are sure to follow suit at some point.
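If you want to find the pages on your own site that would earn that warning, here is an added example (not part of the original post, and only an approximation of what browsers check): a small Python script that scans a page’s HTML for forms whose contents would travel over plain http://. The sample pages and the example.com addresses are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages (not taken from any real site).
LOGIN_PAGE = """<form action="/session" method="post">
<input type="text" name="user"><input type="password" name="pass">
<input type="submit" value="Log in"></form>"""
SIGNUP_PAGE = """<form action="http://example.com/subscribe" method="post">
<input type="email" name="email"><input type="submit"></form>"""


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the kinds of field inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "types": set()}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            kind = (attrs.get("type") or "text").lower() if tag == "input" else tag
            self._current["types"].add(kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return one finding per form whose input would travel unencrypted."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty action submits back to the page's own URL.
        target = urljoin(page_url, form["action"])
        reasons = []
        if urlparse(page_url).scheme != "https":
            reasons.append("page served over http")
        if urlparse(target).scheme != "https":
            reasons.append("form submits over http")
        # Forms with nothing for the visitor to fill in are ignored.
        if reasons and form["types"] - {"hidden", "submit", "button"}:
            findings.append({"target": target, "reasons": reasons,
                             "has_password": "password" in form["types"]})
    return findings
```

Note the second sample: a page that is itself served over https:// can still contain a form that submits to an http:// address, which sends the visitor’s input unencrypted even though the page looks secure.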
So what’s a responsible website owner to do?
If you’re building a brand new site, chances are extremely high that it will be built as an https:// site. I’m finding that almost all the web hosts I work with are making these available on new hosting accounts by default, so no worries there.
If your site has been around for a while and you weren’t selling things on it previously, in all likelihood you need to look into getting that certificate added to your site because Google cares (and when Google cares, we all care).
Fortunately, about the time Google made this big sweeping decision about how they wanted the internet to be, along came an awesome little company that said “Secure websites should be for everyone and shouldn’t cost anything. We’re going to make it easy and free! So you get an SSL certificate! And you get an SSL certificate. Everyone gets an SSL certificate!” And lots of web hosts are making this free version of the SSL certificate available to all their clients – current and new.
I will say that at the time of this post going live, GoDaddy, of all companies – one of the biggest shared web hosting companies out there – was still charging people for SSL certificates, so no love there (although it is worth the $60ish per year it will cost you to have one on GoDaddy, so I do recommend it anyhow, if that’s who you’re hosted with).
You should know there’s a happy ending to this story. We were able to easily add the new SSL certificates to all of Rhonda’s websites (you’ll notice if you follow the link to her site, https://prosperouscoachblog.com), and she is safe and secure once more.
If there’s something I can help you with here, please don’t hesitate to reach out to me.