Why Is My Website Not Secure?

“How dare you say my website is not secure Google — you don’t even know me!”

With nearly 60% of the browser market share, Chrome is no longer the new kid on the block; it’s popping off!

And whether we like it or not, Google seems to know what’s best for us and the web as a whole.

That’s why they have made it a priority this year to mark non-secure pages containing password and credit card input fields as Not Secure in the URL bar.

Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields.

Update 7/6/2018: Google Chrome is taking it one step further and will be marking all non-https websites as “Not Secure”, not just websites collecting sensitive information. This change will take place with the release of Chrome 68.

So how can you fix this problem on your website now? After all, you have customers to serve and cannot run the risk of scaring them away.

Ultimately, the reason why your website is showing as Not Secure will vary from site to site. But there are a couple of questions and handy resources that you can use to get to the root of the problem.

Do you have an SSL Certificate Installed?

SSL, short for Secure Sockets Layer, is a standard network security protocol for establishing encrypted links between a web server and a browser in an online communication. The usage of SSL technology ensures that all data transmitted between the web server and browser remains encrypted.

An SSL certificate is used to enable a secure connection that protects your website, and the customers who use it, even if it doesn’t handle sensitive information like credit cards. It helps provide privacy, critical security and data integrity for both your website and your users’ personal information.

Today, many web hosting providers offer SSL certificates. The costs are either separate or built into pricing. On average, standard SSL certificates start at around $50-70 annually for a single domain. These costs can vary depending on the type of certificate you need.

Want to check if an SSL Certificate is installed on your website? A quick search will show a number of different free “SSL Checkers”. A personal preference of mine is Qualys SSL Labs, which will give you a detailed report.

See the below screenshot of one of our client’s secure websites:

If you do not have an SSL Certificate installed, then you will receive the following error message:

Did you force HTTPS?

Even if you have an SSL Certificate installed, you may still receive warning messages.

This mainly happens when web users access old indexed URLs that are still using HTTP.

Forcing visitors to use SSL can be accomplished through your .htaccess file using mod_rewrite. Modifications can be made with a file editor and an FTP client like FileZilla, but it’s important that they are done carefully. Improper modifications to your .htaccess file can break your website, causing more issues and potentially resulting in lost business.
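
A minimal .htaccess rule set for the redirect described above, as an added example that is not from the original post. It assumes Apache with mod_rewrite enabled and HTTPS terminated on the web server itself rather than on a proxy or load balancer in front of it.

```apache
# Added example: force HTTPS with mod_rewrite.
# Assumption: this server handles the HTTPS connection directly.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Match only requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off

    # Permanently redirect to the same host and path over HTTPS, so that
    # old indexed http:// URLs land on the secure version of the page
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
```

Keep a copy of the existing .htaccess file before editing so the change can be rolled back if the site stops loading.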

Is there mixed content on your website?

If you have installed an SSL certificate and forced HTTPS through your .htaccess file but still see a warning, then it is likely that your website is showing mixed content.

Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.*

Working backwards through your files to scan for old HTTP links can be tedious, especially if you have a complex website. Fortunately, there are tools built within your browser and on the web that can help.

If using Chrome, go to Settings > More Tools > Developer Tools > JavaScript Console. Mixed content warnings will be shown like the image below:

If the above steps seem a little overwhelming or clunky to you, a secondary option would be to check out Why No Padlock, a simple tool that will tell you about any insecure items on your SSL page.

Once you have identified where the mixed content is, you have to update those resource URLs from HTTP to HTTPS.
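
A small scanner for the check described in this section, as an added example that is not from the original post: it parses a page's HTML and lists every subresource requested over http://. The sample page, the example.test hostnames and the active/passive labels are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags that make the browser fetch a subresource, with the attribute holding
# the URL. "active" content can change the page; "passive" content is only
# displayed. Plain <a href> links are navigation, not mixed content.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "video": ("src", "passive"),
    "audio": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for each subresource loaded over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links do not load a subresource
        url = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative (//host/...) URLs inherit HTTPS
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page served over HTTPS
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example.test/site.css">
  <link rel="canonical" href="http://www.example.test/">
  <script src="https://cdn.example.test/app.js"></script>
  <script src="http://cdn.example.test/legacy.js"></script>
</head><body>
  <img src="http://www.example.test/logo.png">
  <img src="//cdn.example.test/photo.jpg">
  <a href="http://partner.example.test/">Partner site</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

Only the stylesheet, the legacy script and the logo image are reported; the canonical link, the protocol-relative image and the outbound anchor do not count as mixed content.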

Make your website secure

The world of the web is changing. It happens fast and often without real notice. Staying on top of browser and search updates is not just a good business practice, it’s essential to staying competitive in a sensitive, digital world.

Our professional HTTP to HTTPS migrations eliminate browser warnings, improve SEO, and build credibility and trust without any downtime.

An HTTP to HTTPS migration should be easy and affordable without any hiccups. Now it is. Let our team at GOGET SECURE help you make a seamless switch.

*What Is Mixed Content? | Web | Google Developers. (n.d.). Retrieved June 06, 2017, from https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content