If you needed that extra push to switch your websites over to HTTPS, Google has once again stepped up to the plate. On approximately January 31st, the latest version of the Chrome web browser (version 56) will introduce a significant change in the way it displays non-HTTPS websites. Any website that is not configured to display pages over HTTPS will have a message appear in the address bar that says “Not Secure” on any page that collects login credentials or credit card information.
This is the first step in a staged rollout to encourage website owners to discontinue serving pages over plain HTTP. The final stage will be that Chrome will label all non-HTTPS pages as “Not Secure.” If you have been on the fence about whether or not to serve your websites over HTTPS, now is the time to jump on board and help make the web a safer place for everyone.
So what should you do next if your websites are not using HTTPS?
First, you should consult your hosting provider’s official documentation to learn how to set up SSL in their environment. Whether your sites are hosted in a shared environment or VPS/dedicated solution with root access, setting up SSL is a relatively painless process. If you feel unsure, you should consult your system administrator or webmaster for assistance. 25Penn Marketing can also assist you in setting up SSL for your websites.
Many hosting providers offer a free and easy solution for setting up SSL utilizing Let’s Encrypt, and some of them offer a simple one-click installation method via cPanel for installing Let’s Encrypt certificates. Let’s Encrypt is a free, automated, and open certificate authority provided by the Internet Security Research Group (ISRG).
Once your website has been configured to display content over HTTPS, you may want to consider implementing HSTS (HTTP Strict Transport Security), which is an opt-in security enhancement specified through the use of a special response header. The header tells browsers to stop sending requests to your site over HTTP and to communicate with it exclusively over HTTPS. We will go into greater detail in a future blog post and discuss the steps you should take to implement HSTS, and how to submit your site to the HSTS preload list. Stay tuned!
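As an added illustration (not part of the original post), the following Python sketch parses a `Strict-Transport-Security` header value and reports what would weaken the policy or block preload submission. The function names are hypothetical, the header strings are constructed samples, and the one-year `max-age`, `includeSubDomains` and `preload` checks assume the requirements published at hstspreload.org.

```python
# Added example: review a Strict-Transport-Security header value (RFC 6797 syntax).
PRELOAD_MIN_AGE = 31536000  # one year in seconds (assumed preload-list minimum)

def parse_hsts(value):
    """Return a dict of lower-cased directives, or None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar tolerates empty directives
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # values may be quoted strings
        if name in directives:
            return None                      # a repeated directive invalidates the header
        directives[name] = val
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                          # max-age is the one required directive
    directives["max-age"] = int(age)
    return directives

def review_hsts(value, scheme="https"):
    """Return a list of findings; an empty list means the policy is preload-ready."""
    findings = []
    if scheme != "https":
        findings.append("header sent over plain HTTP is ignored by browsers")
    policy = parse_hsts(value)
    if policy is None:
        return findings + ["malformed header: browsers will ignore it"]
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells the browser to delete the policy")
    elif policy["max-age"] < PRELOAD_MIN_AGE:
        findings.append("max-age is shorter than one year")
    if "includesubdomains" not in policy:
        findings.append("subdomains are not covered")
    if "preload" not in policy:
        findings.append("preload directive is missing")
    return findings

if __name__ == "__main__":
    # Constructed sample header values, not taken from any real site.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300",
                   "includeSubDomains"):
        print(repr(sample), "->", review_hsts(sample) or "OK")
```

A short `max-age` such as 300 seconds is a reasonable first deployment while you confirm every page and subdomain works over HTTPS; raise it once nothing breaks.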