Website not encrypted? Google soon will start turning customers away. Here's how to get ahead of the problem.

May 3, 2018


By Joe Dysart

Use of Transport Layer Security, the encryption protocol that underpins HTTPS, is a best practice. And come July, it will become a business necessity because Google Chrome will start warning people away from any website that lacks HTTPS by branding it “Not Secure” in the browser address bar.

“Google is rolling [that warning] out to all versions of Chrome this summer,” says Peter Boyd, founder of web design firm PaperStreet. Given consumers’ and business users’ well-advised hesitancy to visit any site that seems risky in any way, Google’s move is expected to have a major impact on telecommunications and other firms that miss the deadline and are still operating unencrypted in July.

Essentially, users attempting to visit these sites will be less likely to trust the content, according to Patrick R. Donahue, security engineering product lead with Cloudflare, an internet services provider. There’s good reason for that given the growing use by attackers of “drive-by malware” that can infect a computer simply because a user visited a website that’s running malicious code.

“HTTPS is considered by most security professionals to be a bare minimum level of security for any website that requires data from the end user as part of its core functionality,” says Tyler Kee, cloud solutions architect at master agent PlanetOne Communications. “Given the amount of websites that currently require some sort of user data – usernames, passwords, geographic location, credit card information – use of HTTPS should be considered a basic best practice for any website.”

Moreover, with Google firmly committed to the July deadline, Donahue says other major browsers – Mozilla Firefox, Microsoft Edge and Apple Safari – will follow suit shortly thereafter with their own Not Secure alert programs. Pat Harper, chief technology officer with conferencing and collaboration software provider PGi, applauds the major browser-makers’ decision to indicate security level in simple, user-friendly terms.

“Most of the internet community has embraced HTTPS encryption for web services,” says Harper. “This act will further accelerate the adoption of modern security practices across the entire internet community.”

He’s likely correct, given that those browsers together service more than 78 percent of all the people surfing the Web, according to Netmarketshare.

For partners, the net result could be a stampede of businesses desperately looking for encryption come July.

Look for the Green Label

To determine if your or a customer’s business will be impacted, simply type the web address into the Google Chrome browser. If the site is lacking encryption, you’ll find a subtle alert. For now, the warning appears as an exclamation point in the address bar, which you need to click on to retrieve Google’s admonition that the site is not secure.

Come July, the search giant has decided that its warning will be stark and dramatic: Visit any website that’s not encrypted, and that site will be branded with the words “Not Secure” right in the Google Chrome address bar — no clicking necessary.

“Awareness is absolutely critical,” says Robert McBride, director of marketing, Versa Networks, another staunch supporter of Google’s “Not Secure” campaign. “This approach helps to ensure that users are aware of the potential risks of doing business across the World Wide Web.”

As most telecom industry players know, encrypted websites run on the Hypertext Transfer Protocol Secure standard, HTTPS, and often feature a green lock or other emblem in the browser address bar indicating that the site is encrypted and operates at a higher level of security. Standard websites that run on the less secure Hypertext Transfer Protocol – or HTTP – are not encrypted and feature no such emblem.

Compounding the anticipated pandemonium over Not Secure branding is a related decision by Google to “remove trust” from any website certified as encrypted by Symantec prior to June 1, 2016. The reason: Google has repeatedly expressed skepticism regarding the veracity of Symantec’s certification process prior to that date, and has simply decided to invalidate such certifications for users of its Chrome browser. The decision – which goes into effect no later than July – will be a major blow to website operators in its own right, given that Symantec is one of the largest purveyors of encryption certifications on the Web.
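To find the certificates that decision touches across a set of customer sites, the check below is an added example, not part of the original article. It assumes the issuing CA shows "Symantec" in the issuer organizationName and uses the article's June 1, 2016 cutoff; the host names and sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff from the article: certificates issued before June 1, 2016.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

def issuer_org(cert):
    """Issuer organizationName from an ssl.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def issued_at(cert):
    """Parse the certificate's notBefore field into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def affected(cert, issuer_marker="symantec"):
    """True if the issuer name matches (assumption) and the cert predates the cutoff."""
    return issuer_marker in issuer_org(cert).lower() and issued_at(cert) < CUTOFF

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate (needs network; checked against the local trust store, not Chrome's)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _cert(org, not_before):
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "notBefore": not_before}

# Constructed sample certificates, not real sites.
SAMPLES = {
    "old.example": _cert("Symantec Corporation", "Mar 14 00:00:00 2015 GMT"),
    "boundary.example": _cert("Symantec Corporation", "Jun  1 00:00:00 2016 GMT"),
    "new.example": _cert("Symantec Corporation", "Feb  2 00:00:00 2017 GMT"),
    "other.example": _cert("Example CA Inc", "Mar 14 00:00:00 2015 GMT"),
}

def audit(certs):
    """Return the sorted host names whose certificates need replacing."""
    return sorted(host for host, cert in certs.items() if affected(cert))

if __name__ == "__main__":
    print(audit(SAMPLES))
```

For live sites, build the input with `{host: fetch_cert(host) for host in hosts}` and pass it to `audit`.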

Hardest hit by the dual decisions will be operators of non-e-commerce websites that require no passwords for entry and don’t accept credit cards or other forms of digital payment. For years, such sites were not favorite targets of attackers, given that no monetary transactions took place. But more recently, malicious hackers have been launching drive-by attacks from these unencrypted sites by inserting code into their pages that enables them to download malware to someone visiting that website, or code that directs a visitor to a phony webpage asking for credit-card or other personal information.

The good news for businesses looking for encryption is that many web hosting companies have decided to offer basic encryption as a free, value-added service. Many of those hosters work with Let’s Encrypt, a nonprofit organization whose mission it is to offer free, basic encryption to any website owner who needs it.

If you’re looking to go the free route with Let’s Encrypt for your or a customer’s site, the best move is to talk with your web hosting company and verify that it has a tool on your site control panel that enables you to easily add a Let’s Encrypt certification. Many web hosts without such a tool do enable you to install Let’s Encrypt certification, but that manual process is tedious, and it’s often easier under such a circumstance to simply switch to a web host that features a Let’s Encrypt tool.

Other organizations offering free encryption include Comodo and Cloudflare.

Either way, this is an opportunity for partners with a web designer or the coding skills to help customers transform their sites to encrypted status and to ensure that all the coding on the website reflects that change.

An alternative for customers with very small sites, sporting only a few pages, is simply to purge the old website, re-establish it as an encrypted site from the get-go and then rebuild the pages from scratch.

Of course, there are also any number of web hosts and security providers more than happy to work with partners to encrypt customer sites. But the bottom line is that all businesses need to get their encryption done one way or another before July. Already Google is penalizing the SEO of HTTP sites. Adding encryption sooner rather than later will ensure your or a customer’s site is not branded as Not Secure. Experts expect that come July, encryption-for-a-fee providers will be expensive and busy as companies become desperate for that service.

“It’s important that internet users understand the extent to which security is addressed in the services they use, from websites to IoT devices,” says Chris Richter, vice president, global security services, CenturyLink. As a trusted adviser, this is a prime opportunity to get your customers ahead of “Google-mageddon.”

Joe Dysart is an internet speaker and business consultant based in Manhattan. Reach him at [email protected] or on his HTTPS-enabled website.
