INCO digital
03330 124 907

Blog

Catch up with the very latest news and useful articles on how your business can improve its marketing and digital presence.

Google SSL Security Changes

blog ssl website security

One of the first things you learn about “Internet security” is not to enter credit card details on an insecure website – to “look for the padlock” to ensure the website is “secure”.

Whilst that is somewhat of a misnomer and “the padlock” does not guarantee security, it does indicate that the connection between your computer and the server that it is talking to is encrypted so that other people (e.g. on an open WiFi hotspot, at a café or a hotel) can't “listen in” and steal your credit card details. There are certain situations where this is not completely safe, but it is in 95%+ of situations.

Over recent years, there has been a push to make all website traffic “secure”. This movement began for a mixture of reasons, some practical and some political.

Google are now leading this push and have announced that from January 2017 their Chrome browser will mark certain types of pages, in addition to credit card entry pages, as “Not Secure” unless they are covered with an SSL certificate. In the first instance, these will include login forms. [1]

However, in the longer term, they have stated that their intention is to mark all pages as non-secure unless the whole website is covered with an SSL certificate. Google have also started using SSL as a minor, for now, consideration for SEO ranking. [2]

One of the things that prevented all website traffic from using SSL in the past was the increased load on the servers. Under SSL all traffic to and from the servers is encrypted which increases the cost of the servers and therefore the cost of hosting services. Server performance increased to the point where it is now viable.

Other, more significant, costs with SSL were the cost of IP addresses (1 per website) and the cost of the SSL certificates themselves. These used to cost several hundred pounds per year per website.

Given the costs, SSL was only deployed where necessary, e.g. on the pages/sites where people entered credit card details, or on Government websites.

However, situations change…

Recent developments mean that the securing websites with basic Domain Validated (DV) SSL certificates is now viable without additional annual charges for SSL security. [4]

There are limitations with this, for example computers running the obsolete Windows XP are not compatible.

Some changes are required to the way that some content is added to websites however. This is not due to our systems, but due to how web browsers handle embedded content. The most common example is if you embed Google maps in your website, or if you embed 3rd party links via iframes. All such links need to be linked to SSL, i.e. “https:” pages rather than “http:” pages, as a web browser will not show embedded content from a “http:” site within a page on a “https:” site.

INCO can assist you both with checking for these situations and adjusting your content to work with SSL. We enable SSL on your site without making it mandatory. This gives you the ability to check all your pages and update any affected content before SSL is made default.

INCO provides both DDoS protection and SSL security for all new websites by default. For our existing clients on our current generation CMS packages, we provide implementation of DDoS protection and SSL security at no charge. [3]

For clients on our previous generation CMS packages, we include both DDoS and SSL security as part of the process of upgrading to our current generation CMS packages.

If you wish to talk to us about upgrading, or enabling SSL on your website, please contact us at support@inco-digital.com or 03330 124 907.

 

References / Notes:

[1] Moving towards a more secure web : https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

[2] HTTPS as a ranking signal - https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

[3] Upgrades are available from our previous CMS systems.

[4] Upgrades to OV (Organization Validated) and EV (Extended Validation) certificates are available as chargeable options. The standard DV (Domain Validated) certificates are free.

[5] INCO reserves the right to withdraw this offer at any time if the 3rd party certificate suppliers impose additional charges.

 
 
Get in Touch