Some Security Layer
Beginning in October 2017, the Google Chrome browser began showing “Your connection to this site is not secure” warnings on almost all sites loaded over the http://, not https://, protocol. At the same time, Google dropped a boatload of money into Let’s Encrypt, a service that provides free SSL certificates (the thing you need to be able to serve a page as https), making it easier than ever to display the coveted little SSL green padlock in Chrome next to your URL, signifying your security compliance.
But even though the barriers to delivering a secure site might never be lower than they are now, there are still a lot of people struggling to “get to padlock.” We take a look at why it’s so important to be secure – even if you don’t think your website collects sensitive information – and offer some tips on how to get there.
Look up in your URL bar as you’re reading this page. See the little green padlock next to our address? (OK, it’s white if you’re using Microsoft Edge and gray in Safari, but whatever.) That indicates Technical Penguins is serving its pages to you using https://, or Hypertext Transfer Protocol Secure. And what that means is, if we were to directly collect any information from you, you’d know it would be passed across the nebulous internet, from your browser to our database, in an encrypted format.
We don’t collect credit-card information directly. We pass subscription payments over to Paypal, which has long been secure. So why do we care about whether we can show you that nice SSL green padlock or not? Well, there’s a really long answer to that, but the short answer is: We care because nothing is more important to us than our clients knowing we are legit.
Want to really scare yourself? Spend a day reading the Google Security Blog. If it makes sense at all – and we’ll be honest, some of that doesn’t even make a ton of sense to us, and this is the kind of work we do all day, every day – mostly it’s just a good way to get terrified about all the ways there are for people to take your information and use it inappropriately.
And that’s why you’ve probably noticed that browsers like Google Chrome, Mozilla Firefox and a bunch of others have, as of Fall 2017, started flagging content not delivered over https:// as “insecure.”
Google probably doesn’t think your particular content website with no input fields except a search box is especially worrisome, by itself.
But Google knows that its users care, and it wants to make sure that anything it surfaces for them via search results or direct URL type-ins either meets a minimum standard (ideal) or, if it doesn’t, includes a “let the user beware” disclaimer.
So what does this mean for you, as a website owner?
So, fundamentally, you’re probably reading this guide because you (and/or many of your users) access your website in Chrome, Firefox or another major browser that clearly indicates your status, and you don’t want to scare them off with a warning about insecurity.
The short answer is, your SSL green padlock matters because it will help your users – both the tech-savvy ones and the “I don’t really know what this link does so I probably should totally just click it and enter my Social Security Number anyway” ones.
You’ll be able to show that you’re committed to protecting any information they do share with you – whether that includes their credit-card number for a purchase or their email address for a newsletter signup or simply the terms they type into your search box.
The long answer is, these restrictions are only going to get more strict in the coming months and years. Google has been giving a minor SEO boost to https:// sites since 2014, but didn’t stop there. They began supporting a free SSL service in 2016, started flagging insecure content prominently this year, and now are moving on to create a list of sites that will be “preloaded” as https://-compliant.
I don’t think you need to be psychic to see where this is going, right? Doesn’t it sound like that list is the type of thing, much like Accelerated Mobile Pages, that will eventually get a premium placement in search results?
So you’re doing your users a favor. You’re doing your business a favor. Seems obvious that you want that shiny SSL green padlock, right? Unfortunately, we’ve worked with a lot of clients who started the process, got overwhelmed or confused, and threw in the towel – and some who didn’t even know where to start.
Keep reading for some tips to point you in the right direction if you’re going the do-it-yourself route, and some suggestions of what to make sure is done correctly if you work with a professional, whether us or anyone else.
Honestly, if you're just finding out about the importance of SSL by reading this, you really need to contact us like, yesterday. If you're just having issues with your own site's SSL certificate, we can help with that, too!
So where do you start working on your SSL green padlock?
We cannot state this more clearly: No one should be charging you money for the security certificate itself.
No one should be charging you money for the security certificate itself.
No one should be charging you money for the security certificate itself.
I heard in a couple of Facebook groups about people charging $100 or more above the cost of their setup time to get clients going on SSL. Maybe we’re just bad at the whole making-money thing, but … no. Don’t let someone do that. There are a number of free security-certificate-issuing authorities, and you or your developer should be working with them.
We recommend using Let’s Encrypt, which conveniently works with many hosting companies to make setup fairly simple. The important thing here is to talk to your host. In many cases, you can work with them at low or no cost to get the certificate and keys installed.
And if your host doesn’t support Let’s Encrypt or another free SSL service automatically, you may want to work with a web development and support firm (like, I don’t know, some Penguins, maybe Technical ones) to help you get set up manually, which is a little more complicated and usually requires SSH or shell access. Bonus tip: If you’ve never used SSH before, this isn’t the project to start with; ask your host to reconsider or hire professional help.
Once you’ve loaded the certificate, you may be able to see the https:// in front of your pages. But there’s still more to do. Next is setting your base URL. In WordPress, this is done under Settings -> General. You want both “WordPress Address (URL)” and “Site Address (URL)” to be your domain, with https:// in front of it. (For example, https://technicalpenguins.com). If you need help finding the equivalent of this in another service, you can Google “(service name) set base URL” or work with the service or host.
So, great, if you go to your website, you see https://mysiteiswonderful.com. We’re getting there. But what about all those people on Pinterest or other sites who are clicking links to http://mysiteiswonderful.com? For this, you need to set up redirects. In WordPress, this is done using an .htaccess modification. Once again, you can Google and get 30 versions of what to try; speaking from personal experience, be careful with these. Some hosts require using one particular method, and if you have other .htaccess mods, the order is important to get them all to keep working properly. We recommend Interserver (affiliate link) to our clients, and if you use them, you should be able to include the following under your first RewriteEngine On:
# Matches only requests that arrived on port 80 (plain http); https requests fall through untouched.
RewriteCond %{SERVER_PORT} 80
# Sends the same path to https. R alone is a temporary (302) redirect; L stops further rule processing.
RewriteRule ^(.*)$ https://yourdomainhere.com/$1 [R,L]
There’s a pretty solid chance you’ve done all this and are still showing the dreaded i in a circle instead of your SSL green padlock. That’s because one of the requirements for security is calling in secure resources as well, also known as avoiding mixed content. So if any of your images in your theme, your fonts, your links to other websites, etc., are coded in as http://, you’ll still see an error. The easiest way to check for this? Use Why No Padlock, a great – and free – site that will point out exactly what your remaining issues are.
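A small scanner that does the same job as Why No Padlock on a saved copy of a page, added here as an example (it is not Why No Padlock's code or the page's). It looks only at the sub-resources a browser actually loads, since those are what trigger the mixed-content error, and separates "active" content (scripts, stylesheets, frames), which browsers block, from "passive" content (images, media), which only costs you the padlock; the sample HTML and domains are constructed.

```python
"""Mixed-content finder for an https:// page: an added example, not Why No Padlock's code."""
from html.parser import HTMLParser

# Tags/attributes that load sub-resources. "Active" content (scripts, styles,
# frames, plugins) is blocked outright by modern browsers; "passive" content
# (images, media) only downgrades the padlock to a warning.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return  # simplification: only stylesheet <link>s are treated as loads
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            attr = table.get(tag)
            url = attrs.get(attr) if attr else None
            # Only http:// is mixed; https:// and protocol-relative // are fine.
            # <a href> is a navigation link, not a loaded resource, so it is skipped.
            if url and url.lower().startswith("http://"):
                self.findings.append((tag, url, kind))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page, assumed to be served at https://mysiteiswonderful.com.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/old.js"></script>
</head><body>
<img src="//images.example.com/logo.png">
<img src="http://mysiteiswonderful.com/wp-content/uploads/hero.jpg">
<a href="http://other-site.example/">a plain link is not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the sample it reports the stylesheet and the old script as active and the hero image as passive; the https script, the protocol-relative logo and the plain link are left alone.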
You can resolve these in a couple of different ways. You can try addressing particular issues individually – for instance, updating a JavaScript call in your header or something similar. But in most cases, your best bet is to attempt to replace most instances of http:// in your content database with https://. You can do a dry run to make sure you’re replacing exactly what you want, and you can choose to do it only on targeted sections of the database or the whole ball of wax. And, of course, if you’re looking at this and thinking “This sounds like a good way to accidentally replace all my content with links to my favorite cat GIFs,” we can help.
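The reason a blind search-and-replace can wreck a site is that WordPress stores widgets, theme settings and many plugin options as PHP-serialized strings that carry their own byte length, and https:// is one byte longer than http://. The following is an added example (not the page's, WordPress's or any plugin's code) of a replacement that fixes those lengths and reports what it would change before anything is written; the domain and the sample rows are constructed.

```python
"""Serialization-safe http:// to https:// replace with a dry run (added example)."""
import re

OLD = b"http://mysiteiswonderful.com"   # constructed domain, as in the post
NEW = b"https://mysiteiswonderful.com"
STR_HEADER = re.compile(rb's:(\d+):"')   # PHP serialized string: s:<bytes>:"<value>";


def replace_serialized_safe(value: str) -> str:
    """Replace OLD with NEW in one database value. WordPress keeps widgets,
    theme settings and many plugin options as PHP-serialized blobs in which
    each string carries its byte length; a naive replace leaves that length
    one short, unserialize() fails and the option is lost. Lengths are
    recomputed on bytes, the way PHP counts them."""
    data = value.encode("utf-8")
    out, pos = [], 0
    for m in STR_HEADER.finditer(data):
        if m.start() < pos:
            continue                 # header lies inside a string already handled
        start, end = m.end(), m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            continue                 # not a well-formed serialized string, leave it
        inner = data[start:end].replace(OLD, NEW)
        out.append(data[pos:m.start()].replace(OLD, NEW)
                   + b's:%d:"' % len(inner) + inner + b'";')
        pos = end + 2
    out.append(data[pos:].replace(OLD, NEW))  # plain HTML/text ends up here
    return b"".join(out).decode("utf-8")


def dry_run(rows):
    """Return (table, column, row_id, before, after) for each row that would
    change, without writing anything, so the list can be reviewed first."""
    changes = []
    for table, column, row_id, value in rows:
        new = replace_serialized_safe(value)
        if new != value:
            changes.append((table, column, row_id, value, new))
    return changes


# Constructed rows standing in for a SELECT over wp_posts and wp_options.
SAMPLE_ROWS = [
    ("wp_posts", "post_content", 1,
     '<img src="http://mysiteiswonderful.com/wp-content/uploads/hero.jpg">'),
    ("wp_options", "option_value", 2,
     'a:1:{s:4:"link";s:34:"http://mysiteiswonderful.com/about";}'),
    ("wp_posts", "post_content", 3, '<a href="http://other.example/">unrelated</a>'),
]
```

dry_run(SAMPLE_ROWS) lists rows 1 and 2 only, and row 2's declared length moves from 34 to 35 along with the scheme; the link to the other domain in row 3 is untouched.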
By this point, you’re probably showing your SSL green padlock on the home page. Yay, you! But you want to be sure to check a few different things.
These are a few of the types of spot-tests that we run for clients when we handle an SSL migration, so if you pass all these, you’re off to a pretty solid start toward being fully SSL-compliant.
Even if you don’t collect payment information or other obviously sensitive data, you’re going to lose users if your site continues to give insecure warnings. Get secure now – because the browser industry (Google and beyond) is only going to crack down harder in this area in the future, and you want to be ahead of the curve.