I’ve blogged before about the importance of making sure you’re serving your content over HTTPS. Not only is Chrome now marking sites not served over HTTPS as “not secure” in the browser, Google is giving increased weight to HTTPS sites in search results. It’s never been easier to serve your sites securely, but the certificate itself is only part of the equation here. We need to talk about protocols like SSL and TLS as well.

Server software like Apache and Nginx would previously serve secure content over the SSL (Secure Sockets Layer) protocol. This is the case for the web as well as email. SSL was succeeded by TLS (Transport Layer Security). The problem is that the various SSL protocol versions have been found to be insecure. A few years ago SSL 3.0 was found to be attackable thanks to the POODLE attack. At this point, you should have moved your servers off SSL and be using the TLS protocols.

Run Some Tests!

If that’s Greek to you (and most of it is to me as well), don’t worry. If you have server or IT admins who take care of your servers, chances are they’re on it and have been on TLS for several years now.

Highedwebtech.com SSL Test results

You can use Qualys’ SSL Server Test site to see what protocols your server is using and make sure you’re up to date with everything. You can see my report here. I use Let’s Encrypt for my certificate. Take a second and check out that A+. Feels good.

The SSL Server Test will also tell you which TLS and SSL protocol versions you’re running. You shouldn’t be running any SSL versions; if you are, the test will dock you heavily. Here’s an example:


You should be serving your website content over TLS 1.2 at this point. Why? Here’s more detail from GlobalSign:

As a best practice, you should configure your servers to support the latest protocol versions to ensure you are using only the strongest algorithms and ciphers, but equally as important is to disable the older versions. Continuing to support old versions of the protocols can leave you vulnerable to downgrade attacks, where hackers force connections to your server to use older versions of the protocols that have known exploits. This can leave your encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.

Earlier this summer, TLS 1.3 was ratified and released. If you are able to upgrade to it, you should. If you don’t want to run a full SSL test, you can run just a check of which TLS versions you are serving. Here’s a TLS Test from CDN77. Here are my results below. This site is coming to you over TLS 1.3. Again, feels good!
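The two hosted tests above (Qualys and CDN77) probe your server one protocol version at a time and then judge the result against the advice quoted from GlobalSign: legacy versions enabled is a failure, TLS 1.2 missing is a failure, TLS 1.3 missing is worth a nudge. The script below is an added example, not part of this post or of either test service, that does the same thing for a host you operate using only the Python standard library. It assumes Python 3.7+ on an OpenSSL 1.1+ build; SSL 3.0 itself cannot be requested through Python’s `ssl` module on current builds, so the POODLE-era protocol is not probed here. The probe disables certificate verification on purpose, because its only question is “does the handshake complete at this version?”, not whether the certificate is trusted.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first. SSL 3.0 is not in this table because modern
# Python/OpenSSL builds refuse to negotiate it at all.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

# Versions that should be disabled on a well-configured server.
LEGACY = ("TLS 1.0", "TLS 1.1")


def make_context(version):
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.create_default_context()
    # Protocol probe only: skip trust checks so a handshake failure means the
    # server rejected this version, not that the certificate chain is untrusted.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version   # raises ValueError if OpenSSL lacks the version
    ctx.maximum_version = version
    try:
        # Without this, OpenSSL's own security level can refuse TLS 1.0/1.1
        # locally and the probe would never reach the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and some builds do not understand @SECLEVEL
    return ctx


def supports(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to `version`,
    False if it refuses, None if the local stack cannot even try."""
    try:
        ctx = make_context(version)
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False
    except OSError:
        return None


def probe(host, port=443):
    """Map each protocol name to True / False / None for the given host."""
    return {name: supports(host, ver, port) for name, ver in VERSIONS.items()}


def assess(results):
    """Apply the post's rules to probe results and return (severity, message) pairs."""
    findings = []
    for name in LEGACY:
        if results.get(name):
            findings.append(("FAIL", f"{name} enabled: disable it to remove downgrade-attack surface"))
    if not results.get("TLS 1.2"):
        findings.append(("FAIL", "TLS 1.2 not offered: modern clients expect it"))
    if not results.get("TLS 1.3"):
        findings.append(("WARN", "TLS 1.3 not offered: enable it if your server software supports it"))
    return findings


def grade(results):
    """PASS only when no FAIL-level finding is present."""
    return "FAIL" if any(sev == "FAIL" for sev, _ in assess(results)) else "PASS"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    res = probe(target)
    for name, ok in res.items():
        state = {True: "offered", False: "refused", None: "not testable here"}[ok]
        print(f"{name:8s} {state}")
    for sev, msg in assess(res):
        print(f"[{sev}] {msg}")
    print("Overall:", grade(res))
```

Run it as `python tlsprobe.py yourhost.example` (the filename is a placeholder). A `None` result for TLS 1.0 or 1.1 means your own OpenSSL build no longer speaks that version, which is fine for a client but tells you nothing about the server; use one of the hosted tests for those rows in that case.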

TLS Test Results

Recent versions of the Chrome browser make it more visible to users when a site is served over SSL/TLS and HTTPS. Instead of showing just a green padlock, Google has added the word “Secure” to that area.

The bar now looks like this:

SSL site in Chrome

For non-secure, regular sites, there will continue to be an icon that shows the user they can get more info about that site.

Non-SSL site in Chrome

If users click on that site, they see this text:

What users see on non-SSL site

This small change is just the beginning. At the end of January, Chrome will start marking sites served over plain HTTP specifically as “Not secure”. WordFence shows in this image how Chrome will display all sites that aren’t served securely:

Non-secure site in Chrome

WordFence released a good blog post on these changes here.

This is a good thing: serving over SSL/TLS and HTTPS not only gives better protection for your data, it also lets you, if you want, get some speed increases via HTTP/2.

On the downside, it may drive your campus or freelance clients to ask why their sites aren’t showing up as secure.

It will also drive users to think that something is wrong with their site or their information has been compromised. We will need to communicate to those users as well.

It will be a good opportunity for us as web developers to have a conversation about basic security and why technologies like SSL are important.

Luckily, installing SSL certificates is much easier now thanks to groups like Let’s Encrypt. They’ve taken the headache out of issuing and maintaining SSL certificates. The majority of the sites I host and support serve certificates from Let’s Encrypt, including this site.

With the pain removed, for the most part, there are fewer and fewer excuses not to serve your site over HTTPS/SSL.

The challenge here remains that not enough shared web hosting providers are offering easy and affordable SSL. Kudos to Dreamhost for being one of the largest hosts to offer free, no-configuration SSL to their hosting clients. Let’s hope more and more companies join in.

I’m writing a longer post about this, but on the side, I have a web development and support company. We do hosting for many sites, and we are making free SSL (at least) the default for all the sites we begin hosting in 2017. We’re also retrofitting all the sites we’ve previously launched. It’s just a click of the mouse for us, so there’s no excuse not to. Add in automatic renewal of the certificates, and it’s dead easy for developers and hosting companies to support.

If you’re a higher ed blogger, agency, freelancer, small business or non-profit, and want inexpensive web hosting with security like free Let’s Encrypt certificates included, contact me. I can help.