SSL Certificates, Your Business Website, and Chrome 68

Information has always been an important commodity of day to day life. Knowing how to perform complicated tasks like plumbing, running electrical lines, and hanging drywall is so prized that whole trades revolve around them.

Information also plays a critical role in identification. Details as simple as your name, address, and phone number say a lot about how to find you or your company. Others like your Social Security Number help the government identify who you are for everything from renewing a driver’s license to filing your taxes.

In today’s day and age, we are deluged, surrounded, and spoiled by the sheer amount of information we take in every day. We don’t differentiate between the importance of a life skill and a medical record nearly as much as we should because each is just a part of the ocean of 1s and 0s we expose ourselves to and take in every single time we pull out our smartphone or sit down at the computer.

As a result, we’ve become dangerously desensitized to the idea of giving out our personal information. The secrets we guarded with the utmost care even 20 years ago, from credit cards to contact details, are handed out today without so much as a second thought.

Our collective apathy regarding what information we type into a website has represented a gold mine for those who seek to find and exploit personal data. Bots, hackers, and scripts are able to lift data that isn’t encrypted with ease, and it only takes one instance of misplaced trust before you’re harassed by ads, phone calls, fraud, or even identity theft.

As awful as this problem sounds, the good news is that it is almost always extremely easy to avoid. You may have even noticed that most websites that take credit cards nowadays have “https” in their address bars instead of “http.” That extra letter represents a secure connection made possible by an installed SSL certificate – a security addition for websites that is designed to encrypt sensitive information you submit online. This protection makes your data unusable to hackers and their bots/malicious scripts, and can often be added to a website in a matter of minutes.

While most companies take this basic security step very seriously, Google alongside many other browser developers, companies, and online interests decided a few years ago that “most” wasn’t an acceptable percentage for the general public. They began to take steps toward making this protection a feature for all websites a few years ago, with the initiative being known by most as HTTPS Everywhere.

Not to be confused with the browser extension of the same name for Firefox, Chrome, and Opera, this initiative has made a lot of progress in a relatively short time. Mozilla and Apple have encouraged users to embrace secure browsing habits over the last few years. Most other browsers display some sort of warning in the address bar when visiting unsecured websites. Let’s Encrypt has become a reputable Certificate Authority (CA) that provides free 90 day SSL certificates for anyone to use.

Despite all of these names (among others) believing that any information submitted through a website should be protected, I singled Google out earlier because their commitment to helping us treat data of all types with the care it deserves stands above and beyond the others.

This began through gentle nudges, such as labeling any unsecured login, password, or contact field without https as “Not Secure” and giving an SEO boost to secured websites. In July of 2018, they stepped this encouragement up to the much stronger push we’ll be discussing here. If you have a business website that doesn’t use an SSL certificate, I encourage you to get comfortable with a beverage of your choice – because you need to read this.

Why? Because since July of 2018, Chrome, the browser created and maintained by Google, began labeling all websites that use http (in short, those that don’t add the “s” at the end with an SSL certificate) as “Not Secure.”

Every. Single. One. Right in the address bar for all to see.

If you run an informational website for your business that does not feature commerce or contact forms, I’m sure you’re wondering what functional difference this makes to you. On the surface, it won’t make any. Your website will still come up and operate the same way it always has at this time.

There are short and long term implications that are at play below these seemingly still waters though. Before elaborating on them, we’d like to clarify something.

From here, we are speaking hypothetically

If you’re looking for just the facts of the here and now, and have made it to this point, you’ve got them. If you want to avoid this now public shaming of an unsecured website, you can browse our SSL certificate selection.

The theories we will be discussing from this point are strictly our opinion. While they make logical sense as steps to expect for the future, nothing concrete has come of them to date.

We’re continuing because we feel these trains of thought have merit to you and your business – especially if you are still uncertain about whether you are going to get an SSL certificate due to price or a perceived lack of value for your business.

The short term implications of Chrome 68

Let’s say you’re a contractor who has a website without an SSL certificate. A prospective customer who needs to remodel their kitchen and knows nothing about websites opens Chrome and finds you when searching local companies on Google. They click on the link to your website, and when the URL switches in their browser, the first thing they see is that “Not Secure” warning staring them squarely in the eye.

How trustworthy is going to make you look on a first impression?

Frankly put, not very. A lot of people use Chrome as their browser of choice – around 60% according to statistical data (depending on who you ask), but maybe you’re thinking you’ll be able to ride this change out since the other 40% of people use Internet Explorer, Edge, Firefox, and Safari too.

If you’re thinking along these lines, I’m going to tell you this won’t last.

Mozilla, who maintains Firefox, supports HTTPS Everywhere, and has a tendency to follow suit with a lot of the changes Google makes. They already have an icon that shows when a password form is insecure on their address bar, and an alert system that comes up when typing in most unsecured fields. It would not be out of character for them to boldly mark unprotected websites as Google has now that the waters have been tested.

Firefox and Chrome play integral roles in a significant percentage of the Internet’s traffic. If these two titans stand together on this change, there is a reasonable chance that Apple and Microsoft will follow suit with Safari, Edge, and the limited versions of Internet Explorer that still receive support. Apple has already pushed for this on iOS apps; this type of move would give them the incentive to push further.

The long term implications of Chrome 68

Google has been playing the long game one step at a time since 2014. With that in mind, the question you should be asking yourself if you don’t have an SSL certificate on your website is “What are the next logical steps for Google to take in order to force my hand on this issue?” There are two we can think of that would make sense.

The first has to do with Search Engine Optimization (SEO). Google announced that having an SSL certificate on your website would be good for an SEO boost back in 2014. What do you suppose happens if they elect to penalize sites that don’t have one? Google has no real peers today when it comes to search engines, so a change like this would be extremely significant for any unsecured website.

The second has to do with website accessibility. When browsing the internet, I’m sure you’ve stumbled across a site or two that gives you a big error page alerting you to the fact that an SSL certificate has been configured incorrectly or that the site ahead contains malware and you are proceeding at your own risk.

Now imagine if these warnings came up on literally every http website, regardless of whether the site was safe to use or not.

Some of you might not have to imagine. Extensions and browser settings have existed for the last few years that do exactly that, and you may have even had this accidentally activated at one point or another in Chrome. In a world that already has a short attention span, that extra click or two would drive away most prospective clients if it were to be implemented universally.

This move would be a calculated gamble, as a lot of people would be upset by feeling forced to spend time and money on configuring an SSL certificate for their website, but as we stated earlier, Google really doesn’t have any peers in their industry. What would you be able to do about it if they decided to do this tomorrow?

Realistically, the answer is not much. You could personally switch to another browser, but as we mentioned earlier, the majority of people use Chrome as their first choice already. Among them, many will continue to use it despite such a radical change because they like the security, familiarity, and/or features it brings to the table.

As a result, it’s far more likely you’ll have to adapt and set up an SSL certificate for your website than the majority of people giving up on Chrome as their browser of choice. The alternative is losing a sizable percentage of new clients, and I can’t think of a small business that would voluntarily make that choice.

Yes, the idea that one company wields this much influence over the Internet is scary. A move like this is absolutely a power play. It’s also a very real possibility.

Looking to get ahead of the game?

We offer a selection of Standard SSLs and Premium SSLs for websites you’d like to secure on Linux and Windows hosting plans. We also include standard SSLs with any website we design – call 319-229-5225 to learn how you can get started online with a new, secure business website today!