You may have noticed that your browser now marks certain websites as “not secure”. Why? Are those sites dangerous? Are they compromised? Should you stay off of them? Maybe you’re wondering why your own website is showing the “Not Secure” message. Why does a website say “Not Secure”? The reason is actually pretty straightforward. Still, it can be hard to find simple explanations of why certain sites display that message. The goal of this article is to explain that to you in the easiest way possible.
Google wants people to know they are on a non-encrypted site
In late 2017, Google decided that its Chrome browser was going to mark non-HTTPS sites as “not secure” if they had any user input areas. That means any site that has a comment area, password field, or even a simple contact form. The change rolled out last summer. The reason for this change was to alert users that they were submitting information over an unsecured connection. Chrome’s eventual goal is to mark all HTTP sites “Not Secure”, regardless of whether there are user input fields.
I know what you’re thinking: “Anna, you said you were going to describe this simply.” So here’s the best analogy I can give to explain encryption.
HTTP and HTTPS are like passing notes in school
Remember being a kid passing notes in school? If the teacher caught you, she might snatch it right up and read it to the whole class, right? Imagine all of your secrets broadcast to the whole class like that! Well, that would be easy to do. Unless…you and your friend had invented a secret code for writing notes in class. If the teacher took a coded note, your secrets would be safe from the rest of the class.
You and your friend’s code is essentially the same as data encryption.
HTTP stands for Hypertext Transfer Protocol, and HTTPS is the secured version of that protocol. HTTPS is a means of protecting data while it is transmitted. Secure Sockets Layer (SSL) is the type of encryption that SSL certificates use.
SSL certificates require two keys. A website visitor will use a public key to talk to the website, or server. The server will then use its own private key to decode that data once it makes its way to the server.
Back to our note example. Let’s say the data passing between the website visitor and the server gets intercepted. The data is worthless if it’s encrypted. Basically, the teacher doesn’t have the key to the note you and your friend are passing. To the teacher, it looks like gibberish. SSL certificates add another layer of security to websites. They protect the data of website users.
Chrome and the other major browsers use the “not secure” notice to let people know they are passing a note that is “not written in code”. If the teacher catches it, she’ll be able to read it without problems.
Try it for yourself
Did you know that the Internet Assigned Numbers Authority, or IANA, has reserved special domains for teaching purposes?
Example.com is one of those domains. And you’ll notice that it can be accessed over HTTP or HTTPS.
If you visit http://example.com your browser should display its own version of the “Not Secure” message.
If you visit https://example.com your browser should show a padlock or similar “secure” message.
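To check your own pages against the rule described earlier (an HTTP page with user input areas gets the warning), here is an added example that is not part of the original article. The list of tags treated as input areas, the verdict strings and the shop.example pages are assumptions made for illustration, not Chrome’s exact logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that accept visitor input: comment boxes, password fields, contact forms.
# (Assumption of this example, not Chrome's exact list.)
INPUT_TAGS = {"input", "textarea", "select"}
# <input> types that are controls only and carry no typed data.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}


class InputFinder(HTMLParser):
    """Collects the user input areas found in one HTML document."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in INPUT_TAGS:
            return
        attrs = dict(attrs)
        # An <input> without a type attribute behaves as a text field.
        kind = (attrs.get("type") or "text").lower() if tag == "input" else tag
        if kind not in NON_DATA_TYPES:
            self.fields.append(kind)


def audit_page(url, html):
    """Return (verdict, fields) for one page under the rule described above."""
    finder = InputFinder()
    finder.feed(html)
    if urlsplit(url).scheme.lower() == "https":
        return "encrypted", finder.fields
    if finder.fields:
        return "not secure: input over HTTP", finder.fields
    return "HTTP, no input fields (flagged once all HTTP is marked)", finder.fields


# Constructed sample pages (not real sites).
CONTACT = '<form><input type="text" name="email"><textarea name="msg"></textarea><input type="submit"></form>'
LOGIN = '<form><input name="user"><input type="PASSWORD" name="pw"><input type="hidden" name="t"></form>'
STATIC = "<h1>About us</h1><p>No forms here.</p>"

if __name__ == "__main__":
    for url, html in [("http://shop.example/contact", CONTACT),
                      ("https://shop.example/login", LOGIN),
                      ("http://shop.example/about", STATIC)]:
        print(url, "->", audit_page(url, html))
```

Pages that come back with the “not secure: input over HTTP” verdict are the ones to move to HTTPS first.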
Why start marking sites as “Not Secure”?
In the early years of SSL, it was mostly thought that only sites passing sensitive information needed encryption. Things like credit card numbers and social security numbers. In more recent years, people have started to become wary about other types of data. If you think about it, you don’t want your phone number or email address passing across the internet either. The awful truth is that the more popular the internet becomes, the more bad guys will try to take advantage of that.
Good news on security trends
According to Google, since they started calling attention to HTTP connections, security has greatly improved. For example, 83 of the top 100 sites on the web use HTTPS by default, up from 37. The eventual goal is to have 100% of websites secured over HTTPS. The good news is it’s getting easier to install and manage SSL certificates on websites.
HTTPS is easier and more affordable than ever
A few years ago, I remember seeing the cost of SSL certificates up into the triple digits for just a year. Luckily, now that SSL is being embraced as something needed for all websites, they are becoming much easier to purchase and configure.
Several hosts now offer inexpensive SSL certificates that they will help install. Some have even partnered with Let’s Encrypt. Let’s Encrypt is a free, open source provider of security certificates. The service is legit too. If you poke around on their website, you’ll notice that some of the largest names in internet security are sponsors of the movement. Several web hosts, including our favorite, SiteGround, even offer one-click setup for Let’s Encrypt certificates. These certificates auto-renew, taking one more step out of managing your site. They are essentially a “set it and forget it” security measure.
Still have questions on HTTPS?
We recommend installing an SSL certificate to all of our customers. We expect Google and the other browsers to become even more strict on HTTPS and HTTP connections. If you want more details or have further questions, feel free to post them in the comments section. You can also reach out to us directly.