GlobalSign Blog

16 Feb 2016

The Rise of the Encrypted Web

If you haven't already made the switch from HTTP to HTTPS, now is a great time to add security to your site.

How Do Browsers Promote Encryption?

Google has been promoting the use of encrypted websites for some time now. It was first discussed at Google I/O 2014 in a talk by Ilya Grigorik (Web Performance Engineer) and Pierre Far (Product Manager), called 'HTTPS Everywhere'. In the video they explain the need for encryption and call for all websites to start using it. They also announced that Google would start to consider this a ranking factor.

Mozilla and Apple have also both indicated a move towards promoting online encryption.

The US government has followed suit by giving all government websites until the end of 2016 to make their public websites encrypted and more secure. The announcement came from the White House on 8th June, 2015.

Recent announcements about Google shaming HTTP websites with a red padlock are in fact rumors. Google engineer Chris Palmer proposed some UI changes in order to make it more evident that someone is browsing a non-secure website. At this stage, they were simply discussing UI changes and nothing more. What we do know is that Google is promoting the use of encryption and wants to raise awareness and educate users on this issue. Whether or not a big red cross will be on non-secure websites in the future is unknown.

Three Levels of Digital Certificates

There are three levels of assurance and identity that SSL/TLS Certificates provide.

A business owner should encrypt their data to protect their customers and personal data, and a customer will want to see the identity of the business owner so they can make an educated trust decision. A business owner must therefore also consider how they want their business to be perceived by potential customers and how much trust they believe those customers need before supplying their personal information. This will vary depending on brand and industry.

Extended validation (EV)

At the highest assurance level there is the EV SSL Certificate. For an eCommerce or financial website, an EV SSL Certificate is best practice. EV SSL Certificates provide the highest level of identity verification, which enables the familiar "green bar" in the browser that displays your company's name. This allows website visitors to immediately view the identity of the website owner, which conveys immediate trust. You can find out more about different types of certificates here.

EV Green Bar

Organization validated (OV)

OV SSL Certificates contain the company's name and location, which enables website visitors to make an educated decision about the site they are visiting. A Certificate Authority (CA) will ensure that the person purchasing a certificate owns the domain, that the business is a registered business and that the individual is authorized to request a certificate for that organization. If your business needs to provide its identity to external communications or website visitors, this option of certificate fits well.

Domain validated (DV)

If you only want to provide encryption, but do not want to provide identity to your customers, a DV SSL Certificate is enough. This can be ordered via a fully automated process in minutes using a number of different domain validation methods. While the level of encryption offered is the same with each SSL Certificate type, DV SSL Certificates are, as the name implies, only domain validated. No identity assurance is provided with these certificates. Because of this, website visitors do not know who they are communicating with.

Which certificate is best for me?

At the moment Google and other major browsers and companies are working to get all websites encrypted, but not a lot is being done to push companies to get a higher level of certificate. Because a DV SSL Certificate only involves proving you own a domain, it is a lot cheaper and quicker to purchase. This makes it the prime choice for companies who want a quick fix to their website security.

As mentioned above, the choice is less a matter of how quickly or cheaply you can buy a certificate and more about how security will impact your brand, the value of its identity, and trust with your customers and prospects. Depending on your website and target audience, you should select the certificate that best meets your needs.

Other Reasons Your Website Visitors Will Get a Degraded UI

Simply having an SSL Certificate is not always enough to remove any degraded UI, like a warning message. Here are a few other things that might make your website visitors suspicious about your site:

  • Mixed content - if your page has secure and insecure content, a user may still see a warning message.
  • SHA-1 - if your site still uses a certificate signed with SHA-1, you will receive just a standard HTTP UI in most browsers.
  • If the communication is secured with a weak cipher algorithm, or an outdated version of SSL (SSL versions 1.0, 2.0 and 3.0, and now TLS 1.0 is also being deprecated), you will see a degraded UI.
  • If the certificate you are using isn't configured for your site. For example, if the name on the certificate is different to the name on your website you will receive a warning sign like you do when you click the link above.
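
The conditions in the list above can be checked mechanically. The following Python sketch is an added example, not GlobalSign's code or a browser's actual logic: it scans a page for subresources loaded over plain HTTP and tests a connection summary for a SHA-1 signature, an outdated protocol version and a certificate name mismatch. The function names, the `conn` dictionary layout and the sample values are assumptions made for illustration, and cipher strength is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Version strings as returned by Python's ssl.SSLSocket.version().
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# Constructed sample: an HTTPS page that loads one script over plain HTTP.
SAMPLE_HTML = ('<a href="http://example.org/">partner</a>'
               '<script src="http://cdn.example.com/app.js"></script>'
               '<img src="https://shop.example.com/logo.png">')
SAMPLE_CONN = {"protocol": "TLSv1", "signature_hash": "SHA-1",
               "cert_names": ["*.example.com"]}


class MixedContentScanner(HTMLParser):
    """Collects subresources fetched over http://; <a href> is navigation, not mixed content."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src")
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href")
        if url and urlparse(url).scheme == "http":
            self.insecure.append(url)


def name_matches(hostname, pattern):
    """A '*' may replace exactly one left-most label of the host name."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pat[2:]
    return host == pat


def degraded_ui_reasons(hostname, html, conn):
    """Return which of the listed conditions apply; conn keys are a hypothetical shape."""
    reasons = []
    scanner = MixedContentScanner()
    scanner.feed(html)
    if scanner.insecure:
        reasons.append("mixed content: " + ", ".join(scanner.insecure))
    if conn["signature_hash"].upper().replace("-", "") == "SHA1":
        reasons.append("SHA-1 certificate signature")
    if conn["protocol"] in OUTDATED_PROTOCOLS:
        reasons.append("outdated protocol: " + conn["protocol"])
    if not any(name_matches(hostname, n) for n in conn["cert_names"]):
        reasons.append("certificate name mismatch")
    return reasons
```

Calling `degraded_ui_reasons("shop.example.com", SAMPLE_HTML, SAMPLE_CONN)` reports three of the four conditions; the wildcard name covers `shop.example.com` but would not cover the bare `example.com`.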

How Does HTTPS Impact Search Rankings?

In a recent Mozcast, HTTPS results accounted for 25.9% of the top search results and this figure continues to rise.

With the increased number of phishing and man-in-the-middle attacks, it has become more evident that online identities need to be proven and trusted to allow people to have safer experiences online. A big part of this is in educating end users, and Google also knows that by influencing search rankings they can bring this matter to the attention of business owners and website administrators as well.

How Do I Know If I Need to Upgrade My Encryption?

Generally speaking, all websites should have some level of encryption on them. When you take information from your website visitors like name, address, card details, etc., you are in a position where you are responsible for managing that data and should therefore be responsible for encrypting your website and the data received through it.

You can also input your website into the SSL Server Test. This tool will tell you exactly what you need to do in order to get an A score for encryption.

SSL Server Test

Another way to check if your SSL Certificate is out of date is by using your browser's developer tools. Google announced a new security panel in Chrome Developer Tools to check the status of a website's SSL Certificate, connection information and whether or not the site contains mixed HTTP and HTTPS content. This was introduced in Chrome 48.

It is in this DevTools Security Panel where you can check the status of a website's SSL Certificate, the TLS connection and whether or not the site has mixed HTTP and HTTPS content.

Follow the Suit of Google

So in summary, if your website isn't already encrypted you should contact a CA immediately in order to get it encrypted with an appropriate SSL Certificate. If you are encrypted, then you should think about upgrading your certificate in order to comply with best practice and to make your customers feel safe about transacting with you on the internet.

GlobalSign has been a trusted certificate authority for 20 years. You can get in touch with us today and we will help you find the right encryption solutions for your business.
