SSL is no longer optional for your website.

Your website should most likely be labelled with “Not Secure”. What does it mean, and how do you get it fixed?



Background

Nearly two years ago, Google announced that Chrome would eventually start marking all sites that are not encrypted with HTTPS as ‘Not Secure’ as an attempt to motivate site owners to improve the security of their websites.

On July 24th 2018, Google officially launched Chrome 68 and with it rolled out the warning labels on all websites.

Chrome is a widely used browser accounting to about 80% based on statistics by W3Schools, where their website receives 50 million visitors a month.

What do these labels mean?

As seen above, there are three (3) types of labels.

i) Not Secure

This means that you do not have an SSL certificate installed on your website. I’ll explain what that is, and how it helps in a bit.

ii) Secure

This means that everything is good – and you don’t need to do anything more.

iii) Notice

This usually means that while the site itself is secured, there may be some content that has been loaded on the website which is not secure. If you’re getting this, your website developer or webmaster will need to fix it. The most common things that cause these are external links using http:// instead of https:// or preferred simply as // to support both.

Some examples include:

  • External images shown on your website.
  • External links to javascript files such as jQuery.
  • External links to CSS files such as Bootstrap.
  • Embedding of Google Fonts, Analytics and pretty much any other services.

Note that, using https:// on any of these require the external service/server to have a valid SSL installed on their end too!

What does Secure mean?

Any communication over the internet could either be secured, or not. A secured communication means that the data that is received or transmitted is encrypted which prevents prying eyes from looking at it.

Let’s say – you’ve typed in your username and password on a website. If that information, when sent over the internet is not secure – then anyone between your computer — and the server/service — could potentially “see” that data. However, if the website is secured, then the same information is encrypted making it extremely difficult for someone to see it.

Should I care if my website doesn’t have any login forms?

Yes, you should. Login forms are just one example. Maybe, you have a contact form where you ask your website visitors to fill in a message to reach you. The information that they type in there would be transmitted insecurely which could allow someone to see it.

SSL is no longer optional. Add SSL to your website today to avoid losing visitor confidence and sales. Plus, with SSL you get all these benefits too:The other benefits of having your website secure include:

  • More secure user experience
  • Protect user privacy
  • Increased conversions
  • Boost search rankings
  • Increased user trust
  • Show you care about users’ data

How do I secure my website?

You’ll need to get an SSL certificate installed for your website. This could be done by yourself, your webmaster, website developer or your web host.

What is an SSL certificate?

SSL is short for “Secure Sockets Layer”. It was introduced in the mid 90’s as a protocol to secure traffic. While SSL itself is depreciated, the newer versions of SSL protocols are actually known as “Transport Layer Security” (TLS). The certificates however are still commonly referred to as SSL certificates.

An SSL certificate is used by the browsers such as Chrome, Firefox, Safari or Edge to establish trust, validate that it is valid with a Certificate Authority (CA) and use it to encrypt the communication between you — and the server/service that you are communicating with.

These certificates are issued by Certificate Authorities (CA) who vet and issue the certificates. There are a few types of SSL certificates:

  • Domain Validation (DV) SSL Certificate
    Domain Validation SSL certificates are the cheapest provided by well known SSL brands. They are also freely available through Let’s Encrypt, a free – automated – and open certificate authority sponsored by big names in the internet industry.Free SSL certificates are also included in some hosting plans offered by web hosting companies like Extreme Web Technologies. They are ideal for basic security for websites and blogs, and are usually issued in minutes.
  • Organisation Validation (OV) SSL Certificate
    Organisation Validation certificates are slightly expensive as have some documentation processes required such as verifying your organisation legal information. The certificate authorities usually ask for your business incorporation documents, as well as physical address and sometimes identities of website/business owners. These are always purchased separately — and are a must have for serious businesses. These could take about a week to be issued, sometimes a bit more.
  • Extended Validation (EV)

    Extended Validation certificates are the most expensive certificates available. They could cost unto $2000 per year and go through extended validation processes including credit checks. These certificates also include a special feature supported across browsers which makes the address bar green showing your company name. These certificates are a must have for internet banking portals, as well as other applications to ensure user trust in the service. These certificates take the longest time to be issued, generally between 2-4 weeks.

I have a certificate, but my website still shows Not Secure when accessed.

When website visitors type in your website link on the address bar, they end up on the non-secure version of your site. You may need to consult your website developer or hosting company to assist you with this. 

How to fix Not Secure on WordPress.

If your website is built on WordPress, then the simplest way to make the switch is by going to your WordPress Admin (wp-admin), under the Settings > General screen, update your WordPress Address (URL) and Site Address (URL) to include https://.

How to fix Not Secure on my website which is NOT built on WordPress.

This will work on pretty much any basic website on cPanel hosting, such as the hosting plans offered by Extreme Web Technologies.

Log into your cPanel, find the File Manager, under public_html folder, look for a file named .htaccess and edit it. If it doesn’t exist, you can create it and paste the following snippet.

Make sure to update your domain name in it:

# BEGIN SSL
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.co\.tz [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.co.tz/$1 [L,R=301]
</IfModule>
# END SSL 

I’m stuck and need someone to do this for me.
Please contact our customer happiness team at Extreme Web Technologies to assist you get your website secured.

This blog post was written by Mohsin Sumar (@mohsinsumar) who is the Founder and CEO of Extreme Web Technologies. Mohsin with his Customer Happiness team constantly strive to deliver top notch quality web hosting in Tanzania.

Image credits: Creativeart – Freepik.com

PHP / MySQL eCards tutorial

In 2003, I wrote a tutorial on how to build your own eCards service using PHP/MySQL. It was written and published on Flash-dB Forum. If you have any queries, please direct them to Flash dB – Flash eCards Forum.

The bad news is that the tutorial went off-air and I am unable to find it. If you happen to have a copy, please email it to me and if I do manage to find it, I will make a point to update this post.

However, the good news is that I have the zip archive with the scripts. Click on the link below to download.

Download PHP / MySQL eCards Tutorial