Effective this month, Chrome will begin to clearly label sites without a secure connection on pages that ask for password and credit card inputs. Their long term goal is to start flagging all sites that are non-secure, regardless of the page.

What does it mean to have a Secure Site?

A securely connected site has an associated Secure Sockets Layer (SSL) certificate, which signifies to the browser and to the web user that your site is secure and safe to enter login information and make payments on. For an in-depth explanation of SSL, please refer to our SiteWrench Support website.

When your site is secure, it is reachable at the "https://" URL, and a little green lock symbol appears in the browser. Historically, this is how it appeared prior to Chrome’s change.

Now with this change in Chrome, that green lock is reinforced by a “Secure” lock message as well.

Google Chrome’s Change for Non-Secure Sites

The change is a small one, and mostly impacts the little message at the top of your browser bar. On a secure site, you'll now see the work “Secure” next to the green lock symbol. On a non-secure site that is pulling in HTTP, Chrome will display “Not Secure” at the top. Right now, this will only occur on pages that ask for secure information like passwords and credit cards. This message will not display on all pages.

Source

While right now the change only affects pages where secure information is required, in the future Chrome will eventually change the browser bar so that all sites that are not secure will show this message on every page. Google says they will roll this out in phases.

Source

Why is Google Chrome doing this?

Google has several reasons for encouraging website owners to purchase SSL certificates for their sites. From a security standpoint, the web is safer when sites are verified and secure. Indicating clearly that a site is secure or not should help users avoid scams, and give them that extra measure of protection when they do use their personal information for online purchases and logins.

In addition, Google Chrome has unveiled new features that are not usable with HTTP, like the geolocation API that our Locator Page Part relies on to auto-fill in the user’s zip code. Without HTTPS, you could not use this very important tool.

What does this mean for my site?

As a SiteWrench client, your site is secure by default, with the current exception of the Admin side of your site. It is not required by us to have a dedicated SSL, as your site will automatically use SiteWrench’s wildcard SSL certificate if a page needs to be secure for donations and payments. This means that Chrome’s changes this month will not directly affect you, as your browser will not display “Not Secure.”

A wildcard SSL certificate is a super SSL certificate that protects any subdomain. In this case, the wildcard SSL certificate is *.sitewrench.com, so anything that comes before .sitewrench.com is protected. All SiteWrench sites exist at the .sitewrench.com side of this domain and are therefore secured.

However, if you rely on our wildcard SSL, it means that your site will flip from http://www.yourdomain.com to https://yourdomain.sitewrench.com, as this is the secure version of your site. While this default option keeps your web customers and users safe and is better than not having an SSL at all, it is not optimal for your site in the long term. You will lose out on key analytics data, you will not be able to use Chrome’s HTTPS specific tools, and search engines will rank you lower than your competitors who have dedicated SSL certificates.

In addition, if you forever rely on our wildcard SSL and opt not to obtain a dedicated SSL for your site, these future changes that Chrome intends to make will directly affect you. The only way to avoid Chrome’s flag for a non-secure site in the future is for us to force HTTPS across your site. Without a dedicated SSL, your site will forever pull in at https://yourdomain.sitewrench.com. This is not optimal for your marketing or Search Engine Optimization needs.

In addition to being flagged in regards to ranking and search, having a site with a red warning to your site's visitors will have a major impact on user experience. The user to your site may feel that they are at risk for malware or other online danger, which may prevent them from engaging and ultimately converting to a customer.

If a web user tries to navigate to your dedicated URL using https:// when no SSL certificate is applied to the site, it would trigger a warning message to the web user and show a strikethrough https:// in red. Without a dedicated SSL, your site is only protected using our wildcard SSL at https://yourdomain.sitewrench.com. This warning can be avoided if you obtain a dedicated SSL certificate for your domain for https://www.yourdomain.com.

Our recommendation is that you obtain a dedicated SSL for your site sooner rather than later, as Google Chrome’s changes will directly affect you in the future.

It’s not only Google Chrome that is enforcing more obvious warnings surrounding SSLs. Mozilla Firefox has already announced its new feature to display a warning when a login page does not have a secure connection. Similarly, the whole web is moving in this direction.

How can I obtain a dedicated SSL for my site?

We are happy to assist you with your SSL certificate. Our team can completely manage your SSL certificate and apply it to your site. Our process and pricing includes the purchase of the certificate, applying the certificate to our servers, testing the certificate, and configuring it on your SiteWrench site. The turnaround time is typically 48 hours.

The cost can vary depending on your SSL needs:

• In most cases, you will need to protect a single primary domain. The yearly $200 cost includes the single certificate, as well as our time implementing it and managing it.
• In some cases, you might need a multi-certificate for up to 5 subdomains. The yearly $300 cost includes the multi certificate, as well as our time implementing it and managing it.
• In few very cases, some sites require their own wildcard certificate to protect all subdomains. The yearly $450 cost includes the wildcard certificate, as well as our time implementing it and managing it.

If you are a new Speak client and you already own an SSL certificate, please reach out to our team to discuss options for implementation, or make sure you mention this during the launch preparation process for your site. It is imperative that we continue to protect your newly launched SiteWrench site, as Google and other search engines have cached your existing site as secure.

It is possible in some cases to use an existing SSL certificate you own already. This will depend on your SSL provider, which server the SSL is set up on, and who manages it. If it is possible to use this existing SSL, the only charge you will incur is the hourly fee for implementing this SSL on our servers. With this option, your team maintains the SSL as well as the process of yearly renewal.

For more detailed information on how the SSL setup process works, please contact our Sitewrench Community Manager by submitting a ticket through your site or email support@sitewrench.com.

Additional Resources about SSL recommended by our team:

• https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
• https://www.google.com/transparencyreport/https/grid/
• https://www.troyhunt.com/ssl-is-not-about-encryption/
• https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn
• https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https
• https://www.mozilla.org/en-US/firefox/51.0/releasenotes/
• https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox