by Charles Groce, CEO of Pearl Street Consulting
Google announced a few weeks ago that the Chrome web browser would start marking sites that don’t support HTTPS as “insecure”, leveraging its web browser market share to improve web security standards. Soon after, Mozilla jumped on board and indicated it would do the same with the Firefox browser.
What does this mean for print and for you? Go to your computer, open your favorite web browser, and try entering HTTPS:// in front of your company website URL instead of the standard HTTP://. If you get a message about an Insecure Connection, then your site is not secured by what’s called an SSL (Secure Sockets Layer) certificate. The same goes if it’s blocked and won’t load at all.
Without going too much into the technicalities, think of an SSL certificate as a letter from a close business associate endorsing you and your business as authentic. This is what an SSL certificate issuer does for your website. They verify it is where you say it is and that you own it, and then, when a potential customer visits your site, tell them that your website is authentic and your web server isn’t trying to steal information. All of this goes on under the hood of your web browser without you having to do anything as a business owner…except have the certificate. Pretty neat, huh?
So why didn’t this come up before? Back in the early web, most data online was public text and images. HTTP actually stands for Hyper Text Transfer Protocol, and for the early web this was fine. However, as eCommerce began to evolve, and people began to understand how the internet could be used in business transactions, attempts to steal information and defraud users became more sophisticated.
The most classic of these is the so-called “man in the middle attack”. Without a way to verify that a website resides at a particular server, there’s nothing to stop a third party from pretending to host your website and collecting the information users submit to it. Moreover, information intercepted by an attacker can be sent on to your site in such a way that you think it originated from the legitimate user. Thus neither you nor your customer would know there was a “man in the middle”, passing information back and forth completely undetected.
The solution to this is the SSL certificate, which allows encrypted traffic in the form of the encrypted version of HTTP, HTTPS (HTTP Secure or HTTP over SSL), and introduces a third party certifier into your internet transactions. Prior to this week, HTTPS was considered optional and really only a necessity for those sites accepting credit card payments over the internet or offering browser-based email access (also known as webmail). As of the end of January, however, SSL has more or less become a practical requirement.
If your site doesn’t have an SSL certificate installed, your customers will start seeing “INSECURE SITE” notifications in their Chrome and Firefox browsers, and may think twice about sending work your way, especially if the data being sent is sensitive and has any liability attached to it. Be smart: reach out to your IT vendor and get this going today.
As far as the costs, that’s mostly for you and your IT vendor to work out. SSL certificates typically cost $50 to $100 and have to be renewed annually. GoDaddy can set you up. There’s also a free service called Let’s Encrypt that issues SSL certificates, but you may need to have the proper environment for this to be practical.
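The browser check described earlier can also be scripted, which lets you or your IT vendor watch the renewal date as well. The Python sketch below is an added example, not part of the original article; the function names, status labels and 30-day warning threshold are assumptions chosen for illustration.

```python
import socket
import ssl
import sys
import time


def days_left(cert, now=None):
    """Whole days until the certificate's notAfter date (negative if past)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify(error):
    """Map a connection failure to what a visitor's browser would show."""
    if isinstance(error, ssl.SSLCertVerificationError):
        return "untrusted-certificate"  # expired, self-signed or wrong hostname
    if isinstance(error, ssl.SSLError):
        return "tls-failure"            # handshake failed for another reason
    if isinstance(error, (ConnectionRefusedError, socket.timeout, socket.gaierror)):
        return "no-https-service"       # blocked, or the site won't load at all
    return "unknown-error"


def check_https(host, port=443, timeout=5.0, warn_days=30):
    """Connect the way a browser does and report the certificate status."""
    # The default context verifies the issuer chain and the hostname,
    # which is the check that defeats a "man in the middle".
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError as error:
        return {"host": host, "status": classify(error)}
    remaining = days_left(cert)
    status = "ok" if remaining > warn_days else "renew-soon"
    return {"host": host, "status": status, "days_left": remaining}


if __name__ == "__main__":
    # Usage: python check_https.py yourcompany.example
    for name in sys.argv[1:]:
        print(check_https(name))
```

A result of `renew-soon` means the certificate is still trusted today but will lapse within the warning window unless it is renewed.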
It’s best to stay ahead of these changes. Google already announced last year that it would begin degrading websites that don’t support HTTPS in their search results. With this latest announcement, they’re changing the web, and making it more secure. When you think about it, this is a historic moment in the life of the internet.
About the author: Charles Groce is the CEO of Pearl Street Consulting, a Michigan-based IT, web, and software consultancy. Charles is also the founder of osforprint.com, an open source technology solutions provider for the printing industry.