Is your website secure?


Would you put your bank account information on a postcard and drop it in the nearest mailbox, leaving that card to wind its way through local and regional sorting and handling before it is delivered to the intended recipient on the other end of the country? Of course not. We all know that postal workers are not supposed to read mail or divulge anything they may see. But common sense tells you that putting sensitive information out there for anyone to see (and possibly copy or steal) is not a good idea.

Yet, that’s pretty much how regular websites work. Content going from the server to your browser and from your browser to the server travels unencrypted. That means anyone so inclined can peek in at that stream of data and see what is being sent. While that may not be a big deal for regular content on a web page that is already intended to be public information, what about when you submit a message on an online form? Or submit a password to log in somewhere? Or do online banking?

You’ll probably say that banks already use secure websites with encrypted communication and you’d be right. But today we send so much more information back and forth across the internet. And there are more attempts to steal that information than ever.

That’s why having a secure connection from your browser to the far away web server is more important than ever. And not just when you do online banking. When I wrote the ebook “7 Deadly Website Mistakes” last winter, I put having a non-secure website as the #1 mistake. Almost nothing you do will drive away customers faster.

Google agrees. Currently, if you go to a regular, non-secure website using the Chrome browser and click on the info button in front of the URL in the address bar, you’ll see a warning that this is a “not secure” connection. Contrast that with how Chrome handles a secure connection. Google wants you to get the difference.

The stakes are getting higher. Google has told us for a while that whether a website is secure or not plays into its ranking in searches. (Along with a boatload of other things.) Now they are about to make that clear as day, by showing a “NOT SECURE” warning if you try to enter anything into a form on an HTTP page. If you use their Incognito mode, ALL HTTP pages will get “NOT SECURE” warnings. Will that scare away your visitors? You bet.
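A site owner can find the forms that would trigger this warning before visitors do. The following is an added example, not code from the original post: it parses a page's HTML and reports every form whose typed input would travel over HTTP. It goes one step beyond the case described above by also flagging an HTTPS page whose form submits to an HTTP address. The function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

IGNORED = {"hidden", "submit", "button", "reset", "image"}  # nothing typed by the visitor

class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and input types."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._open = {"action": action, "types": []}
            self.forms.append(self._open)
        elif tag in ("input", "textarea") and self._open is not None:
            self._open["types"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(page_url, html):
    """Return one finding per form whose typed data would travel over HTTP."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_is_http = urlparse(page_url).scheme == "http"
    findings = []
    for form in collector.forms:
        typed = [t for t in form["types"] if t not in IGNORED]
        if not typed:
            continue
        if page_is_http:
            reason = "page is served over HTTP"
        elif urlparse(form["action"]).scheme == "http":
            reason = "HTTPS page submits to an HTTP address"
        else:
            continue
        findings.append({"action": form["action"], "reason": reason,
                         "password": "password" in typed})
    return findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """<form action="/login" method="post">
<input type="text" name="user"><input type="password" name="pw">
<input type="submit" value="Log in"></form>"""
```

Calling `audit_forms("http://yourgreatsite.com/", SAMPLE)` returns one finding with `password` set to `True`; the same markup served from an `https://` address returns an empty list.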

Wait a minute! What is a secure web page and what is a not secure page?

If you look at a full web address (URL), it will look like this: http://yourgreatsite.com. HTTP stands for Hypertext Transfer Protocol. It’s the foundation of data communication on the web. And it does its work in the open. So it’s easy to snoop or even interrupt the data flow. You may have heard of man-in-the-middle attacks. That’s when someone jumps into the communication between browser and server and diverts the traffic to another server to steal information or to make you think that you are connected to the intended server, but you are really giving all your information to somebody else. (Think of it as placing a call to your local Girl Scouts to order some cookies and instead it’s the Russian Mafia answering, but in their sweetest voice, so you don’t suspect a thing.)

To fix that problem, a secure protocol was developed: HTTPS. If you look at a full web address, it would be https://yourgreatsite.com. This protocol encrypts the traffic from your browser to the server and keeps prying eyes out. Instead of sending all your communication in big letters on postcards, you’re using thick envelopes that can’t be seen through.

Switching to HTTPS definitely means getting an SSL Certificate (Secure Sockets Layer). This is the bit of magic that creates the encrypted connection from browser to server and establishes trust. Depending on where you get the SSL certificate, it could be free or cost $30-$100 for a basic SSL certificate. All SSL certificates have an expiration date and must either be renewed manually (including payment) or be auto-renewing. If the SSL certificate is expired or invalid, the connection from browser to server is not encrypted.
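Because every certificate expires, it is worth checking the expiration date on a schedule so that a missed manual renewal or a failed auto-renewal is caught early. The following is an added example, not code from the original post: it reads a certificate's expiration date and classifies it. The function names, the 14-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_left(cert, now=None):
    """Whole days until the certificate's notAfter date; negative once expired."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(not_after, timezone.utc) - now).days

def classify(cert, warn_days=14, now=None):
    """Map a certificate to 'expired', 'renew now' or 'ok'."""
    remaining = days_left(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:  # warn_days is an assumed threshold
        return "renew now"
    return "ok"

def check_host(host, port=443, warn_days=14):
    """Fetch the live certificate the way a browser would and classify it."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), warn_days)
    except ssl.SSLCertVerificationError as err:
        # Expired, self-signed or wrong-hostname certificates fail the handshake.
        return "invalid: " + err.verify_message

# Constructed sample in the shape getpeercert() returns; only notAfter is used.
SAMPLE_CERT = {"notAfter": "Jun 15 12:00:00 2030 GMT"}
```

`check_host("yourgreatsite.com")` performs the live check and needs network access; `classify(SAMPLE_CERT, now=...)` exercises the same logic offline.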

For a website owner, changing from using HTTP to using HTTPS may mean needing to upgrade the hosting package:

Shared hosting
Many bloggers, small business and nonprofit websites use shared hosting, which is the cheapest form of hosting. Take one server and cram 1000s of websites on it (which is why it’s so cheap) and you have shared hosting. But just like stuffing 24 college kids into a VW Beetle may be possible, it’s not a good idea nor will the car actually drive (or at least drive safely).

Shared hosting means every website on that server shares the processor and memory of that server. If one site all of a sudden has a ton of visitors, or runs a process that uses more resources, there’s less for the other sites and service may crash. So it’s not a very robust system. The hosting company counts on most sites not having that much traffic!

Many hosting providers also either don’t provide the option to change your site on shared hosting to HTTPS without going to a more expensive plan or they sell you one type of SSL certificate only. Either way, you’re stuck with lower performance.

Your own VPS (Virtual Private Server)
VPS is the next step up. Instead of a thin slice of the pie that can get thinner at a moment’s notice, you get a designated portion of the resources of the server box. For instance, if the physical server has 8 processor cores and 400GB of disk space, you can get a VPS that uses 2 cores and 100GB of disk space and that will all be yours. A VPS costs more than shared hosting, but your site loads faster and the service is more reliable. Plus tech support should be much more responsive.

Most VPSs allow you to use Let’s Encrypt to secure your website. Let’s Encrypt was created by companies in the tech arena to bring free SSL certificates to folks like you and me, so that the web will be a safer place. Instead of paying extra $$ for an SSL certificate that has to be renewed, you can get a free, auto-renewing Let’s Encrypt SSL certificate on your website with a few clicks.

Depending on the size and resources allocated to a VPS, it can safely run from 10 to 100 websites.

Buy space on your web designer’s VPS
For the small business or non-profit that only has one website, the resources of a VPS may be overkill. (Like getting a brand new computer with the latest graphics card just to do some email and word processing.) Maybe you really don’t need all that power and would be a good candidate for getting a portion of a VPS.

Like many other web designers and developers, I sell hosting on my VPS to my clients. You get all the benefits of a VPS (faster server, dedicated resources, safer environment, free SSL) at a fraction of the cost of your own VPS. I provide that option when you subscribe to Website Minder, my ongoing website monitoring and maintenance package.

The internet is ever changing. A year from now, we’ll probably wonder why anyone was ever silly enough to have their website send all information in the clear.

But as I write this, we’re in the middle of a transition. If you care about your website and your website visitors, you’ll get it moved over to use HTTPS for safer browsing. Sooner, rather than later.

Your website visitors may or may not verbally thank you, but more importantly, they will trust you when your site shows up with a padlock in their browser. And that, as the commercials go, is priceless.
