Have you noticed a lot more websites displaying “Not Secure” in the browser address bar?
This spring, websites I’ve visited for years, have started showing up as “Not Secure” in my browser. It’s not because anything changed on those websites. It’s exactly because nothing changed.
Our major web browsers have started “outing” websites that are still not encrypting the communication from your browser to the server.
Websites that do encrypt that connection display a padlock in the browser address window. And may also spell out “HTTPS”, the secure communications protocol used.
That’s what you should see for every website you visit online now.
The website to server connection
When you use your computer, tablet or mobile phone to visit a website, the web browser on your device communicates with the server where the actual website files reside.
That could be nearby, in another part of the country or on the other side of the globe. Wherever the files are, your web browser has to connect with that server to get the data to display the website on your computer. But it’s not a direct connection. Rather it goes through a number of intermediate hubs on the way.
In this communication between your web browser and the server, data flows both ways. And some of it can be quite personal.
It used to be all that data was sent in the clear. Like writing a letter on a postcard. While it’s on the way to the recipient, anyone who sees it, can read the content. Or even steal that postcard and replace it with another one, that you will think is the real one, but that has different content.
Yes, that’s not a pretty picture. But that’s what a web browser to server connection looks like when it’s not secured. Anyone, snoopers in the coffee shop, hackers, your Internet Service Provider or a not-so-friendly government, can easily find out what info is going back and forth between your computer and that distant server housing the website you’re visiting.
For security reasons, we’ve long used encrypted connections from web browser to server when it comes to banking. Because you really don’t want your information stolen.
Over the last few years, there’s been a lot of emphasis on increasing security online. Google (and other search engines) now look at if the connection is secure when they rank websites. And browsers started flagging websites as “Not Secure” if they contained a form and didn’t encrypt the communication with the server.
The benefit of encrypted communication browser to server
Maybe this whole thing mattered less back when we surfed the web from a desktop computer at home or at the office. All the data went through actual wires. There were also fewer people out there snooping for information they could steal.
But now, with over 60% of web browsing happening on mobile devices and even computers at home connecting to the internet wirelessly, it’s become much easier to intercept some of that data traffic. Just think who all might be listening in when you go online using the wi-fi at a coffee shop or in another public space.
So of course we want data from our browser to and from a website we visit to be private. Encrypted.
Flagging HTTP connections as “Not Secure”
Securing the connection from web browser to server gets technical, so many website owners have ignored it, figuring that there’s nothing much worth stealing in that communication anyway.
But now we’re seeing websites labeled as “Not Secure” as soon as you go to them, simply because they’re using the old HTTP protocol and not the encrypted HTTPS protocol that makes use of SSL certificates to protect information going from your web browser to the website’s server.
Once upon a time, it was rather complicated (and costly) to set a website up to use HTTPS and SSL. Not so anymore. It can even be totally free. But the website needs to be set up properly so that all traffic is directed to use the secure connection.
In 2019 there is therefore absolutely no reason for why any website, no matter how small, should still use HTTP to connect to the server, leaving your data exposed. The issue just can’t be ignored.
If your website is “Not Secure”
If you own a website, it must be properly configured to always use encrypted connections (HTTPS and SSL). Because you really, really want site visitors to trust you. Your hosting company can help you get HTTPS set up. If they can’t or won’t, it’s time to find another hosting company.
Thanks to the Internet Security Research Group, that SSL certificate can be totally free. And automated, so you don’t have to think about it. It will just work. For most websites, that’s a perfect solution.
One more thing: You must make sure that if someone tries to visit your site via HTTP, they are always redirected to the secure HTTPS connection.
Again, all the setup is a one-time deal. So worth spending a bit of effort on, knowing that your visitors won’t be scared away by warnings about your website being “Not Secure” ever again.
If you visit someone else’s website that is “Not Secure”
First off, most certainly don’t send any personal information or buy anything on a website that isn’t using a secure connection.
In the past, many websites displayed their products on pages that were not secure and only when it came time to check out, did you get taken to a secure connection to enter payment information. But you may already have entered a bunch of personal information (name, address, email, phone) before getting to the actual checkout. So that wasn’t a great idea back then and definitely isn’t up to standard today.
Demand that any website you make a purchase on use HTTPS connections throughout the entire shopping process.
If a website you visit displays “Not Secure”, do use their contact form to let them know that this is 2019 and they’re losing visitors because their website isn’t using HTTPS at all or not on all its pages.
Most website owners do care about people visiting their websites and will pay attention if they hear from visitors that their site is showing up as “Not Secure”. If not, do you really want to do business with them?
For the website visitor, it’s a matter of trust: If the website I’m visiting encrypts the communication, I infer that I can trust them. If they don’t do that simple thing, then how can I trust them with other things?
For the website owner, it’s about making sure your website uses encryption (HTTPS and SSL). It’s the new normal. Not optional. At least not if we want visitors to trust us.
Plus Google and other search engines, along with the browser makers, have all decided that HTTP sites are less trustworthy. It shows up in rankings and how websites are displayed in browsers and search results. We all want to look good there. So using HTTPS and SSL is a no-brainer in 2019.
Even the simplest one page website now really must use HTTPS and SSL.
You want your website to stand out. Just don’t make it stand out for the wrong reason. Like being labeled “Not Secure.”
Want more? Here’s another article about HTTPS and encrypting communication from browser to server: Is Google marking your website “Not Secure”?