Need help? Chat now!

Hostwinds Blog

Search results for:

Secure Your Site With HTTPS Now Before Google Chrome Users Get NOT SECURE Warnings Featured Image

Secure Your Site With HTTPS Now Before Google Chrome Users Get NOT SECURE Warnings

by: Hostwinds Team  /  June 30, 2018

Is your site secure? This weekend, Google Chrome users are likely going to see a glaring NOT SECURE notice when visiting any site that hasn't implemented HTTPS. So if you haven't made the move to HTTPS, this could lead to many problems, since Chrome is the most widely used browser.

Thankfully though, if you're a Hostwinds client, we've most likely got you covered.

Of course you have several options for securing your site on dedicated servers, cloud hosting or a VPS. With the amount of control you have with these plans, that's pretty much a given.

But even if you're on shared hosting and don't take the time to install an SSL certificate, you also automatically have basic SSL covered thanks to AutoSSL. AutoSSL is a built-in cPanel feature that automatically creates a free SSL and applies it to your site.

Unfortunately, many hosting companies don't offer this even if they're using cPanel.

We make this available to all clients using our Shared, Business or Reseller hosting. We understand the importance of security and the reputation risks, so we ensure that every single client has access to easy SSL… regardless of the hosting plan used, budget or technical know-how.

And by the way, another security-related benefit our shared hosting clients enjoy is a free dedicated IP. Many hosting companies use SNI (Server Name Indication), which lets users install an SSL without needing a dedicated IP. But this can lead to problems with visitors still getting warnings on the site.

What Exactly Is HTTPS and All this SSL Stuff?

SSL or Secure Socket Layer, creates a secure and encrypted connection. When you visit a site that's not secured with a SSL Certificate, (In other words, using plain HTTP), your browser looks for the IP that's assigned to that domain name and connects to it. There's no guarantee that you're actually visiting the correct site, though. Your browser just assumes that it's the right one since it connected to that site's IP.

In reality, that network could be compromised and you could be visiting a site that's pretending to be the site you wanted to visit (also known as spoofing). And with HTTP, any and all data is in plain clear text so any bad actor who might be peeking into the network can see it.

They could see what pages you visit, as well as any data that you might enter while on those pages. This is why you should never enter important data like credit card numbers, bank account info or passwords if the site isn't encrypted with an SSL Certificate. You can tell a site is secured by looking the URL in the address bar. A site with an SSL Certificate will have HTTPS:// as opposed to HTTP://.

When you visit sites that use HTTPS, you know you're actually connected to the right site and that any data on that site will be encrypted. It's backed by a reputable SSL Certificate (Secure Socket Layer Certificate). The certificate authority (the company who issued them their SSL certificate) has already verified who they are so you don't have to.

Why Is Google Doing This?

Google has been focusing on HTTPS and telling site owners to make the change for quite a while now. It provides for a better and safer experience for your readers and customers and helps protect you and your business from cyber attacks. Not to mention data breaches.

Of course, nothing is ever 100% safe. But moving your site over to HTTPS will drastically decrease the odds putting your customers and users at risk of falling prey to a Phishing attack.

And starting this month, Google is going to clearly tell visitors to your site that your site isn't secure. They didn't give an exact date, so this could begin July 1st everywhere or it could start being rolled out gradually. All they say is this will begin in July with the release of Chrome 68.

How Will My Site Not Being Secure Really Affect Me?

Not only will this blatant insecure warning be a bad thing in and of itself, it also sends the message that you as the owner don't really care about keeping your customers and their information safe.

Definitely not something you want. Especially if your business relies on your site in any way, shape or form. And even if it doesn't or if you simply run a hobby-based blog, it's going to send a very bad signal to your visitors and negatively impact your reputation.

How Can I Secure My Site With HTTPS?

AutoSSL is a feature that comes with cPanel (Starting with cPanel version 58). It's a Domain Validated SSL that will automatically install and even renew when needed. As a shared hosting client*, there's nothing you need to do in order to activate it. Just visit your site using https:// instead of http:// and it should already be working.

As mentioned earlier though, some hosting companies will unfortunately disable this. It's understandable wanting to protect revenue streams, but we believe protecting and serving our clients should always come first.

Let's Encrypt
Another option available is Let's Encrypt, which is also a free Domain Validated SSL. However it's not automatically installed. You'll have to set it up. You can do this yourself if you're using Dedicated, VPS or Cloud through Shell access. Here's a guide to installing Let's Encrypt if this is the SSL you prefer to use.

If you want to enable Let's Encrypt for your Cloud, Dedicated or VPS server and you're using cPanel/WHM, you can simply choose it from the AutoSSL settings as seen below:

Premium SSL Certificate

So with the above free SSL options available, why would you want to pay for an SSL certificate?

AutoSSL and Let's Encrypt will give you only the minimum needed to not have your site showing as insecure. You can't apply wildcard sub-domains and there are several other restrictions, which you can see here in our AutoSSL overview.

It looks nice and provides very basic security, but it doesn't give you any type of real warranty or guarantee. And they're versatile so you can apply them to your email, load balancers, firewalls, etc. If you need more than what a basic, free SSL can provide, you can order our our premium SSL here (and we'll install it for free so you don't have to go through the headache of doing it).

Which one is best?

Which route you choose to take depends on the level of security you need and of course, your budget. But can you really put a price on your reputation? Could you really afford a data breach?

No matter which one you choose, it's all about earning and building trust with your customers and visitors. Whether you're collecting email addresses for your newsletter, submitting their payment information on your ecommerce site or simply asking for any personal information… You're letting your customers and website visitors know you care about their personal data and building trust with them by encrypting data with an SSL Certificate.

Our goal is to always go the extra mile, ensuring our clients are successful, secure and satisfied!

*Some legacy services will not be eligible for AutoSSL

Written by Hostwinds Team  /  June 30, 2018