As website owners, we often forget that security is an ongoing task, that the web is continuously evolving, and that each evolution brings with it a different set of challenges.
Such is the case of Google’s ongoing attempt to force webmasters and website owners to take steps and ensure that visitors using their website or web portal are better protected.
According to one of our partners, Sucuri, Google may have been marking websites with “https” as “Deceptive” even when the sites are clean and without external resources that may trigger the warning.
They came to this conclusion after observing that the warnings are removed once SSL is enabled on the website.
Visitors to a website are normally shown the Deceptive Content warning when Google detects attempts by a site that is dangerous or deceptive to trick users into revealing private or sensitive information. Deceptive sites (also known as “phishing” or “social engineering” sites) try to trick you into doing something dangerous online, such as revealing passwords or personal information, usually through a fake website.
One of the best ways to ensure that malicious users do not gain access to such information is by encrypting the flow of traffic between the server and the browser.
SSL certificates are typically used for this. They protect sensitive information such as credit card information, usernames, passwords, etc. that you and your visitors type in by providing a secure, encrypted tunnel and shutting out all the bad guys.
Without SSL, an HTTP site can only transfer information “in the clear”, meaning malicious actors can snoop on network traffic and steal your customers’ login credentials and credit card numbers.
When a certificate is successfully installed on your server, the application protocol (also known as HTTP) will change to HTTPS, where the ‘S’ stands for ‘secure’. Depending on the type of certificate you purchase and what browser you are surfing the internet with, it will show a padlock or green bar in the browser when you visit a website that has an SSL certificate enabled.
Google considers this a best practice for running a website and has even made SSL a requirement for websites that want to rank higher in search engine results. Websites with SSL have seen as much as a 7% increase in search visibility compared to sites using only HTTP.
Also, referrer data is always preserved and much improved over HTTPS. This allows for greater keyword analytics and analysis for where a site’s traffic is coming from.
Google also started adding a “Not Secure” label in Chrome earlier this year whenever a non-HTTPS website handles credit cards or passwords, and made it clear that they will eventually apply the label to all HTTP pages in Chrome.
If you haven’t been seeing this warning on your Chrome browser, you can configure Chrome to show it.
and set the:
[code]Mark non-secure origins as non-secure[/code]
[code]Display a verbose state when password or credit card fields are detected on an HTTP page[/code] and relaunch your browser.
While this label is presently is to ensure that all forms containing: [code][/code] elements and any inputs detected as credit card fields are present only on secure origins.
Chrome will eventually show a “Not Secure warning” for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.
It is also worth noting that Chrome v50 and beyond no longer support obtaining a user’s location on HTTP sites.
So, if you, as a website owner, want to help your visitors geo-locate, you need to install an SSL certificate on your domain.
Moreover, HTTP/2, the first major revision of the web’s HTTP protocol since 1997 and recently ratified by the Internet Engineering Task Force (IETF), can only be served over HTTPS.
At the moment, HTTP/2 represents around 18% of global traffic, and one of its main benefits is faster load times – between 20-30%.
As the owner of a website that handles sensitive information of any kind, not only is having an encrypted connection a wise investment, but it also helps you build and enhance your customers’ trust.
But it doesn’t stop there.
Making security a focal point before, during and after any web development is considered one of its best practices. SSL doesn’t keep your website safe from hackers; rather, it protects your visitors’ data.
Implementing SSL on your website is easier and cheaper than you ever thought, and the cost of ignoring the benefits that it brings is indeed very high.
For example, as a web hosting company, we have made it super-easy to deploy SSL on your website with one click of a button.
In fact, we offer our customers 2 distinct ways of getting their website to run on HTTPS.
Right from your cPanel or Plesk control panel, we have deployed a unique technology designed to streamline the SSL process and make our customers’ lives easier.
With automatic SSL, customers can generate the CSR, validate the domain, download and install the certificate, and verify the installation automatically. We took away virtually all of the time-consuming manual labor typically associated with SSL deployment.
Our SSL certificates are easily affordable, and we even offer a FREE SSL certificate for every web hosting account on our server.
You can also use the HTTP Content-Security-Policy (CSP) block-all-mixed-content directive to prevent loading any assets using HTTP when the page is loaded using HTTPS.
All mixed content resource requests are blocked including both active and passive mixed content. This also applies to [code]
You can use CSP Mitigator from the Chrome Web Store to apply a custom CSP policy to your application or website. It helps you understand the consequences of enabling whatever CSP policy you want to apply, identifies parts of your application or website that are incompatible with your policy, and guides you in making any necessary changes before deployment.
If your website is erroneously marked as dangerous or deceptive by Google after deploying an SSL certificate and/or adding Content-Security-Policy, Google offers you a way to correct this:
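An added example, not part of the original article: before turning on block-all-mixed-content, the scan below lists the http:// subresources in a page's markup that the directive would block, split into active and passive mixed content. The tag grouping, the function names and the sample page are assumptions made for the example.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource, split into active content
# (can change the page) and passive content (display only). Assumed grouping.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = {"active": [], "passive": []}

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <link> loads a resource only for some rel values; a stylesheet is active.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self._check("active", attrs.get("href", ""))
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in pairs:
                if t == tag and attr in attrs:
                    self._check(kind, attrs[attr])

    def _check(self, kind, url):
        # Only absolute http:// URLs are mixed content; relative and
        # protocol-relative (//host/path) URLs inherit the page's https scheme.
        if url.strip().lower().startswith("http://"):
            self.findings[kind].append(url.strip())

def find_mixed_content(html):
    """Return {"active": [...], "passive": [...]} for a page served over HTTPS."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, assumed to be served from https://shop.example/
SAMPLE = """<head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="//cdn.example/app.js"></script>
<script src="HTTP://cdn.example/legacy.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="/static/logo.png">
<a href="http://partner.example/">partner</a>
</body>"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE))
```

The canonical link and the plain hyperlink are not reported because the browser does not load them as part of the page; every URL that is reported needs an https:// equivalent before the header is enabled.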
If you own a site marked as dangerous or deceptive, you can change your website’s classification by requesting a review.
If you’re a software publisher and your downloads are flagged by Chrome, you can follow this URL to resolve malware issues with your downloads.