
The SSL Apocalypse

A change in Google’s policies could show your site as insecure to customers and clients

Before I continue, let me concede that referring to this as an “apocalypse” is a bit of hyperbole and possibly a bit “click-baity” as a title. However, I did this because I felt it necessary to ensure you read this and understand the gravity of the situation. With the launch of the latest version of Google Chrome (scheduled to be pushed out in October 2017), users will soon see a warning message indicating the site they’re on is insecure if they begin to fill out any form on a site which is not hosted behind a SSL. If that last sentence made no sense to you, don’t worry. To explain this further, let’s first break down a few things: what an SSL is, how this will affect your site, and what you need to do. If you’re already familiar with the technical bits (or really don’t care), jump to the “What You Need to Do” or “Can WhirlWind Just Handle This For Me” headings below.

What is SSL?

So first, SSL is an acronym for Secure Sockets Layer, the technology that allows information passing between the browser (your computer) and a web server (the computer storing the data for the site you’re visiting) to be encrypted. This encryption ensures the data you submit to a website won’t get picked up by other computers on your network. This gets increasingly important when you use things like the public/free wifi offered by countless restaurants, coffee shops, hotels, and business parks. Technically, a person with the right amount of “know-how” can basically see everything you’re typing into any insecure page/site you’re on. Scary, right?

 

Sites which have SSL enabled are issued a SSL certificate which also authenticates the connection to the server. When a SSL certificate is issued, part of the certification process requires the server to provide a unique identifier which authorizes a specific domain be pulled from a specific server. Once issued and installed, every time the site loads, the SSL certificate verifies that the site you’re visiting is pulling from the server it’s supposed to be.

 

These two primary functions (encryption and authentication) are the reason Google has changed its policies to force sites to adopt this security feature. To protect its clients (which is a majority of internet users), they want to make sure your information is kept private and secure.

How (and Why) Will This Affect Your Site?

Does your website have a contact form on it? How about a form to sign up for your company newsletter? What about just a simple search box? If you answered yes to any of those and don’t have a SSL certificate active on your site, you will be affected. Considering almost all sites these days have at least one of those types of forms, on at least one page of their site, this policy change affects countless sites across the internet.

 

Once Google pushes out the latest version of its Google Chrome browser, any web user on the latest version who goes to a site without an active SSL connection will see something like this:

 

While the initial change is somewhat subtle, for visitors who notice the change in their address bar, it can certainly come off as alarming. More concerning is that this subtle change will eventually be replaced by something more blatant and jarring:

Just like you, if your customers see something like this on your site, there’s a good chance they’re going to leave; potentially for good.

What You Need to Do

So what can you do to make sure your site isn’t affected by this change? The answer, which at this point may be obvious, is to make sure your server has SSL set up and enabled for your site. Depending on whether or not you have SSL active, this is going to be either a one-step or a three-step process.

How To Check Your Site

Checking your site is a simple one-step process. Simply open up a tab in your browser and type “https://” followed by your domain name. If your site pulls up, and you see a green “Secure” and “https://” in the address bar (if you’re using something other than Google Chrome you may see something slightly different), you’re all set! Congratulations! If your site does not come up right away, you may see a warning screen indicating your connection is not private/secure. If that’s what you’re seeing, you’ll need to get an SSL set up.

Install a SSL Certificate on Your Server

The process for installing a SSL certificate on a server varies drastically between hosting providers (sometimes even having different methods for different kinds of plans). Additionally, some hosting providers can allow you to take advantage of free SSL licensing methods which only require a little technical know-how and some time. With all the hosting providers available, there’s really no way to provide one set of instructions for everyone. However, you can generally work with your hosting company’s customer support team to walk you through the process, or you can contact our office and we’ll be glad to point you in the right direction.

The Certificate’s Installed. Now What?

Once the certificate is installed and you’ve verified your “https://” address works properly, the last step is making sure your clients are accessing your site securely. Even though you have the SSL set up, it doesn’t mean that all the traffic which goes to your site is going to be redirected to your secure URL. To accomplish this, you’ll need to add/modify some code on your server which routes visitors away from the insecure address and to the secure one you just set up. I’ve included the code below, for those who are comfortable diving into server scripts, but if you would like our support, please call our office for further consultation.

 

IMPORTANT: DO NOT ATTEMPT TO MODIFY THIS CODE IF YOU DON’T KNOW WHAT YOU’RE DOING. INCORRECTLY MODIFYING THE FILES REFERENCED BELOW CAN (AND WILL) PREVENT YOUR SITE FROM LOADING. ANY CHANGES YOU MAKE ARE BEING MADE AT YOUR OWN RISK.

If You’re Hosted on a Linux Server:

  1. Connect to your server via FTP and locate a file called .htaccess which should be in the root directory of your site. If one doesn’t exist, create a new file on your computer and name it .htaccess.
  2. Download the file onto your computer and make a backup copy in case something goes wrong.
  3. Open up the .htaccess file (not your backup) in any code editor (even Notepad or TextEdit will work).
  4. Insert the following code:

    RewriteEngine On
    # Only act on requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off
    # Permanently (301) redirect to the same host and path over HTTPS
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  5. NOTE: if your existing htaccess file already has RewriteEngine On in the existing code, DO NOT DUPLICATE the command. Instead, simply include the 2 additional lines immediately after as shown above.
  6. Save the file, then upload and replace the current .htaccess file on your server.
  7. Open your browser and type in your URL (without the https://) and you should get redirected automatically to the secure URL.

If You’re Hosted on a Windows Server:

  1. Connect to your server via FTP and locate a file called web.config which should be in the root directory of your site. If you don’t have one, just create a new file on your computer with the same name.
  2. Download the file onto your computer and make a backup copy in case something goes wrong.
  3. Open up the web.config file (not your backup) in any code editor (even Notepad or TextEdit will work).
  4. Insert the following code:

    <configuration>
      <system.webServer>
        <!-- The <rewrite> section requires the IIS URL Rewrite module to be installed -->
        <rewrite>
          <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
              </conditions>
              <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

  5. NOTE: if a web.config file already exists, simply make sure the sections referenced above are included. DO NOT replace all existing content with just the above.
  6. Save the file, then upload and replace the current web.config file on your server.
  7. Open your browser and type in your URL (without the https://) and you should get redirected automatically to the secure URL.
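
The final browser check in both procedures above can also be scripted. The following is an added example, not code from the original post: it judges the response to a plain-HTTP request against what the rules above should produce (a permanent 301 to the same host and path over https). The names `check_redirect` and `fetch` and the `www.example.com` sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

def check_redirect(requested_url, status, location):
    """Return a list of problems with an HTTP-to-HTTPS redirect (empty list = OK)."""
    problems = []
    req = urlsplit(requested_url)
    if status != 301:
        problems.append(f"status {status}, expected 301 (permanent)")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"redirect target is {loc.scheme or 'relative'}, not https")
    # Both rules above rebuild the URL from HTTP_HOST, so the host should not change.
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query string not preserved")
    return problems

def fetch(url, timeout=10):
    """Request url over plain HTTP without following redirects; return (status, Location)."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses for a request to http://www.example.com/contact?ref=1
SAMPLE_URL = "http://www.example.com/contact?ref=1"
SAMPLES = {
    "rule working": (301, "https://www.example.com/contact?ref=1"),
    "temporary redirect": (302, "https://www.example.com/contact?ref=1"),
    "redirects to homepage only": (301, "https://www.example.com/"),
    "no redirect configured": (200, None),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(f"{name}: {check_redirect(SAMPLE_URL, status, location) or 'OK'}")
    # Live check of your own site: print(check_redirect(url, *fetch(url)))
```

Test a deep page with a query string rather than just the homepage, since a redirect that drops the path will still look correct from the front page.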

If You Don’t Know What Kind of Server You’re On:

I’ll put this as gently as I can. Stop. Just… no. If you don’t know what kind of server you’re running, the steps above are probably ill-advised to take. If you’re a real risk taker (and possibly a glutton for punishment), you should be able to pull this information from your hosting account, or by contacting your hosting company directly.

Can WhirlWind Just Handle This For Me?

The short answer is, yes. If you’d like us to review your current hosting provider and make sure your site is SSL enabled, contact us today for a free consultation. We want to make sure your company’s website stays competitive and secure!