First impressions are lasting ones. That’s why you want to make sure that there’s nothing standing between your visitors and a seamless entry to your website. Browsers and domain owners have a pretty good working relationship -- browsers inherently want to keep website users safe and website owners want to keep their customers secure to avoid getting a reputation for security breaches, which would drive visitors to a competitor with better security. One way browsers protect Internet users is to indicate whether or not a website uses encryption technology to secure customer data – like user names and passwords, credit card information and, for Google, any information that would be put into a form and sent to a company’s server. That’s why browsers, especially Google, throw up bold warnings indicating to users when a website is not secured by HTTPS. Websites use SSL to avoid greeting visitors with warnings like these.
Have you ever noticed the padlock in your web browser’s address bar? SSL/TLS is the technology that creates a locked padlock indicating that any data transmitted on that website will be encrypted. Let’s look at how to use SSL to avoid browser warnings:
“S” is for Secure
SSL/TLS certificates put the “S” in HTTPS leaving websites without the “s” for secure increasingly in the dust when it comes to giving users confidence to visit a website. This trend progressed throughout 2017 when a post on the Google Security Blog alerted domain experts that as of “January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.” The need for SSL/TLS increased when the Chromium Blog let us know that any website that used any forms that collect data would be subject to the same user warning, “[I]n October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.” Here’s why using HTTPS is important for websites, using an EV certificate protected and a “bad SSL” website as examples.
Secure Website in Google Chrome
(Our website is encrypted and trusted – the addition of the organization name in our EV certificate is a strong indicator that ours is not a phishing website. Used in this way, SSL prevents browser warnings.)
Not Secure in Google Chrome
(Websites that have forms, but do not employ SSL/TLS security show this warning to visitors using Google Chrome.)
Trusted Certificates Make for a Secure Website
Google’s Plan to Distrust Symantec Certificates in their entirety means that websites that are using distrusted Symantec-issued SSL/TLS certificates will ultimately show a warning message (see image 1) whenever visitors approach the website. Domain owners should use trusted SSL to avoid this scenario. Trusted SSL certificates will be issued from a certification authority (CA) that is universally trusted by all browsers. Here is the warning Chrome shows to users when a website is secured by a CA whose roots are not trusted by Google:
(Image 1 – Notice the strong indicators in the web address bar underscoring that this website is not secure including the words “not secure” because of the untrusted issuing root, the red triangle and
Expired SSL/TLS Certificates
To keep the SSL/TLS certificate population fresh and avoid bad certificates from lingering on the web, industry standard groups allow a maximum validity period of 825-days for SSL/TLS certificates. Visitors to a website with an expired SSL certificate will get this warning message in Google Chrome.
SSL/TLS Improperly Configured
Properly installed SSL/TLS certificates secure data transmissions at the endpoints – for example the servers where the data will be processed or stored. Testing your SSL server configuration is as easy as entering your domain here. This quick test grades your server configuration and reports back any security weaknesses for remedy. If your certificates are misconfigured, your website will get this type of warning in Chrome:
To summarize: what message are you broadcasting to visitors who come to your website? There’s nothing more unwelcoming than a browser warning telling them that your website is not secure. Use SSL/TLS (and use it correctly) to protect your customers and avoid browser warnings so you can maximize confidence in users to transact on your website.