In 2017 we’ll be setting up SSL certificates for all of our premium* web hosting customers’ sites and changing things over so they use encrypted https connections.

What does that mean?

Short answer

People visiting these websites will see https and a padlock or ‘secure’ message in the address bar of their browser.

Longer answer

Websites without an SSL certificate will likely have issues in the not-too-distant future.

This is because browser makers are getting stricter about what they consider secure. The way web browsers communicate with web servers is something like this: when you visit a website, your web browser and the web server hosting the site talk to each other and exchange information.

Browser: Hello. I’m checking out your page. Nice, I like it. Can I have the logo please?
Server: Certainly, here you go.
Browser: Thanks. I’d like to log in now please.
Server (slightly suspiciously): OK, what’s your username and password?
Browser: Here you go.
Server: OK, just let me check… Great, that’s correct. Here’s the private page you asked for.
… and so on.

Over a standard (also called non-encrypted or http) connection there’s a chance this communication could be intercepted, and if so anything sent – like that password, for example – could be stolen. Over a secure (encrypted or https or SSL) connection the browser asks for the server’s SSL certificate, makes sure it checks out and then uses the certificate’s key to set up a private communication channel with the server. All information passed back and forth between the browser and the server is then encrypted at one end and decrypted at the other. Even if someone could read the information, they’ll just get gobbledegook without the key.

OK. Why are we only doing this now?

It’s getting easier

In the past it was technically complex to run websites over https connections using SSL. It was generally only websites dealing in sensitive information, like online stores and large corporate networks, that bothered with the hassle. (Even today less than a third of the internet uses encrypted connections).

However, over the past few years most of the larger players online – Google, Facebook, Twitter, Dropbox, Reddit – have switched their services over to secure connections and lent their support to campaigns like Encrypt All The Things, which argue that every website should do the same.

It’s getting cheaper

Traditionally SSL certificates were also expensive. Now an initiative called Let’s Encrypt is offering free SSL certificates to everyone, and they’re working hard to make the process of setting these up and renewing them easier. We’ve been testing Let’s Encrypt certificates for several months now and love the service. (We’re not alone – over the course of 2016 the number of active Let’s Encrypt SSL certificates jumped from 240,000 to over 20,000,000).

Websites not running secure connections are being penalised

Google Chrome, the world’s most popular web browser, has started showing a ‘Not Secure’ message when people visit login pages that aren’t encrypted, and soon they’ll be showing this ‘Not Secure’ message for all unencrypted pages. (The other major browsers will almost certainly follow suit).

Insecure browser without SSL certificate

How Google Chrome shows some (and will soon show all) standard, non-encrypted pages

Secure browser with SSL certificate

How Chrome shows encrypted pages

Google is pushing for a totally encrypted web. As well as making the changes to Chrome they have also said they’ll be penalising sites that don’t use SSL in search rankings, meaning non-SSL sites will come up lower in results when people do a search.
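If you want to see which of your own pages would trigger Chrome’s ‘Not Secure’ message on login pages, the short Python check below looks for password fields on pages served over http. It is an added example, not code from us or from Chrome; the `example.test` addresses, the sample HTML and the function names are made up for illustration, and it goes one step beyond the warning described above by also flagging forms that send their data to an http address.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAudit(HTMLParser):
    """Counts password fields and records where each <form> submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_targets = []   # absolute URL each form posts to
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self.form_targets.append(urljoin(self.page_url, attrs.get("action") or ""))
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1


def audit_page(page_url, html):
    """Return findings for a page that would send a password unencrypted."""
    audit = LoginFormAudit(page_url)
    audit.feed(html)
    findings = []
    if audit.password_fields == 0:
        return findings          # no login field, nothing to report
    if urlsplit(page_url).scheme != "https":
        findings.append("password field on a page served over http")
    for target in audit.form_targets:
        if urlsplit(target).scheme != "https":
            findings.append(f"form submits to non-https target {target}")
    return findings


# Constructed sample pages (hypothetical site, not real data).
LOGIN = '<form action="/session" method="post"><input type="password" name="pw"></form>'
PAGES = {
    "http://example.test/login": LOGIN,
    "https://example.test/login": LOGIN.replace("/session", "http://example.test/session"),
    "https://example.test/account": LOGIN,
    "http://example.test/about": "<p>About us</p>",
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(url, audit_page(url, html) or "ok")
```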

Please contact us if you’d like to find out more.

(*Non-premium hosting accounts will remain using standard connections).

Jan 15, 2017