Since July 24, 2018, the Chrome browser has displayed a “Not Secure” warning next to the address of any website that does not use HTTPS encryption. This change has persisted, with other major browsers adopting similar practices. If you are reading this article, you might be wondering, “What does a ‘Not Secure’ website mean?” Let’s explore what this means for website owners and marketers in Canada.
What is the “Not Secure” Warning?
Seeing a “Not Secure” warning before your domain name might cause concern about your website’s safety. However, the reality may not be as alarming as it seems.
For example, imagine Xiao Ming, the owner of a clothing store, who created a website to showcase and sell his products. One day, he noticed that his website was marked as “Not Secure.” Initially worried that his site had been hacked, he later discovered that the warning appeared because his website did not use a secure connection (HTTPS).
If you encounter a “Not Secure” error, it likely means your website lacks an SSL certificate and does not use the HTTPS protocol. This notification does not indicate that your website is under threat or unable to function properly.
What is SSL?
SSL stands for Secure Sockets Layer, a protocol used to encrypt, protect, and verify communication over the internet. Although SSL has been replaced by an updated protocol called TLS (Transport Layer Security), the term “SSL” is still commonly used to refer to this technology.
The primary purpose of SSL/TLS is to ensure secure communication between clients and servers. It also secures email, VoIP, and other network communications that would otherwise be unprotected.
How Does SSL/TLS Work?
Understanding how SSL/TLS operates involves grasping the following key principles:
- Secure Communication Initiation: Security begins with the TLS handshake, where both parties establish a secure connection and exchange public keys.
- Session Key Generation: During the handshake, both parties generate a session key that encrypts and decrypts all subsequent communication.
- Unique Session Keys: Each new session uses a different session key for encryption.
- Server Authentication: TLS ensures that the server or website interacting with the user is genuinely who it claims to be.
- Data Integrity: TLS ensures that data is not tampered with during transmission by including a Message Authentication Code (MAC).
With TLS, the HTTP data sent from users to the website (through clicks, form submissions, etc.) and the data sent from the website to users are encrypted. The encrypted data must be decrypted by the recipient using the appropriate key.
What is an SSL Certificate?
An SSL certificate is a file installed on a website’s origin server. It contains the public key, the website owner’s identity, and other information. Without an SSL certificate, a website’s traffic cannot be encrypted using TLS.
Technically, any website owner can create their own SSL certificate, known as a self-signed certificate. However, browsers consider self-signed certificates less trustworthy compared to those issued by Certificate Authorities (CAs).
What is the Difference Between HTTP and HTTPS?
The “S” in HTTPS stands for “Secure.” HTTPS is simply HTTP with SSL/TLS. Websites with HTTPS addresses have valid SSL certificates issued by CAs, and all traffic to and from these websites is encrypted and verified using the SSL/TLS protocol.
By analogy, HTTP is like walking naked on the street, where anyone can see your every move. In contrast, HTTPS is like wearing an invisibility cloak, protecting your privacy by hiding your activities.
To encourage a safer internet, many web browsers have started marking HTTP websites as “Not Secure.” Therefore, HTTPS is not only crucial for ensuring user safety and data protection but also for building trust with users.
Frequently Asked Questions About “Not Secure” Warnings
Is SSL Only for E-commerce Websites?
In the past, only websites handling payments needed SSL. However, SSL encryption now protects all information transmitted between the browser and the server, including usernames, passwords, and even website management credentials.
With the “Not Secure” warning, it no longer matters whether or not your site receives data. All websites should use SSL encryption to ensure secure transmission of information, regardless of its sensitivity. This is not just a matter of cybersecurity but also of maintaining your website’s reputation. If customers see a prominent red warning when visiting your site, it may raise doubts and negatively impact your business image.
Just as we expect our credit card and personal information to be protected when shopping in stores, websites of all sizes should provide a secure browsing experience for users.
Can I Use a Free SSL Certificate?
Yes, as long as your hosting provider allows you to install it.
Is This Requirement Only for Chrome, or Do Firefox and Other Browsers Also Enforce It?
This requirement applies to all major browsers. Whether you use Chrome, Firefox, Safari, or Edge, websites that do not use HTTPS will display a “Not Secure” warning.
I Have Multiple Websites and Can’t Afford Multiple SSL Certificates. What Can I Do?
Customers with multiple websites can consider multi-domain SSL certificates, also known as SAN (Subject Alternative Names) SSL certificates. These certificates allow you to protect multiple websites with a single SSL purchase, saving both money and time. You manage one SSL certificate for all your websites instead of handling multiple certificates.
It’s similar to having a master pass that grants access to multiple locations without needing a separate pass for each place. With a multi-domain SSL certificate, you can efficiently manage the security of multiple websites and enhance your workflow.
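The certificate contents described under “What is an SSL Certificate?” and the multi-domain (SAN) certificate above can both be checked from the parsed certificate. This added example (not from the original article) works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate, its domains and the CA name are constructed placeholders.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the domains and CA name are placeholders, not taken from the article.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example"),
                       ("DNS", "blog.example")),
}

def san_names(cert):
    """DNS names listed in the certificate's Subject Alternative Name field."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.example".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def coverage(cert, hosts):
    """Map each site to True/False: is it covered by this one certificate?"""
    names = san_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in hosts}

def looks_self_signed(cert):
    """Heuristic: issuer equals subject, so no separate CA vouched for it."""
    return cert.get("issuer") == cert.get("subject")

def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)
```

On a live connection opened with `ssl.create_default_context()`, `getpeercert()` returns a dict of this shape for the site's real certificate, so the same functions can be pointed at your own domains.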
Conclusion
Website security is essential and should not be overlooked. Whether you run a personal or commercial website, implementing necessary security measures allows users to browse and transact with confidence. HTTPS encryption and SSL certificates are the first steps in building a secure website.
Only by ensuring that users trust your website can you establish long-term relationships with them. Therefore, website operators and business owners should prioritize website security, promptly upgrading HTTP sites to HTTPS to eliminate “Not Secure” warnings.
Alstra provides website hosting services for businesses in Canada and the Toronto area. We prioritize cybersecurity. Choose our enterprise website maintenance packages to keep your online business in optimal condition with high security standards, access exclusive industry insights, and enjoy complimentary access to the Alstra AI content creation platform. For more details, please refer to our Enterprise Website Maintenance Packages.