Some of you may have seen a message from Google similar to this one in recent weeks or days:
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.
Here’s how to fix this problem:
Migrate to HTTPS
To prevent the “Not Secure” notification from appearing when Chrome users visit your site, only collect user input data on pages served using HTTPS.
How does that affect you?
Before answering this question, it would probably be useful to explain what HTTPS is.
HTTPS is the secure version of HTTP, the protocol that manages the transmission of data between your computer and the website you are visiting. With HTTPS, data transmitted between your computer and the website is encrypted. This secure protocol is usually used to protect confidential data during banking transactions and online purchases, which is referred to as "sensitive" information.
In the case of a secure connection, most browsers display the site address preceded by https and a lock icon indicating that a secure connection is in progress.
To manage this type of secure communication, the website in question must be equipped with a certificate that "tells" your browser that the communication is indeed encrypted and that is used to establish the secret parameters of this communication.
But my website does not include transactions, why would I need a certificate and HTTPS protocol?
First, because the notion of "sensitive" information is no longer confined to the strict framework of financial transactions. In an increasingly hyperconnected world, we interact constantly and increasingly with the web. Our relationship with the Internet is intensifying and the risks associated with privacy and security accompany this growth.
All communications sent over regular HTTP connections are in plain text and could be read by a third party who would be able to intercept the connection between your browser and the website. This presents a clear danger if the communication is on an order form and includes the details of your credit card or your social insurance number.
But we now use online forms for all sorts of purposes: comments left on a site, subscriptions to mailing lists, etc. Any unprotected connection can potentially reveal information about ourselves or our online behavior, so the notion of "non-sensitive" interaction or information simply does not exist.
With an HTTPS connection, all communications are encrypted securely. This means that even if someone succeeded in intercepting the connection, it would not be possible to decrypt the data that passes between you and the website.
By always using HTTPS rather than HTTP, designers and users of Web services no longer have to question what is "sensitive" or not. This leaves less room for error. Standards organizations, web browsers, technology companies and Internet communities of practice have understood that HTTPS should now be the norm.
Thus, browsers such as Firefox and Chrome will soon flag HTTP connections as non-secure. Google has also indicated for several months that unsecured sites would be penalized in search results.
OK, I'm convinced! How do I install a security certificate on my site?
Normally, you must purchase a certificate by first creating a "signing request". For any site hosted by Percumedia, this can easily be done from the cPanel control panel of your account. The cost of a certificate may vary, depending on the options selected and the guarantees offered, from $30 to $200 per year. This type of certificate is probably advisable for any site where financial transactions are made.
But, good news: Percumedia provides free security certificates on all accounts hosted on its server. Our customers have two options: an "AutoSSL" certificate installed by default on all accounts, or, at your option, a "Let's Encrypt" certificate that you can install yourself from the cPanel control panel.
Your websites are therefore all provided with a free certificate by default! All you have to do is configure your website to display its pages in HTTPS. The developer of your site can easily help you in this regard.
Please be aware that all sites that have been developed by Percumedia will gradually migrate to the HTTPS protocol in the coming weeks. These customers therefore have nothing to do: their site will be automatically secured.
Those who prefer to use a certificate they acquire themselves can do so with peace of mind: any certificate installed by a user will take precedence over the free certificate already provided by Percumedia.
Thus, visitors to your websites who have to leave information will see their interactions well protected and will not see disturbing warnings in their browser to the effect that your site is not secure.
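One way a developer could check which pages would trigger the warning quoted at the top of this post is shown below. It is an added example, not code from Percumedia or Google. The list of input types, the `audit` function and the example.com sample pages are assumptions made for illustration, and the check for HTTPS pages that submit a form to an HTTP address goes beyond what the Google message describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed list of input types a visitor types text into (no type means "text").
TEXT_TYPES = {"text", "password", "email", "search", "tel", "url", "number"}

class FormAudit(HTMLParser):
    """Counts text-entry fields and resolves the action URL of each form."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.text_fields = 0
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "textarea":
            self.text_fields += 1
        elif tag == "input" and (a.get("type") or "text").lower() in TEXT_TYPES:
            self.text_fields += 1

def audit(page_url, html):
    """Return the findings for one page; an empty list means nothing to fix."""
    parser = FormAudit(page_url)
    parser.feed(html)
    scheme = urlparse(page_url).scheme
    findings = []
    if scheme == "http" and parser.text_fields:
        findings.append(f"{parser.text_fields} text field(s) on an HTTP page")
    for action in parser.actions:
        if scheme == "https" and urlparse(action).scheme == "http":
            findings.append(f"HTTPS page submits form to {action}")
    return findings

# Constructed sample pages (example.com is a placeholder domain).
SAMPLES = {
    "http://example.com/newsletter": '<form action="/subscribe"><input type="email" name="e"><input type="submit"></form>',
    "https://example.com/contact": '<form action="http://example.com/send"><textarea name="msg"></textarea></form>',
    "https://example.com/search": '<form><input name="q"></form>',
    "http://example.com/about": "<p>No forms here.</p>",
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, "->", audit(url, html) or "ok")
```
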