Avoiding Chrome's “Not Secure” Warning

21 September 2018 · Website security

Would you trust a company that Google Chrome tells you isn’t secure? The “Not Secure” label in the address bar frightens away potential clients and pushes you lower in Google's search results.

History

Ten years ago, encrypting the information sent to and from web pages with https was expensive and time-consuming. Now it’s free and automatic, and your customers expect it. In October 2017, Google Chrome started by warning your visitors that a page wasn’t secure only when they typed into a form on a site that began with http://. Since Chrome 68 (July 2018), the “Not Secure” label appears on every page loaded over plain http.
What are the main causes of these warnings?
  1. You have an encrypted version as well, but you don’t redirect your unencrypted traffic to it. If you’re in this camp, you’re not alone: even the City of Calgary has this problem at the time of writing.
  2. You still haven’t set up encryption on your website.
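A quick way to tell which camp a site is in, as an added example that is not part of the original post: fetch http://host/ without following redirects and look at the first answer. Only an absolute https:// Location fixes the warning; a redirect to another http:// URL, or a relative one like /login, keeps the visitor on http. The script also checks the https side for a Strict-Transport-Security header, which stops returning browsers from making the http hop at all. The host name on the usage line is a placeholder.

```python
"""Tell which camp a site is in: does http://host/ redirect to https://?
Added example, not part of the original post. Network access is needed
only for check_site(); redirect_verdict() and hsts_verdict() are pure."""
import http.client
import sys

REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirect_verdict(status, location):
    """Classify the response to a plain 'GET http://host/'.

    status   - HTTP status code of the http:// response
    location - value of its Location header, or None
    Only an absolute https:// Location counts as fixed: a relative or
    protocol-relative target ('/login', '//host/login') keeps the scheme
    the browser used, which is still http.
    """
    if status in REDIRECT_CODES:
        if not location:
            return "broken: redirect status without a Location header"
        target = location.strip().lower()
        if target.startswith("https://"):
            return "ok: redirects to https"
        if target.startswith("http://"):
            return "not secure: redirects, but to another http:// URL"
        return "not secure: relative redirect keeps the visitor on http"
    if 200 <= status < 300:
        return "not secure: serves the page over http with no redirect"
    return "unexpected: http status %d" % status


def hsts_verdict(hsts_header):
    """Once the redirect works, Strict-Transport-Security on the https
    response tells returning browsers to skip the http:// hop entirely."""
    if not hsts_header:
        return "no HSTS header: browsers still start over http on each visit"
    return "HSTS set: " + hsts_header


def check_site(host, timeout=10):
    """Run both checks against a live host. HTTPConnection does not follow
    redirects, so we see the first http:// answer exactly as a browser would."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        first = redirect_verdict(resp.status, resp.getheader("Location"))
    finally:
        conn.close()
    # HTTPSConnection verifies the certificate by default; a missing https
    # listener or a bad certificate surfaces here as an OSError/SSLError.
    sconn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    try:
        sconn.request("GET", "/", headers={"Host": host})
        hsts = sconn.getresponse().getheader("Strict-Transport-Security")
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return first, "https://%s/ failed: %s" % (host, exc)
    finally:
        sconn.close()
    return first, hsts_verdict(hsts)


if __name__ == "__main__":
    # usage: python check_redirect.py example.com   (example.com is a placeholder)
    for line in check_site(sys.argv[1]):
        print(line)
```

Run it against your own domain before and after you turn on the redirect; a site in camp 1 reports "serves the page over http with no redirect" even though https://yourdomain works fine when typed in by hand.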

How do you avoid this?

Not long ago, adding https:// to the beginning of your site meant forking over a few hundred bucks every year to get a basic certificate or around a thousand dollars for an “Extended Validation” certificate that tells savvy consumers that your site actually belongs to your company. You can still do this. However, if you just want to get rid of the “not secure” label and protect your customers’ information from being intercepted, there are some free options now too.

The two easiest options are to put a service such as Cloudflare in front of your site so that it handles the encryption for your visitors, or to get a free certificate from a service like Let’s Encrypt and install it on your own server.

Cloudflare

After a couple of quick changes with the company that registered your domain, Cloudflare will sit between your website visitors and your website and provide a bunch of great free options, such as:
  1. Presenting an encrypted page to your visitors even if your web host isn’t encrypted. This gets rid of the “not secure” warning and protects your visitors from having the information on your contact form or login page intercepted at coffee shops. However, in this mode (Cloudflare calls it “Flexible”) the traffic between Cloudflare and your web server is still unencrypted. To close that gap, install a certificate on your server (Cloudflare will issue a free “Origin CA” certificate for this purpose) and switch the mode to “Full (strict)”.
  2. Displaying parts of your website to visitors even when your web server goes offline.
  3. Speeding up your website.
  4. Preventing your website from being taken offline if someone launches a denial-of-service attack against it.
  5. Redirecting unencrypted http:// traffic to https://.

Sign up at https://www.cloudflare.com, change your nameservers with your domain registrar, and make sure that “Always use HTTPS” is set to “On” in the “Crypto” section. If you need extra help, feel free to contact us at https://www.threeshield.ca/contact.

Let’s Encrypt

A bunch of computer companies got together to replace basic certificates with something that renews automatically and costs nothing (other than paying someone to set it up for you, if necessary). You can learn more at https://letsencrypt.org or get your web host or a consultant like ThreeShield to set it up for you. Let’s Encrypt only issues basic (domain-validated) certificates, not Extended Validation ones, and it limits how many certificates it will issue for a domain each week, so it isn’t the right fit for every large operation, but most companies can use it very easily. The certificates that Let’s Encrypt issues only last for 90 days. As such, most services that use them include an automatic renewal feature. Many hosts now build the Let’s Encrypt service in:

Digital Ocean

If you put your site behind a Digital Ocean load balancer, it will create and renew a Let’s Encrypt certificate for you and can redirect your unencrypted http:// site to the encrypted https:// site. If you’re already a Digital Ocean customer, see the instructions at https://www.digitalocean.com/docs/networking/load-balancers/how-to/lets-encrypt.
If you aren’t a Digital Ocean customer, use this link to get $10 in credit: https://m.do.co/c/7e9bc56b645c.
(Full disclosure: we’ll get $25 if you use the link and end up spending $25 at Digital Ocean, so we both win)

AWS

Amazon launched a certificate manager (ACM) in 2016 that works like Let’s Encrypt: it’s free and the certificates renew automatically. The catch is that ACM certificates can only be used on AWS services that integrate with it, such as load balancers and CloudFront; you can’t download one and install it on a plain server. Additional information is available at https://aws.amazon.com/certificate-manager.
If you’re using Amazon Linux and Apache, see the instructions for integrating Let’s Encrypt at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html#letsencrypt.

Microsoft Azure

There are a few ways of using Let’s Encrypt on Azure. This blog post discusses them: https://blogs.msdn.microsoft.com/mihansen/2018/01/25/azure-web-app-with-lets-encrypt-certificate-powershell-automation.

cPanel with 1&1, Bluehost, Liquidweb, HostGator, Site5

cPanel is a very popular platform for lower-end shared hosting sites with lower budgets. That makes Let’s Encrypt a perfect match. cPanel version 58 and newer supports the Let’s Encrypt plugin. If you are running on one of these hosts, follow the instructions at https://documentation.cpanel.net/display/CKB/The+Let%27s+Encrypt+Plugin. Unfortunately, some providers, like GoDaddy, that are also in the business of selling the certificates Let’s Encrypt replaces won’t install the plugin for you. You can always try to request it, however.

GoDaddy

GoDaddy sells the basic certificates that Let’s Encrypt replaces. As such, although GoDaddy uses cPanel, they won’t install the plugin or the automatic renewal service. This means that if you use Let’s Encrypt with GoDaddy, you’ll have to manually renew the certificate every 90 days. More information is at https://ca.godaddy.com/help/install-a-lets-encrypt-certificate-on-your-cpanel-hosting-account-28023. We recommend that GoDaddy shared hosting customers use Cloudflare to reduce the impact of server outages/slowdowns, encryption issues, and other problems. Unless you install a certificate on the GoDaddy server, however, traffic between Cloudflare and GoDaddy won’t be encrypted.
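Whether you renew by hand every 90 days, as on GoDaddy, or rely on a host’s automatic renewal, the failure mode is the same: nobody notices until the certificate expires and every visitor gets a full-page browser error. The script below is an added example, not part of the original post: it connects to each host you list, reads the certificate’s expiry date, and exits non-zero when renewal is due. Let’s Encrypt’s own client, certbot, renews at 30 days remaining, so 30 is the default threshold here; that value and the host names on the usage line are assumptions you should adjust.

```python
"""Warn before a certificate expires. Added example, not from the original
post. Let's Encrypt certificates last 90 days and certbot renews them at
30 days remaining, so 30 is used as the default alert threshold (an
assumption; pick the value that suits your renewal process)."""
import socket
import ssl
import sys
import time

DAY = 86400


def fetch_not_after(host, port=443, timeout=10):
    """Return the leaf certificate's notAfter string, e.g. 'Dec 20 00:00:00 2018 GMT'.
    The default context verifies the chain, so an untrusted or mismatched
    certificate raises ssl.SSLError instead of silently passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now=None):
    """Whole days until notAfter; negative once the certificate has expired.
    now is a Unix timestamp (defaults to the current time)."""
    if now is None:
        now = time.time()
    expires = ssl.cert_time_to_seconds(not_after)  # parses the GMT format above
    return int((expires - now) // DAY)


def renewal_due(not_after, now=None, threshold_days=30):
    """True when the certificate should be renewed (or has already expired)."""
    return days_left(not_after, now) <= threshold_days


def report(host, now=None, threshold_days=30):
    """One human-readable status line for a live host."""
    not_after = fetch_not_after(host)
    left = days_left(not_after, now)
    if left < 0:
        state = "EXPIRED %d day(s) ago" % -left
    elif renewal_due(not_after, now, threshold_days):
        state = "RENEW NOW (%d day(s) left)" % left
    else:
        state = "ok (%d day(s) left)" % left
    return "%s: expires %s, %s" % (host, not_after, state)


if __name__ == "__main__":
    # usage: python cert_expiry.py example.com shop.example.com   (placeholders)
    # Exit status 1 if anything needs attention, so cron can mail you.
    failures = 0
    for host in sys.argv[1:]:
        try:
            line = report(host)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            line = "%s: check failed: %s" % (host, exc)
        print(line)
        if "ok (" not in line:
            failures += 1
    sys.exit(1 if failures else 0)
```

Run it daily from cron on any machine you control, not just the web server, so a host that has quietly stopped renewing still gets caught. If you are behind Cloudflare, point it at both your public host name (Cloudflare’s certificate) and the origin server directly (your own certificate); the origin’s expiry is the one the Cloudflare dashboard won’t warn you about.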