Is your Website Secure for Visitors?
If not, it’s time to think about security.
A long simmering issue online, security for websites, is now completely front burner. Why? The major browsers (Chrome and Firefox, which together have about 2/3 market share [source: https://www.netmarketshare.com
“Secure” web browsing occurs where a website address starts with HTTPS:// rather than HTTP:// (e.g., https://goatcloud.com). That extra “S”, provided it’s implemented correctly, stands for a secure browsing environment.
In the case of Chrome, if a web page is attempting to collect login or credit card information, but is not an HTTPS page, the browser itself provides a “Not secure” alert. Firefox shows a padlock with a red bar through it. See image below.
In contrast, a secure site gets an obvious green (Chrome, Firefox) or white (Microsoft Edge, Apple Safari) padlock icon and (Chrome, Firefox) and in Chrome and Firefox, a “Secure” indication from the browser. See Chrome example below.
Google has reportedly indicated that Chrome will, in the future, indicate the “Not secure” message for any page that is not secured via HTTPS. See https://www.wordfence.com/
What does this mean for website owners? Well, we think it means that in a heavy-handed way you are being forced in the short term to make your entire website secure.
Think of it this way. If a visitor comes to your site and immediately finds a message from their browser that your site is “Not Secure,” will the visitor stick around? When they leave, will they come back? Will they think you’re trying something underhanded? What if your competitor has a secure site? To which site is the visitor likely to return — the secure one or the one their browser says is “Not Secure”? (And also, will a search engine even show your website if it’s not secure?)
The good news is that making a website secure is neither terribly hard to do nor terribly expensive. Which is not to say there is no cost. A security “certificate”, if purchased, can cost less than $100 per year, and a host usually charges a one time fee to install it. And, there are lower cost options available still. (And on the plus side as well, all other factors being equal, HTTPS sites get better results on search engines than HTTP sites.)
We have deployed with success secure websites using *free* services from Cloudflare (cloudflare.com). Cloudflare at root is a content delivery network or CDN. CDNs exist to help speed up websites. They also do a fine job preventing and mitigating attacks against websites. Cloudflare currently has decent free plans for small-website owners. It’s not completely free to set up security of course, as it takes a bit of your time or a vendor’s time to set the services up (and time is money!). Still, it’s not unreasonable.
In addition, some website hosting companies permit the installation of free security certificates from Let’s Encrypt (letsencrypt.org). So it may just be a one-time fee from the host to install the certificate. GoatCloud, unfortunately, cannot currently offer Let’s Encrypt, as our underlying hosting provider does not permit installation of Let’s Encrypt security certificates. For most sites hosted by GoatCloud, however, we can create your own free Cloudflare account for you and install a Cloudflare certificate on the site for a one-time charge. It may be possible to do so on other hosts also.