
Is your website secure? Google says it Better Be SSL protected!

Tuesday, December 6th, 2016

First, let me say that just because you have been told your website is secure does not mean it is true. I can point out plenty of car dealership websites with credit applications that are identified as secure but really are not. Regardless of whether or not you believe your website is secure, take this very simple test to find out. All you have to do is open any web browser you want, type https://www.VIADA.org in the address bar, and tap or click the Enter key. Obviously, replace “VIADA.org” with your website URL. The important part to remember is to add the “s” to make it “https”. If your website appears as normal, congratulations! It is truly a secure site! However, if any of the following conditions are true, then your website is not considered secure, private, or SSL protected.

  • In Internet Explorer, instead of your home page you see a screen with a red shield with a white X in the left corner followed by, “There is a problem with this website’s security certificate.” After it there is a prompt to close the web page or continue.
  • In Firefox, instead of your site you see a yellow bar across the top of the screen and the main message of the page reads, “Your connection is not secure”. This is followed by a prompt to Go Back or Advanced.
  • In Chrome, you will see a red icon with a white exclamation point next to your address with the “https” part stricken out in red. The body of the page will have a red padlock icon above the words, “Your connection is not private”. The page ends with a prompt to go “ADVANCED” or “Back to safety”.
  • In Safari, instead of your site you see a pop up box that reads, “Safari can’t verify the identity of the website” followed by a prompt to Continue, Cancel, or Show certificate.

 

Those are just examples of what you see when there is absolutely no SSL security on a website. You can be certain you are visiting a secure, safe site when you see a green padlock icon to the left or right of the address bar, depending on what browser you are in. However, there is an “in between” status that in the end still means the site is not secure. Think of it as Heaven, Hell and Purgatory. If you visit a site and see a grey padlock with a yellow exclamation point (!), that means the site does have SSL, but parts of the page are calling on external content not protected by SSL. If part of the page is not secure, the entire page is not secure.

 

Now that we know how to spot the difference between a website protected by SSL and one that is not, let’s find out what SSL is. Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. When you visit a site, data is sent from that site’s server to your browser. Notice, I did not say directly to your browser. When you fill out a form and submit it from a website, the data you entered gets posted to the site’s server. If you are at a site with a green padlock, then you know all the data sent to and from your computer is encrypted, meaning only you and the site’s server will know what was transmitted. Without that lock, it is possible for someone to eavesdrop, intercept, and even alter the data before it reaches the intended target.

 

Car dealerships are required to protect the personal, private information of their consumers at all costs in order to be compliant with several federal mandates. Accepting online applications and/or transactions through your website without having SSL in place has been considered the same as leaving your clients’ documents out on your desk for everyone to see. For over a decade now, the Payment Card Industry (PCI) has been requiring all transactions to take place in an SSL environment in order to be in compliance with their Data Security Standard (DSS). If your home page does not pass the test I mentioned above (or even if it does), then go to your site’s credit application page and look for the green padlock. If you do not see it, or if you see a padlock with a yellow exclamation point, call your site provider immediately. Likewise, if you have a payment page without a green padlock icon, you are not only possibly exposing your consumers’ private information to others, you are also in violation of the PCI DSS and are in danger of losing your merchant account. Not to mention the liability you are creating by accepting payments over an insecure connection.

 

Whether or not your home page passes the test we started with has never been an issue until now, assuming your home page does not include a credit application or payment form that gets transmitted back to you. Until recently, the only time a page would be encrypted would be when personal, private or sensitive information was being transmitted. That is, until Google announced on September 8, 2016 that, beginning January 2017, they will be marking some page links as Insecure when those sites are visited in Chrome, Google’s browser. For now, the insecure icon will only be displayed next to websites that A) do not have SSL encryption available, and B) have at least one form that either requests a user name and password OR facilitates a credit card transaction. However, the announcement indicates they intend to do two more things over time. First, they will begin marking all pages as insecure, and second, they will change the insecure icon to a red triangle with a white exclamation point, with the warning “Not secure” next to the site URL in the address bar.
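To make the padlock-with-exclamation-point case and Chrome’s criteria above concrete, here is an added example (not part of the original post) that audits a page’s HTML for content loaded over plain http and for password or card fields. The `dealer.example` URLs and the sample page are constructed, and treating `autocomplete="cc-..."` as the marker of a credit card field is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags (and the attribute) that make the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "audio": "src", "video": "src",
                     "source": "src", "embed": "src", "object": "data"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_resources = []  # absolute http:// URLs the page loads
        self.sensitive_fields = []    # "password" / "card" inputs found

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        attr = SUBRESOURCE_ATTRS.get(tag)
        # <link> is only fetched as page content when it is a stylesheet.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            attr = None
        if attr and a.get(attr):
            # Resolve relative and protocol-relative (//host/x) URLs first.
            url = urljoin(self.page_url, a[attr].strip())
            if urlparse(url).scheme == "http":
                self.insecure_resources.append(url)
        if tag == "input":
            if a.get("type", "").lower() == "password":
                self.sensitive_fields.append("password")
            elif a.get("autocomplete", "").lower().startswith("cc-"):
                self.sensitive_fields.append("card")  # assumed heuristic

def audit(page_url, html):
    """Report mixed content (https pages) or the form warning (http pages)."""
    p = PageAudit(page_url)
    p.feed(html)
    https = urlparse(page_url).scheme == "https"
    return {"mixed_content": p.insecure_resources if https else [],
            "not_secure_warning": (not https) and bool(p.sensitive_fields),
            "sensitive_fields": p.sensitive_fields}

# Constructed sample page for illustration only.
SAMPLE = """<html><head>
<link rel="canonical" href="http://dealer.example/credit">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/widget.js"></script>
<script src="//cdn.example/ok.js"></script></head><body>
<img src="http://images.example/car.jpg">
<form action="/apply"><input type="password" name="pw">
<input name="card" autocomplete="cc-number"></form></body></html>"""

if __name__ == "__main__":
    for url in ("https://dealer.example/credit", "http://dealer.example/credit"):
        print(url, audit(url, SAMPLE))
```

Any URL listed under `mixed_content` has to be switched to https (or removed) before the page earns the green padlock.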

 

If the credit application page or online payment page of your website failed this test, you need to do something immediately. If your home page failed the test, it is not cause for panic, yet. SSL encryption has become much easier to obtain. Adding an SSL certificate with a 2048-bit key requires you to work with your web provider. An SSL certificate can come in different “shapes and sizes”, but in general the cost has decreased in recent years along with the work of obtaining and maintaining them.

 

You want to see your website begin to move towards a completely safe, secure environment on all pages, not just the sensitive ones, for one reason: Google. They have maintained since late 2013 that their algorithm for determining which sites get displayed in each search result will be affected by each site’s security status. They downplayed how much that effect would be, but even if there was no penalty in search engine rankings, you still have one other factor to consider: your customer. How do you think they are going to feel if one day they visit your website and get a red triangle warning them your site is insecure? Will they be more or less inclined to continue on into your site?

 

Remember, Google is the leader of all other search engines (and for that matter Chrome has become the leader in browser usage). The moves they make are often duplicated by their competitors.  You can see that for yourself just by visiting the three largest search engines.  When you go to Google and Yahoo, you will see the green icon, but when you go to Bing you will not see it.  I bet it will not be long before you see them follow suit.