If your website is still served over plain HTTP rather than HTTPS with an SSL certificate, starting tomorrow Google Chrome – which represents about 60% of the browsers in use – will begin marking your site as ‘Not Secure’ in the address bar.
Obviously this will cause many users to distrust your site – even if you don’t conduct financial transactions or store data. Not good.
Google explained its motivation for this move in a memo released online in February. In short, when a site is served over HTTPS, all traffic between the site and the end user’s browser is encrypted. As a side benefit, most bots and browsers favor HTTPS sites, which means more traffic and better placement in search results.
If your website isn’t fully encrypted, it’s scramble time. In addition to purchasing, configuring, and installing an SSL certificate, you’ll also need to make sure that any plug-ins used on your site load their content over HTTPS as well; a single script or image fetched over plain HTTP leaves the page only partly secured.
Note that 90-day SSL certificates are available for free, but you’ll then need to renew the certificate every three months. Certificates with 1- and 2-year terms can be purchased from most domain registrars, including GoDaddy, Web.com, and Network Solutions. If your site is hosted, get in touch with your hosting provider – but expect them to be busy.
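Two checks that follow from the two points above, as an added example that is not part of the original post: how many days remain on a certificate (so a free 90-day certificate is renewed before it lapses), and which sub-resources a page or its plug-ins still load over plain HTTP. It uses only the Python standard library; the 30-day renewal threshold, the `days_until_expiry`, `needs_renewal` and `find_mixed_content` names, the sample date and the sample page are all my own constructions, not anything the post provides.

```python
"""Added example (not from the original post): two checks for a site moving
to HTTPS. 1) days remaining on a certificate, so a free 90-day cert is
renewed before it lapses; 2) sub-resources a page (or a plug-in on it) still
loads over plain HTTP, which keeps the page from being fully secured.
Standard library only; all inputs below are constructed samples."""
import ssl
from html.parser import HTMLParser

# Assumption: start renewing when fewer than this many days remain.
RENEW_THRESHOLD_DAYS = 30

# Constructed 'today' for the worked example: 2018-05-26 12:00:00 UTC.
SAMPLE_NOW = 1527336000
# Constructed notAfter value, in the format ssl.SSLSocket.getpeercert()
# returns under the 'notAfter' key.
SAMPLE_NOT_AFTER = "Jun 25 12:00:00 2018 GMT"


def days_until_expiry(not_after, now_seconds):
    """Whole days until the certificate's notAfter time; negative if expired."""
    expiry_seconds = ssl.cert_time_to_seconds(not_after)
    return int((expiry_seconds - now_seconds) // 86400)


def needs_renewal(not_after, now_seconds):
    """True once the certificate is inside the renewal window."""
    return days_until_expiry(not_after, now_seconds) < RENEW_THRESHOLD_DAYS


# Tag -> attribute(s) whose URL the browser fetches while rendering the page.
# <a href> is deliberately absent: a plain-http link is navigation, not
# mixed content.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src",),
    "audio": ("src",),
    "object": ("data",),
    "link": ("href",),
}
# <link> is only a fetched resource for these rel values; rel="canonical",
# for example, is metadata and is never loaded by the browser.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "manifest"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, url) pairs for resources requested over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if url and url.strip().lower().startswith("http://"):
                self.insecure.append((tag, url.strip()))


def find_mixed_content(html):
    """Return (tag, url) pairs for sub-resources fetched over plain HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Constructed page: one third-party plug-in script and one image are still
# plain HTTP; the canonical link and the <a> link are not fetched resources.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="http://plugin.example.test/widget.js"></script>
</head><body>
<img src="HTTP://images.example.test/logo.png">
<a href="http://www.example.test/about">About</a>
<iframe src="https://player.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    days = days_until_expiry(SAMPLE_NOT_AFTER, SAMPLE_NOW)
    print(f"certificate expires in {days} days; "
          f"renew now: {needs_renewal(SAMPLE_NOT_AFTER, SAMPLE_NOW)}")
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
```

On a live host the `notAfter` string comes from `ssl.SSLSocket.getpeercert()` after a TLS handshake, and the HTML from the rendered page; the scanner only sees what is in the markup it is given, so resources that a plug-in's JavaScript inserts at run time have to be checked in the browser's console as well.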
This week’s news has contained a lot of info about the so-called Heartbleed Bug. Here’s a quick snapshot of what you need to know as an organization and what your users should know.
First, Heartbleed is a flaw in OpenSSL, the SSL/TLS implementation used on many computer systems – primarily Linux. Windows systems appear largely unaffected. SSL provides communications security and privacy over the Internet for applications such as web, email, instant messaging, and some virtual private networks.
The implications are serious. In Codenomicon’s testing, the testers reached systems from the outside without leaving a trace and were able to obtain user names and passwords, messages, emails, and business-critical documents.
Netcraft has reported that many sites are already deploying new certificates in response, including Yahoo, Adobe, CloudFlare, DuckDuckGo, GitHub, Reddit, Launchpad, PayPal, Netflix, and Amazon’s CloudFront content delivery network.
If your organization runs Linux systems, test them immediately using publicly available tools, and if a system is affected, deploy a fixed OpenSSL build ASAP.
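A first triage step for that testing, as an added example that is not part of the original post: classify the `openssl version` output collected from each Linux host by its upstream version number. It relies on facts about the bug that the post does not state but that are well established: the flaw is in the TLS heartbeat code introduced in OpenSSL 1.0.1, it is present in 1.0.1 through 1.0.1f and in 1.0.2-beta1, it is fixed in 1.0.1g and 1.0.2-beta2, and the 0.9.8 and 1.0.0 branches never had the code. The `heartbleed_exposure` and `triage` names and the host inventory are my own constructions.

```python
"""Added example (not from the original post): triage of 'openssl version'
output from Linux hosts, by upstream OpenSSL version number. Facts relied on:
the heartbeat code entered OpenSSL in 1.0.1; 1.0.1 through 1.0.1f and
1.0.2-beta1 carry the bug; 1.0.1g and 1.0.2-beta2 fix it; 0.9.8 and 1.0.0
never had it. The host inventory below is constructed."""
import re

# Matches e.g. 'OpenSSL 1.0.1e 11 Feb 2013' or 'OpenSSL 1.0.2-beta1 24 Feb 2014'.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

VULNERABLE, FIXED, NOT_AFFECTED, UNKNOWN = "vulnerable", "fixed", "not-affected", "unknown"


def heartbleed_exposure(version_output):
    """Classify one 'openssl version' line by upstream version number alone."""
    m = VERSION_RE.search(version_output)
    if not m:
        return UNKNOWN
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if branch < (1, 0, 1):
        return NOT_AFFECTED  # 0.9.8 / 1.0.0: no heartbeat extension code at all
    if branch == (1, 0, 1):
        # 1.0.1 betas, 1.0.1 and 1.0.1a..f carry the bug; 1.0.1g is the fix.
        return VULNERABLE if letter <= "f" else FIXED
    if branch == (1, 0, 2):
        return VULNERABLE if beta == "1" else FIXED  # only 1.0.2-beta1 is affected
    return FIXED  # later branches were released after the fix


# What to do per status. A distro package can carry a backported fix while
# still reporting 1.0.1e, so 'vulnerable' means 'verify, then act', not
# 'confirmed exploitable'.
ACTIONS = {
    VULNERABLE: ("check the package changelog for a backported fix; otherwise "
                 "upgrade to 1.0.1g or later, then deploy new certificates and "
                 "have users change passwords"),
    FIXED: "no action for this bug",
    NOT_AFFECTED: "no action for this bug",
    UNKNOWN: "not recognisable OpenSSL output; inspect the host manually",
}


def triage(inventory):
    """inventory: {host: 'openssl version' output} -> {host: (status, action)}."""
    result = {}
    for host, output in inventory.items():
        status = heartbleed_exposure(output)
        result[host] = (status, ACTIONS[status])
    return result


# Constructed inventory; the version lines are real upstream release strings,
# the host names are made up.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-db": "OpenSSL 1.0.0l 6 Jan 2014",
    "build-03": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance": "sh: openssl: command not found",
}

if __name__ == "__main__":
    for host, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status:13} {action}")
```

The version-string check is a screening tool only: Debian, Ubuntu and Red Hat ship security fixes as patches on top of the existing upstream version, so a host reporting 1.0.1e may already be fixed. For those hosts, confirm with the package changelog (`rpm -q --changelog openssl` or `apt-get changelog openssl`) or with one of the publicly available test tools the text mentions before deciding a system is clean.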
What should you do as a user? If you can connect to a site or appliance over HTTPS and it isn’t running on Microsoft Windows, consider it vulnerable until proven otherwise. Look for confirmation from the site that it has tested for the vulnerability and has either corrected it or verified it isn’t affected. And of course, this is a good time to change your passwords for any SSL-secured sites – just as a precaution.