HTTPS – no longer just for banking and ecommerce sites
Steve Allen

We've long since all become accustomed to seeing certain website addresses starting with HTTPS, rather than the standard HTTP, and the accompanying reassuring sight of the trusty green padlock next to the address bar, indicating that the webpage that you're viewing is secure.

HTTPS signifies that the webpage/site in question is running over a secure connection and that any data sent to or from the webpage will be encrypted in the process and therefore transferred securely.

Traditionally, HTTPS has been implemented and seen mostly on websites that deal with sensitive information and data - such as online banking websites or the checkout section of an ecommerce website for example. Here it is obviously a necessity to ensure that details such as credit card details or banking logins are submitted with confidence.

However, in recent times, the shift towards a more secure web overall now means that there are increasing reasons for ALL websites to move over to HTTPS, with the aim being to ultimately ensure that any data you send/receive on any website is done so securely.

For some time now, Google's search engine has taken into account whether or not a site is secure as part of its ranking factors, adding SEO value to sites that are running fully under HTTPS.

This year, Google's push for a more secure web has also seen it introduce a new feature to the popular Google Chrome browser, used by around 55% of all internet users worldwide. The new feature further highlights to users when they are likely to be submitting data over a non-HTTPS webpage. When Chrome users navigate to any page which has a form on it that looks to be asking for sensitive data, it now adds an additional label to the address bar of the browser stating that the page in question is "Not Secure".

An example of the Not Secure label shown to the left of Google Chrome address bar

This occurs on pages that look to be asking for credit card information or for password details, such as on login or registration forms. You'll also see it happening across any pages of a website where a login form is hidden from view by default but is held within the code of the page. Clicking on the "Not Secure" label reveals a further message warning users not to enter sensitive information on the website as it "could be stolen by attackers".

The expanded panel can potentially cause further concern for users

UPDATE: Google has now announced that the "Not Secure" flag will be triggered on ALL form elements from October 2017 onwards. This will therefore affect any page of your website where any kind of data submission occurs, including common forms such as search boxes, contact forms, newsletter signup boxes and similar.
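To find out which pages of a site would show the label, the markup can be audited before the switch. The following is an added example, not Chrome's own detection logic and not code from the original article: it treats `type="password"` and `autocomplete="cc-*"` fields as the sensitive case (an assumed heuristic), reads the markup rather than the rendered page so that hidden login forms are counted, and uses constructed sample pages on the placeholder host `example.test`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

NOT_TYPED = {"hidden", "submit", "button", "reset", "image"}

class FieldCollector(HTMLParser):
    """Collect data-entry fields from markup, whether or not CSS hides them."""
    def __init__(self):
        super().__init__()
        self.sensitive = []  # password or payment-card fields
        self.other = []      # every other field a visitor can fill in

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea", "select"):
            return
        a = dict(attrs)
        kind = (a.get("type") or "text").lower() if tag == "input" else tag
        if kind in NOT_TYPED:
            return  # buttons and hidden values carry no user-typed data
        label = a.get("name") or a.get("id") or kind
        # Heuristic (assumption): type=password, or an autocomplete token "cc-*"
        tokens = (a.get("autocomplete") or "").lower().split()
        if kind == "password" or any(t.startswith("cc-") for t in tokens):
            self.sensitive.append(label)
        else:
            self.other.append(label)

def audit_page(url, html):
    """Return (verdict, field_names) for one page of the site."""
    if urlsplit(url).scheme == "https":
        return ("ok", [])
    c = FieldCollector()
    c.feed(html)
    c.close()
    if c.sensitive:
        return ("flagged-password-or-card", c.sensitive)
    if c.other:
        return ("flagged-any-form-oct-2017", c.other)
    return ("ok", [])

# Constructed sample pages (not taken from any real site).
HIDDEN_LOGIN = ('<div style="display:none"><form action="/user">'
                '<input name="name"><input type="password" name="pass">'
                '<input type="submit" value="Log in"></form></div>')
SEARCH_ONLY = '<form action="/search"><input type="search" name="keys"></form>'

if __name__ == "__main__":
    for url, html in [("http://example.test/", HIDDEN_LOGIN),
                      ("http://example.test/about", SEARCH_ONLY),
                      ("https://example.test/", HIDDEN_LOGIN)]:
        print(url, *audit_page(url, html))
```

Running it over every page template of a site gives the list of pages to check first once the certificate is installed.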

An example of the more reassuring 'Secure' message on websites running under https

Now whilst the reality is that the websites/pages in question are no less secure than they were previously, the wording of the label does have the potential to cause concern amongst some users and to potentially deter them from using websites where this is shown. Not all users will be concerned - some probably won't even notice it at all - but it's another very good reason to think about moving your website over to SSL.

We've already made the move to HTTPS for a number of our Drupal Support clients recently and will be encouraging other clients to follow suit shortly. The process is as follows:

  • We order the certificate on your behalf from a reputable security certificate provider
  • The certificate is installed on the server and the site then configured to work under HTTPS
  • We then test the website under https to ensure there are no issues with any content/services running under HTTPS. During this time, the website is still available to the public under normal http so there is no disruption to the site during this testing period
  • After successful testing, all traffic on your website is redirected to the https version
  • We'll then automatically renew the security certificate for you as and when required

The whole process can be done with minimal input from the client themselves and should involve no downtime or other disruption to your website while the security certificate is being implemented. The cost of the certificate and time to configure/test it can either be billed as a one-off piece of work or can be deducted from your contracted support hours for existing Drupal Support clients.

If you have any questions about SSL or would like to discuss making the switch to HTTPS for your website, please contact either your account manager at Adaptive or contact us here.