10 January

Is your website properly SSL-enabled?

Here’s a fun partial spoiler: one of the many, many companies that don’t have SSL/HTTPS properly enabled greets visitors to their website with the tagline, “Securing the digital world.”

I mentioned a few days ago that I’m embarking upon an exciting research project. As part of that project, I’ve done a fairly extensive audit of the websites of tech (and tech-related) companies in the Waterloo Region.

One thing I decided to track was whether or not a company’s website has SSL/HTTPS properly enabled.

When customers and prospects land on your website, what do you want them to see? A giant warning, a security notification – or a comforting, secure padlock icon?

Huh? SSL? I thought you were a marketing agency…

OK, why should marketers care about SSL? Broadly, there are two major reasons.

Won’t someone think of the Googles!

First, Google announced in 2014 that, in an effort to encourage Internet security practices, their search rankings would favour HTTPS-enabled sites (if you didn’t already know that, then perhaps I grabbed your attention). That’s right – among the myriad factors that impact where your site shows up in Google’s search results is whether or not your site uses HTTPS.

Like all things Google search-related, there’s a certain amount of opacity about the impact; maybe it’s not make-or-break for your company, or maybe it’s the critical factor that pushes you to the oblivion of page 2.

(Oh, also think of your customers)

Second, there’s the overall user experience. Anyone who uses a major web browser has probably run into gigantic warnings that a site isn’t secure, and attackers might be trying to steal your data, and so on. That’s because those sites aren’t SSL-enabled. Is that what you want your customers to see? A giant warning?

Or maybe your configuration doesn’t lead to a giant warning, but just one of those information icons before the URL. The user impact probably isn’t quite as severe, but it’s still negative, and easily avoidable.

Fun with Data

I manually inspected several hundred websites, and found that roughly one fifth of tech companies based in the Waterloo Region don’t have SSL/HTTPS properly enabled.

Update: As mentioned in the body, below, and explained further in the comment section (see comment from Don Bowman), my “Properly Enabled” designation is somewhat misleading in that my acceptance criteria were extremely low. More like “bare minimum to not be terrible”.

Here’s a handy donut chart, because pictures are fun!

Now, in case you’re thinking, “Well, I know my site is SSL-enabled, so he’s not talking about mine,” please take note that a pretty good chunk (I didn’t count) of the “Not Properly Enabled” sites actually had some SSL stuff set up, but incompletely, improperly, etc.

To drive that point home, here’s a fun fact: the website of one of the companies in the “Not Properly Enabled” category greets you with the tagline, “Securing the digital world.” I don’t want to be that guy, but, ummmm, might wanna fix that.

Also, many, many of the sites still allow HTTP connections – which really shouldn’t be allowed (they should redirect to the HTTPS version, see the comment below from Don Bowman). I was extremely forgiving and manually entered “HTTPS” into more than a few sites that still ended up in the “Properly Enabled” category.

So let me just add this disclaimer: I’ve used really the most liberal, easy-going test parameters.

I really suggest you do a quick check (see below, in this post, or see the comment from Don Bowman for much more detailed and comprehensive information), because whether the issue is that the certificate’s expired, or that the site’s trying to load scripts from an unverified source, or something else, the end impact is the same: no comforting padlock next to the URL.

While I’m here, a special hat-tip to the three companies whose respective sites have EV SSL properly enabled:

I salute you!

For those of you interested in wider trends, here’s an image captured today from Google’s Transparency Report – HTTPS encryption on the web.

Clearly the web’s come a long way since 2015 and, if your site isn’t HTTPS-encrypted, then you’re getting left behind.

Test Your Site

Here’s the easiest way to quickly test your website.

  1. In a modern browser (I use Chrome), open your website
  2. To the left (by default) of the URL, do you see a padlock? Great, you’re OK!

If you don’t see a padlock, then don’t despair! Look at the URL: does it begin with “http://” or “https://”? If the former, then go into the URL and add that “s” in there, and reload your page.

Is there a padlock now? If so, great!

If not, then you probably either have an information icon (usually a lowercase “i”) to the left of your URL, and/or you see a big, scary HTTP error in your browser.
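
The same check can be scripted. The following is an added example, not part of the original post: it uses only Python's standard library to repeat the browser's certificate check (trust chain, host name, dates) and to see whether a plain HTTP request is redirected to HTTPS. The function names and the 30-day renewal warning window are assumptions made for the example.

```python
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit


def redirect_verdict(status, location):
    """Judge the answer to a plain http:// request: it should send visitors to HTTPS."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "content served over plain HTTP"
    if urlsplit(location).scheme != "https":
        return "redirects, but not to an https:// URL"
    return "ok"


def expiry_verdict(not_after, now, warn_days=30):
    """not_after: notAfter string from ssl.getpeercert(); warn_days is an assumed window."""
    days = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    if days < 0:
        return "certificate expired"
    return "ok" if days > warn_days else f"certificate expires in {days} days"


def audit(host, timeout=10):
    """Live check of one host name (needs network access)."""
    result = {}
    try:  # browser-style handshake: chain, host name and dates are all verified
        ctx = ssl.create_default_context()
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
        result["https"] = expiry_verdict(not_after, time.time())
    except ssl.SSLCertVerificationError as exc:  # expired, wrong name, untrusted issuer
        result["https"] = f"certificate rejected: {exc.verify_message}"
    except OSError as exc:  # refused, timed out, or TLS handshake failed
        result["https"] = f"no HTTPS service: {exc}"
    try:  # http.client does not follow redirects, so the first answer is what we see
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        result["http"] = redirect_verdict(resp.status, resp.getheader("Location"))
        conn.close()
    except OSError:
        result["http"] = "ok (port 80 closed)"
    return result
```

Call `audit()` once for every host name you serve (the bare domain, `www`, and any second domain such as a `.ca`); a certificate issued for a different name shows up as `certificate rejected`.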

I just tested my site, and … I’m sad now.

OK, once again, don’t despair. Getting SSL on your site isn’t impossibly complicated.

I’m not going to go into details here (after all, I’m just a wee marketing agency), but some searching will tell you what you need.

The easiest way is probably to work with your web host/provider, but that can get expensive. Personally, rather than subscribing to my host’s SSL service (something like $15 or $20 a month), I use ZeroSSL – it’s free, and the only catch is that I have to manually renew it every 90 days (which takes all of 5-10 minutes).

Let’s Encrypt is full of good information, and (of course), Google has some helpful hints.

I hope that helps! Now, get out there and get encrypted!

But wait, there’s more.

Don Bowman, a member of the Board of Directors at the Canadian Internet Registry Authority (CIRA), has added a comment, below, that goes well beyond what I put in this post.

For those of you who might be curious, here’s the result of me running the SSL Labs test.

Header/Featured image credit: Google’s Transparency Report – HTTPS encryption on the web

Comments

  1. I think your ‘properly enabled’ is too broad, it’s just the bare minimum.

    I would guess much less than 80% are set up properly…it really needs to get an A from SSL Labs test to be proper

    To test, you probably want to reference https://www.ssllabs.com/ssltest/analyze.html instead of ‘use chrome’: for instance, they should have a CAA record, they should *not* allow both SSL and non-ssl (e.g. http://foo/* should redirect to https://foo).

    Canadian Tire has this issue, they use both, it leaks your session.

    #tlswallofshame

    Also, TLS is more than just web, they should have it on email (also https://www.checktls.com/)

    e.g. Aterica has good ssl, but missing CAA

    Another thing – a lot of companies forget their 2nd domain: e.g. they get foo.com, but forget foo.ca; or foo.ca has the foo.com certificate and is broken.

    (you should have got cromulent…ca as well! where’s your .ca!)
