Why is my website displaying as ‘Not secure’?

Posted by on Feb 9, 2017 in Industry, Marketing Advice, Security


If you keep your browser up to date (which we recommend), you might have seen a warning about sites you visit being unsecure. In this article, we will try to explain why you are seeing it, whether you should worry about it and, if you have a website yourself, what you can do to stop your website being flagged as “Not secure”.


First, a little bit of history

When the internet was first introduced, it was a tool for sharing data. It made it (relatively) easy for computers to connect and share information with each other. A protocol was devised that allowed one computer to request information from another computer or server. This was called the HyperText Transfer Protocol or HTTP. It served us very well until people started putting things on the internet that they didn’t want shared – things like passwords, phone numbers and eventually bank details & credit card information. At this point, a new version of HTTP was created: HTTPS. The S, unsurprisingly, stands for secure.

How does it work?

The mathematical field of cryptography is fascinating but sadly too large and diverse for this article, so we are going to have to simplify some parts of it to keep this to one blog post. When using an HTTPS website, your computer and the server encrypt all the information that is sent between them. They do this in a clever way which means that only the intended recipient can decrypt it and (importantly) it also means that the contents can’t be altered by hackers. If you are interested in the theory behind it, read about Public Key Encryption.

Why do we need these precautions?

Interestingly (or worryingly), it is very easy for hackers to see the data that you send or receive with your computer over the internet. This is made even easier if you are on a public WiFi network, but it can also be done on private networks (such as the one you have at home or work).

If the information is not encrypted, the hacker can simply read the information. If it is encrypted, it is very difficult for the hacker to read the information. This is why, on Google Chrome, any pages that ask for sensitive data such as passwords or credit card details will be flagged as unsecure.


What if I don’t ask for sensitive data?

For the time being, if your website doesn’t ask for sensitive data, your site should not be flagged so prominently as unsecure. Instead, you will see an information icon that will only show the site as ‘Not secure’ if it is clicked on.
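
The rule described in the two sections above can be turned into a small audit a site owner could run over their own pages. This is an added example, not code from the original article or from any browser: the names `classify` and `SensitiveFieldFinder`, the sample URLs and the sample HTML are all constructed, and recognising card fields by their `cc-` autocomplete tokens is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> fields that ask for a password or card details."""

    def __init__(self):
        super().__init__()
        self.found = []  # e.g. ["password", "cc-number"]

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.found.append("password")
        # Assumption: card fields carry the standard HTML autocomplete
        # tokens (cc-number, cc-exp, cc-csc, ...). A real browser may
        # use further heuristics that this sketch does not model.
        for token in a.get("autocomplete", "").split():
            if token.startswith("cc-"):
                self.found.append(token)


def classify(url, html):
    """Return (label, sensitive_fields) for one page.

    "secure" only means the page was requested over HTTPS; the
    certificate itself is not validated here.
    """
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    if urlsplit(url).scheme.lower() == "https":
        return "secure", finder.found
    if finder.found:
        return "not-secure-prominent", finder.found
    return "not-secure-info-icon", finder.found


# Constructed sample pages (not taken from any real site).
PAGES = {
    "http://shop.example/login": '<form><input name="u"><input type="PASSWORD" name="p"></form>',
    "http://shop.example/pay": '<input autocomplete="cc-number"><input autocomplete="cc-exp"/>',
    "http://shop.example/about": '<p>About us</p><input type="search" name="q">',
    "https://shop.example/login": '<form><input type="password" name="p"></form>',
}

if __name__ == "__main__":
    for page_url, page_html in PAGES.items():
        print(page_url, *classify(page_url, page_html))
```

Pages reported as `not-secure-prominent` are the ones to move to HTTPS first, since those are the ones visitors will see flagged.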

Stealing data, anything else?

Yes, unfortunately it’s not just the data you send from your computer that can be read and tampered with. The data that is sent from the server to your computer is just as vulnerable. Sometimes, this can be even worse.

A clever hacker could also add things to the web page. For example, the hacker could make the website look like it wants you to sign in, except, when you enter your username and password, they are sent straight to the hacker rather than the website you are trying to access. The hacker could also ask you to download files that contain viruses or other malicious content.

Long Term

Although none of us can say for sure what Google is planning, it looks like they are heading towards marking all HTTP sites as unsecure. This is a first step. How many steps they will take and how long it will take them is anybody’s guess. I wouldn’t be surprised if there was another interim step that showed the “Not Secure” warning on all sites that offer downloads before eventually marking all plain HTTP sites, regardless of what they contain.

It is also likely that other browsers will follow suit: Mozilla’s Firefox has already released a blog post saying they would like to phase out HTTP.

Our Advice

We take security very seriously at Fellowship, so we would always err on the side of caution. Our advice to all web users would be to only share personal information over a site with HTTPS. If the page you are trying to use to pay doesn’t use HTTPS, I would not share bank or card information. If it is asking for a password, I might consider using it if that password wasn’t being used anywhere else and there wasn’t any other personal information on the site.

Another benefit of an SSL certificate (the certificate that marks your site as secure) is that Google and other search engines have started favouring secure sites in their search listings. If SEO is important to you, then investing in an SSL certificate will help to improve your website’s rankings.

As a site owner, we would advise you to get an SSL certificate, even if you are not asking for private information. If you are interested in talking to us about the implementation of an SSL certificate, please contact Matt, our Digital Account Manager.