[SBWG] Google's SSL changes are coming fast!

Published: Tue, 01/24/17

Hi, ,

You may have heard that Google will soon start penalizing sites that are not secured with SSL certificates.  The first phase is to flag sites that ask for passwords and/or credit card data.  Eventually, any site that does not have SSL security will be flagged as "not secure".

The Google Chrome browser already displays a site's security status in the URL field if the site is considered secure.  To the left of the URL, you'll see a green padlock and the word "Secure" in green.  The URL will also begin with "https://".

Sites whose URLs begin with "http://" do not currently have a status message to the left of the URL, but the upcoming version of Chrome will show the words "Not Secure" in red.  Not having SSL security on your site will also mean that search engine results will show "Not secure" at some point in the near future.  This, as you can imagine, will have an adverse effect on the confidence of someone searching in Google.  They're much more likely to go to a site marked "secure" that one marked "not secure".

This coming change is a big deal and needs to be addressed as soon as possible.  There are two parts to addressing the issue on your site:

1. Obtain an SSL certificate for your site.
2. Change all the links on your site from "http" to "https".

The type of SSL certificate you will need depends on how your site is used.  If it's just a matter of the WordPress password screen, you can get by with a free SSL certificate from Let's Encrypt or a similar service.  This assumes that your web host supports Let's Encrypt.  Many hosts already support Let's Encrypt and more are coming on board every day.

If you sell from your site, the way in which you take payments dictates whether you can use the free certificate or not.  If you use the standard PayPal interface and the buyer goes off your site to the PayPal site to make their payment, you can use the free certificate.  If you use Stripe or another payment processor where your buyer enters the credit card data on your site, you need a paid certificate.  The costs for these range from about $15 to several hundred dollars per year.

Paid certificates are typically good for one year at which point they need to be renewed, i.e. purchased and installed again.  The free Let's Encrypt certificates expire every 90 days, but the host has a background process that runs and renews them automatically.

The certificate is actually the easy part.  Once you have a certificate on your site, you must make sure that all the site content is served from the https URL.  Otherwise, the status will be shown as "not secure" and you might as well not have the certificate at all.  Depending on your site, this can be a fairly straightforward process or not.  The only way to tell is to do an assessment of your site.

I know the first question you'll probably ask is "how much is this going to cost?"  The answer, like most things, is "it depends."  If you need a paid certificate, of course, that cost depends on which level of security you need.  Even with a free certificate, there will be the cost of updating all the URLs and links in your site.  Depending how the site is constructed, this could be simple or complex.  Again, there's no way to tell without evaluating your site.

I will, of course, be happy to evaluate your site and review with you what you'll need to get up to speed with SSL.  I expect a very high demand for this service in the coming weeks so I suggest you plan to do this sooner rather than later.  It will be first come first served with my Website Management Program clients getting first priority, so this would also be a good time to review that offering to see if it's right for you and your site.  Details on the WMP can be found here:


Feel free to contact me with any questions or concerns.