Website Not Encrypted? Google Soon Will Add Warnings That Could Turn Visitors Away
Come July, Google Chrome will add stark security warnings that could turn business away from your website if it’s unencrypted. Specifically, Google will brand your site as “not secure” in the address bar of its popular web browser if it senses you’re operating without encryption. “Users presented with this warning will be less likely to interact with these sites or trust their content,” so it’s “imperative” that site operators get their websites encrypted, said Patrick Donahue, security engineering product lead at Cloudflare, a web services provider.
Some transportation executives lauded the coming change as a positive step to enhance cybersecuirty.
“I think Google is absolutely doing the right thing by advocating for tighter security,” said Kris Rzepkowski, executive director of marketing at Bennett International Group.
Tim Haynes, vice president of online marketing at Penske Truck Leasing, added, “I consider it important for security and customer safety.”
Moreover, this move by Google to police the web will be replicated by Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge and Apple Safari sometime after July, according to Donahue.
Given that those browsers together service more than 90% of all the people surfing the web, according to Netmarketshare, it’s no surprise that the “not secure” branding campaign is expected to trigger a stampede of businesses — including transportation firms — desperately looking for encryption come July.
Indeed, even now, Google is posting more subtle warning notes in its browser about many websites. The warning appears as an exclamation point in the address bar, which you need to click on to retrieve Google’s admonition that the site is not secure.
In contrast, the search giant has decided that come July, its warning will be stark and dramatic. Visit any website that’s not encrypted and that site will be branded with the words “not secure” right in the Google Chrome address bar — no clicking necessary.
“Google has been gearing up for this change since 2014,” Donahue said.
It’s in Google’s “best interest to make policy decisions that are in the best interests of the majority of U.S. businesses,” Bennett’s Rzepkowski said. “Trying to be proactive in slaying some of these security concerns is a necessary role for Google. I do personally believe that Google has risen to its position in the search space by providing a platform from which most businesses today have profited over the past 10 years.”
For years, the campaign to encrypt websites has been mostly limited to e-commerce sites, where shoppers enter their credit card numbers and other highly sensitive information that hackers are looking to steal.
Such sites run on the hypertext transfer protocol secure standard — or HTTPS — and often feature a green lock or other green emblem in your browser address bar, indicating that the website is encrypted and operates at a much higher level of security than other sites.
Amazon.com, for example, features the emblem of a green lock when its web address is called up in most browsers — clearly indicating that its site is encrypted.
Standard websites that run on the older hypertext transfer protocol — or HTTP — are not encrypted and feature no such emblem.
Compounding the anticipated pandemonium over “not secure” branding is a related decision by Google to “remove trust” in any website certified as encrypted by Symantec prior to June 1, 2016.
The reason: Google has repeatedly expressed skepticism regarding the veracity of Symantec’s certification process prior to that date, and has simply decided to invalidate such certifications for users of its Chrome browser.
The decision — which goes into effect no later than July — will be a major blow to some website operators in its own right, given that Symantec is one of the largest purveyors of encryption certifications on the web.
Hardest hit by the dual decisions will be operators of nontransactional websites, which require no passwords for entry and do not accept credit cards or other forms of digital payment.
For years, such sites were not favorites of hackers, given that no monetary transactions took place there and consequently, many nontransactional sites did not worry about encryption.
But more recently, hackers have been plundering these unencrypted sites by inserting code in their webpages that enables them to download malware to someone visiting that site, or code that directs a visitor to a phony webpage asking for credit card or other personal information from the site visitor.
Even so, some in the trucking industry are a bit leery of Google’s power to unilaterally brand millions of websites as sketchy neighborhoods — essentially dangerous places you don’t want to visit.
Tom Benusa, chief information officer at Transport America, for example, sees Google’s move as heavy-handed.
Granted, Benusa sees the sense in requiring e-commerce sites to operate with encryption. But forcing millions of other nontransactional websites to encrypt — based on the worry that some of those may one day be implanted with malware by sophisticated hackers — is a step too far, he said.
“For sites that are not asking for information and don’t even contain a form to gather data, we feel that these sites should be allowed, as they always have been, to operate” without encryption, Benusa said.
He also remains unconvinced that what’s good for Google when it comes to encryption is necessarily what’s good for everyone doing business on the web.
“I think that Google can only ensure their profits — not ours,” Benusa said. “This change reflects only their business philosophies and strategies — not that of their customers. ... I think Google can be counted on to make the web more expensive for advertisers.”
Chad Reiling, social media manager at Trans-System, is more sanguine about the coming change. But he, too, believes all businesses need to train a watchful eye on moves made by Google that impact millions of businesses overnight.
“The web will continue to be a viable place to do business, provided businesses are willing to play by Google’s, Facebook’s and other major media outlets’ rules,” Reiling said. “In this case, Google’s rules are intended to support the safety and experience of the end user — as they should be.”
“But care should be taken to ensure these entities do not shift away from their user-centric position,” he added.
Whatever your perspective, the good news for truckers looking for encryption in light of Google’s move is that many web hosting companies have decided to offer basic encryption as a free, value-added service.
“Today, HTTPS is fast, simple to deploy, and cost-effective if not free — and there’s no longer an excuse for not using” it, said Cloudflare’s Donahue.
Many of those web hosting companies offering free encryption work with Let’s Encrypt, a nonprofit organization whose mission is to offer free, basic encryption to any website owner that needs it. Let’s Encrypt also provides the certificate businesses need to prove to website visitors — and to Google — that their site is encrypted.
If you’re looking to go the free route with Let’s Encrypt, the best strategy is to talk with your web hosting company and verify that it has a tool on your website control panel that enables you to easily add a Let’s Encrypt certification to your site.
Many web hosts without such a tool also enable you to install Let’s Encrypt certification. But that manual process is tedious and it’s often easier under such a circumstance to simply switch to a web host that features a Let’s Encrypt tool.
Either way, you’ll need your web designer, or someone very web savvy, to verify your website’s transformation to encrypted status and to ensure that all the coding on your site reflects that change.
An easy alternative — if you have a very small site with just a few pages — is to simply purge your old site, re-establish it as an encrypted website from the get-go and then simply rebuild the few pages you have from scratch. Of course, there are also any number of web hosts and security providers more than happy to encrypt your website for a fee.
But the bottom line is that transportation firms need to get their encryption done before July. That will ensure their websites avoid the “not secure” branding and eliminate the need to approach encryption-for-a-fee providers as a party incredibly desperate for their services.