Lots of Changes as of Late with Regards to SSL Security
The biggest change with regards to SSL and using HTTPS links on all pages is:
The Google Chrome web browser has begun rolling out Version 68, which will mark any website as “insecure” that is not using an SSL certificate for any web page.
The browser now shows this explicitly:
Previously, the words “Not secure” were not visible, only the “i” with the circle that you could click for more information.
When Google releases version 70 in October, the warning will be more pronounced – Red letters with a warning triangle.
What Should Website Owners Do?
Now is a good time to consider converting your entire site to use HTTPS secure links on all pages – Not just the pages that accept credit card data.
The first step is to obtain an SSL certificate if your site does not already have one. If you’re a hosting client of ours, we offer a variety of options for SSL certificates. Obtaining one through us ensures your certificate will not expire without your knowledge, and we can help with any issues that may come up.
Once you have an SSL certificate and it is installed for your website, your web pages must be converted to use SSL on all pages. This can be somewhat involved, as old insecure image calls, JS/CSS calls, etc… all need to be updated. If you host with us, we have a seamless process to handle all of this without any work needed on your end. We charge a one time fee to complete this conversion. Contact us for details.
Besides changing links, code should be added to force SSL for anyone coming into an older non-secure link. This is typically done in your site’s .htaccess file. We take care of this for our clients that opt to have us complete the SSL conversion.
The last step is registering the secure HTTPS version of your website at Google in your Search Console account.
TLS 1.0 Should Be Disabled for PCI Compliance
The other big change with regards to SSL is for ecommerce sites who are under the scope of PCI compliance. If your site accepts credit cards directly (i.e. you’re not using an offloaded card service like Braintree or Authorize.net SIM where the customer is entering their card details on the processor side), then to be PCI compliant, your site can no longer use the outdated TLS 1.0 protocol.
Confused by what TLS 1.0 is? It’s a method used for encryption that is theoretically unsafe under certain conditions. The PCI council has set the deadline of June 30, 2018 to no longer use TLS 1.0 to be PCI compliant.
What’s the impact? If your site does not support TLS 1.0, then very old web browsers like Internet Explorer version 6 through 10, old Android phone browsers, and outdated browser versions may not be able to access your site securely. SSL Labs has a handy TLS chart that shows which browsers are affected.
If you are hosted with us, and would like TLS 1.0 disabled, just drop us an email, and we can disable it for your website. We made the choice not to automatically disable this protocol globally, as some websites may not be in PCI scope, some may want to cater to older browsers, etc… It is an optional change for any of our hosting clients.
…
If you have any questions about these changes, get in touch with us, or leave a comment!
Looking for a web host that understands ecommerce and business hosting?
Check us out today!