Your website should be using an SSL certificate by default now

You need to take action now to make your website secure

In July 2018, Google will be updating their Google Chrome browser to show all websites as being “Not secure” unless they have an https:// secure server certificate.

Until now, Google Chrome has shown secure websites as “Secure” and with a padlock beside them, while all other websites have a little  ‘i’ in a circle.  Recently, if anyone has clicked on the  they’d see a message which says “Your connection to this website is not secure” – but it’s been hidden away.

From July it’s going to be made really obvious.

If your website doesn’t have an SSL secure server certificate and isn’t using it by default, at the moment you’ll see the ‘i’ in the address bar when you visit your website using Google Chrome.  After the update in July, you – and your visitors/customers – will see the big “Not secure” warning without clicking anything – it’ll just be there.

It doesn’t cost anything to get a secure certificate

In fact, with your Digital Red hosting account, you’ve already got one.  It’s installed by default – and is already there.  You could visit https://www.your-domain.co.uk now.  Until you check and update your website, though, there may be some non-secure images or links which still give security warnings.  You also need to tell your website to only work on a secure connection: you want people who visit http://www.your-domain.co.uk to be redirected immediately and automatically to https://www.your-domain.co.uk.

SSL certificates used to cost about £50 a year, need a special kind of account, and to be installed and updated every year.  Your account now has a free “Let’s Encrypt” certificate which has been working for almost a year already, and which automatically renews itself.  You don’t need to do anything to get the certificate, you just need to make sure that your website uses it.

What you need to do – and when

You need to make your website work as https://www.your-domain.co.uk without any security warnings or errors.  That’ll probably need some minor changes to how some images and website content is loaded.  You or your web developer may be able to do it.  If not, I can help you.

Don’t leave it too long though – the sooner that you get your website updated, the better.  You could have a secure website now, but to save yourself the embarrassment of the “Not secure” badge in July, you need to get your site sorted out before the end of June.

How to tell if your website is already secure

Simple: use Google Chrome and visit www.your-domain.co.uk.  That’d be the non-secure site by default, so if you see the padlock and the Secure note next to your-domain.co.uk in the address bar, you’re done.  Just make sure that there’s no shield icon to the right of the web address which warns of “insecure content” being blocked.

You can use the Why No Padlock? website to test your website: you should get six big green ticks: five under the ‘Connection’ and one under ‘Mixed Content’ – like this:

If you update your own website

You need to make sure that each page on your website refers only to secure content – so all of your images, stylesheets, fonts and scripts need to be downloaded over https:// connections.  You can then use the .htaccess file to ensure that visitors can only access your site on https://www.your-domain.co.uk.  You don’t need to tell anyone you’ve done it, and nobody needs to make any alterations to links or bookmarks.  The search engines will reindex your https:// site and replace their http:// search results over the next 2-6 weeks.

I’ve already updated loads of websites: depending how they were originally written, some are easy and others are more difficult. They’ve taken anything between 30 minutes and 2-3 days to modify.  I can help you if you get stuck: you can call me on 020 3411 4445.

If someone maintains your website for you

Hopefully they’ll already have the switch to https:// in hand, but it’s worth you checking to make sure.  You can tell the person who looks after your website that your site is hosted on a cPanel-based server and that Let’s Encrypt is already generating the certificate.  It’s a job they’ll have done before, so should be able to do it for you fairly quickly.

If I maintain your website, or if you think I maintain your website

I may have already switched your website over to default to using https:// already, but if I have done, I’d already have told you.  I’m sending this email to everyone with a hosting account on the Digital Red cloud server.  It’s possible that I arranged the hosting of your website, but that I don’t actually maintain it – in which case – I won’t have done anything about setting your website to use https:// by default.

Please don’t assume that I’ve done it, or will do it for you, unless I’ve already said that I’m working on it.  It isn’t something that happens automatically and even on a simple website, will need a little manual work.  Call me on 020 3411 4445 if you’re not sure.

If you have other websites hosted elsewhere and they don’t give you a secure certificate

The easiest thing for you to do would be to speak with the people who host your website and ask them why!  Alternatively, we could move your website so that it is hosted on the Digital Red webserver and will benefit from the automatically-generated “Let’s Encrypt” certificates.

A hosting account with 1 GB of discspace is £49pa: I can set one up for you, and help transfer your site from the old server to the new at the same time as setting up the SSL secure certificate.

If you have a hosting account but don’t have a website (maybe you use your account only for email)

If you don’t have a website, you are not affected by this change, and don’t need to do anything!  You don’t need to let me know that you don’t have a website or if you don’t want to use the secure certificate.

Eh?!  Scrolled to the bottom and don’t know what this is all about?!

Google have decided that it’s about time the web got more secure.  They’re going to start showing up everyone who has a website that isn’t secure by putting a big “Not secure” sticker next to every site that doesn’t have (and use properly) an SSL secure server certificate.  They’re starting that in July with Google Chrome, and other browsers will follow.

To avoid looking like a dodgy geezer, everyone who has a website must get an SSL certificate.  The good thing is that if you have a hosting account with Digital Red, you’ll already have one – you just need to start using it.  As you got this email because you have a hosting account with Digital Red, you’re halfway there already.  If you’ve not got your website sorted out already, now is the time to go and do it!

Questions or problems?

Bring this page to the attention of to the person who looks after your website or contact me if you have questions for me.  You can call me on 020 3411 4445 between 08:30 and 17:30 Monday to Friday, or email me anytime.  Before you do that, though, if you don’t have a website, this just isn’t for you – you don’t need to do anything!