Earlier this year (2018), Google’s Chrome web browser began marking sites without HTTPS as non-secure, meaning that websites served over HTTP connections are being penalised. This has implications for many schools, in that crucial school information placed on the website will be flagged to potential readers as insecure, advising that:
Your connection is not private
Warning: Visiting this site may harm your computer
Web browsers other than Google Chrome are also displaying security alerts when HTTPS is not being used. Not the best welcome to your school website.
Before we explore the steps that schools and web managers should take, let’s first explore what https is, and why web browser companies are encouraging websites to be secure.
HTTP (HyperText Transfer Protocol) and HTTPS (HyperText Transfer Protocol Secure) are both protocols, or languages, for passing information between web servers and clients. All you need to know is that HTTPS is a secure connection, whereas HTTP is not secure. With a standard HTTP connection, it is possible for unauthorised parties to observe the conversation between your computing device and the site.
This “conversation” is typically mundane, unless you are entering sensitive information such as your password, credit card information, or social security number on a website. An HTTPS connection adds a blanket of security over that conversation using an SSL/TLS protocol (Secure Sockets Layer and Transport Layer Security). This connection encrypts data to prevent eavesdropping, protects the integrity of data to prevent corruption in transfer, and provides authentication to ensure communication only with the intended website. In short: HTTP is not secure, and you should never trust your sensitive information to such a site. HTTPS is secure and is becoming the web standard.
Users expect a secure and private online experience when using a website; in penalising HTTP connections, Google is taking steps to ensure they get it.
To enable HTTPS on your website, you must first obtain an SSL Certificate from a Certificate Authority (CA). This certificate does a couple of things. Firstly, it enables your website to communicate with users using encrypted, non-corruptible data. The certificate also acts as a stamp of approval from a trusted party (in this case, the CA) that says your site is legitimate and secure (Source: SEJ).
What steps should schools take?
Ensuring that your school website is up-to-date and HTTPS secure is relatively easy:
- Use an up-to-date web browser on a PC or Mac, such as Google Chrome, Firefox, Safari etc. (not Internet Explorer!), and check that you are using the latest version of the browser software – usually hidden in the settings menu, or the ‘about’ information.
- Input your school website address. If you see the ‘secure’ notice (see picture), then everything is fine, and your website should not cause any warning notification to visitors. You do not need to follow the subsequent steps.
- If your school website does not show the closed padlock, then the site is not secure, and warning notifications may affect visitors.
- See why there is no padlock on your school website by adding the full web address to a free online service like https://www.whynopadlock.com/ where a full list of security issues will be presented to you.
At this point, you have four options:
- Speak to the website manager or developer to ask that the HTTPS protocol is initiated as soon as possible.
- Try and initiate the HTTPS protocol yourself, if you have access.
- Contact a web specialist to undertake the work for you (Click here to contact our team if you would like us to quote to do the work for you).
- Do nothing. Bury your head in the sand. Put people off visiting your website in the future.
The process of converting a website to HTTPS should not take more than a couple of hours for a competent web specialist, depending on the platform your website relies upon. You will need to ensure that the website is securely certified by an approved body, do a full backup of your site, change all your internal links, check code libraries, update all external links that you can, and create a 301 redirect. Simple. With the recent data revelations, the need to ensure that websites are secure, encrypting information, and backed up in case of violation is even more important.
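The "change all your internal links" and "check code libraries" steps can be checked page by page. The following Python sketch is an added example, not code from this article or from any tool it mentions: it lists the http:// references in a page that would stop the padlock appearing once the site is on HTTPS. The host name school.example, the sample page and the function names are all made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute the browser fetches; http:// here is mixed content on HTTPS.
FETCHED = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
           "video": "src", "source": "src", "embed": "src", "link": "href"}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}  # rel=canonical is not fetched

# Constructed sample page for a hypothetical school site, school.example.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://school.example/css/site.css">
<link rel="canonical" href="http://school.example/">
<script src="https://code.example/lib.min.js"></script>
<script src="http://cdn.example/old-slider.js"></script>
</head><body>
<a href="http://school.example/term-dates">Term dates</a>
<a href="http://other.example/">Partner school</a>
<form action="http://school.example/contact"><input name="email"></form>
</body></html>"""

def is_http(url):
    return urlsplit(url).scheme.lower() == "http"

class HttpReferenceAudit(HTMLParser):
    """Collects the http:// references to fix before switching to HTTPS."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.mixed_content = []   # (tag, url) fetched insecurely by the page
        self.internal_links = []  # http:// links to the site's own pages
        self.insecure_forms = []  # forms that would submit over plain HTTP

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag in FETCHED:
            url = attrs.get(FETCHED[tag], "")
            rels = set(attrs.get("rel", "").lower().split())
            if is_http(url) and (tag != "link" or rels & FETCHED_LINK_RELS):
                self.mixed_content.append((tag, url))
        elif tag == "a" and is_http(attrs.get("href", "")):
            if urlsplit(attrs["href"]).hostname == self.site_host:
                self.internal_links.append(attrs["href"])
        elif tag == "form" and is_http(attrs.get("action", "")):
            self.insecure_forms.append(attrs["action"])

def audit(html, site_host):
    parser = HttpReferenceAudit(site_host)
    parser.feed(html)
    return parser
```

Calling `audit(SAMPLE_PAGE, "school.example")` reports the stylesheet and the old slider script as mixed content, the term-dates link as an internal link to update, and the contact form as submitting over plain HTTP.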