marcus.io

Proactive 2018

Caution! This article was published over a year ago, and hasn't been updated since. Situation, software and support of the topic below could have changed in the meantime.

At first, my prediction for 2018 and its consequences for my business was: "you need to be really informed regarding GDPR" - since it has the potential to change both how I run my business, at least regarding customer data. And I felt that I somehow need to know the keyword when being confronted by customers. That's why I scratched my head in public about this topic (and I promise, a second article is on its way!)

But yesterday the Google Chrome Team dropped another bomb:

Chrome will mark all HTTP sites as "Not secure" in July 2018.

They tweeted it close to midnight European time, so at first, my sleepy mind was not aware of all the consequences that could arise out of this. But at the latest when Anselm Hannemann sent out today's issue of WDRL #16 it finally hit me. He summed up my thoughts (rather: gut feeling) in words, stating:

I just imagine all the clients with their small business sites and portfolios desperate about this change. It’s great to see the shift to a more secure web but sometimes I feel like those who decide don’t think enough about the impact of small entities using the Internet as well.

Just like Anselm, I don't doubt the noble intentions. But I also presume many customers will be confused by Google's move. I don't have as many direct and small customers as I had some years ago, but I'm sure that they'll assume a defect with their web page and will contact the guy who built their website some time ago. And I could totally understand! I would behave like this myself in other specialist competences I know close to nothing about.

You could drive this "how would I react" game even further and could start to predict questions that these customers might have. Or you could turn this around and start playing with the idea of sending them a proactive e-mail, announcing these changes and trying to supply solutions. It's not that the SSL topic is totally new to me and I just start to propagate it - in contrary, the last few (direct) projects launched with https. I'm talking about older projects.

Anyway, here's a rough draft (please chime in via twitter if you'd like to add or change something):

Dear XXXXX,

8th of February, Google has announced, starting with July 2018, Chrome will mark all sites/web addresses starting with 'http://' as "not secure". What does this mean? Maybe you know https:// sites from, for example, online shops or banks. Usually, you see a green lock icon right next to the web address bar in your browser. That all sites adapt this https/SSL protocoll is the goal behind this move. This has a couple of advantages:

  • Data submitted on your site, for example in contact forms, will be encrypted. As of now and in http://, such data is submitted unencrypted and in an unsecured way
  • Google not only pushes this topic forward by this Chrome move but also ranks https sites higher in their search results
  • Browser vendors have agreed on putting exciting new web technologies that could improve the experience of your customers behind https://. Maybe you know that you need http:// for the so-called "geolocation" feature (meaning programmatically detecting where the users of the website is from if they agree to it) for some time now. The same is valid for fascinating technologies regarding the offline capabilities of your website. And many technologies more to come. So an investment in https:// is a future investment, regardless of the "July 2018 deadline".

So these are the advantages of using https/SSL. But how do you get there? Luckily, there are services that supply so-called "SSL certificates" (essential for running your site in https://) at no cost, for example, Let's Encrypt.

(This is the moment where I will have checked the customer's hosting situation, if possible and visible to me. Let's assume the exemplary customer is on a web host that still does not supply Let's Encrypt certificates in their smallest web host packages and is eager to sell their own certificates (for example HostEurope)).

Unfortunately, your web hosting company does not work with these services in the sense that installing such a free - but safe - certificate is a matter of one click (because exactly this is the case on other web hosting services). They rather prefer to sell you their own certificates instead. That leaves you some options:

  • Change the web host. I'm aware that this is the most annoying of all options since, most of the time, it is not just the website that needs to move, but also your emails
  • Let's check together if your webhost offers a new product, supplying this free https://. That would also include a move of some kind, but most of the time a less stressful one.
  • Let's contact your webhost together urging them to be a modern company and supply Let's Encrypt certs even for your product line
  • Or, of course, buy one of their "own" certificates. I would advice against this, since it supports a business model on the web hosters side that should have faded the moment services like Let's Encrypt appeared.

In any case, feel free to contact me regarding this topic. Let's act until summer so that your website's visitors will not ever be confronted with some mention of the word "unsafe" regarding your website.

Kind regards,
Marcus Herrmann

I'm totally aware that I did not explain everything technically correct up there. But I'm positive that both you and the exemplary customer will get the gist of it. So what do you think?