(Original Article – 12th December 2016 – updates at end)

Should your website be using SSL?

SSL certificates are fast becoming an essential for ANY website, and these are just some of the reasons why:

  1. Google has revealed plans to show the following “Not Secure” alert in future versions of it’s Chrome browser’s URL bar for all HTTP pages. When it does make this update, do you really want your customers to see the below on your website?
  2. Google is now using HTTPS as a ranking signal – this means that you gain an SEO advantage from moving to HTTPS.
  3. Because SSL gives your website a secure connection, this will prevent malicious third parties from accessing any information given to your business by your website visitors, for example credit card details on a membership or eCommerce site.
  4. Seeing the green lock in the URL bar gives your customer peace of mind and has the potential to drive up your conversion rate.
  5. Google introduced the first phase in January 2017 with the release of Chrome 56, which labelled sHTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature. In these instances you will see this:




In following releases of Chrome, Google will slowly extend the HTTP warnings, as an example, in Incognito mode they will label HTTP pages as “not secure”, as users use this mode when they have higher expectations of privacy.

Steps to making your site more secure

Step 1: Pick a type of SSL certificate

There are three different types of certificates you can get:

      • Domain Validation (DV) – low authentication; gives you a green padlock and the word ‘secure’; SHA-2 and 2048-bit encryption; suitable for non-eCommerce sites & basic brochure sites. No warranty included (depends on where you purchase the certificate).
      • Organisation Validation (OV) – high authentication; gives you a green padlock and the word ‘secure’; SHA-2 and 2048-bit encryption; suitable for eCommerce sites & sites collecting personal info; $100,000 warranty (depends on where you purchase the certificate).
      • Extended Validation (EV) – strengthened authentication; gives you a green padlock and names the certificate’s owner in the address bar; SHA-2 and 2048-bit encryption; provides the best security; suitable for eCommerce sites, sites collecting personal info and where user trust is paramount; $1,000,000 warranty (depends on where you purchase the certificate).

Step 2: Buy SSL certificate

You can buy SSL certificate from many places, but we would recommend buying one from your hosting company (like us!). Most hosting companies already offer them and some will help you set them up. Plus it’s convenient to keep the cert in the place as the hosting as they go hand-in-hand.

Step 3: Install onto your server

If you buy from your hosting company this will be done for you.

Step 4: Setup up your website to start using https:// rather than http://

You will need to update:

      • all your sites URLs
      • internal hyperlinks in your content
      • urls located in theme templates
      • urls located in theme css
      • urls located in theme scripts
      • CDN (Content Delivery Network) if you use this service

This will help you avoid mixed content errors – where some content is using http:// and some https://

Next – there are a couple more things to look into:

      • Social Shares numbers are reset
      • Random plugins may break
      • Update Google Search Console (previous WebMaster Tools)

Step 5: Test your site thoroughly

If you would like CuCo to help with this, feel free to drop us a line and we would be more than happy to help!



Update – 9th May 2017

It’s official! Firefox has now followed suit! As of Firefox 52, you will see a lock icon with red strike-through in the address bar when a login page you’re viewing does not have a secure connection. This is to inform you that if you enter your password it could potentially be stolen by eavesdroppers and attackers.

You will also see a warning message when you click inside a login box to enter a username or password.


If you have any questions about SSL or need assistance with setup please feel free to contact CuCo and a member of our digital team will be more than happy to help.


Update – 19th August 2017

As of Chrome 62, which is released in October, the ‘Not secure’ warning will be shown in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode. This is on top of pages that display forms that have password or credit card fields.


This is how Chrome will show the warning based on the type of browser and page:

Here is how it will look as a user starts filling out a form:

Googles future plans are to to show the “Not secure” warning for all HTTP pages, even outside Incognito mode – but the implimentation is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we’re ready to take the next steps.

Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network.

Update – 26th July 2018

As of Chrome 68 the ‘Not secure’ warning is now shown on any page still using HTTP.

In essence, Google is public shaming websites that still aren’t using HTTPS with this move – with other major browsers sure to follow on their heels shortly. This move will be followed in October 2018 Chrome (70), when they start showing a red “not secure” warning when users enter data on HTTP pages.



If you have any questions about SSL or need assistance with setup please feel free to contact CuCo and a member of our digital team will be more than happy to help.

Update – 1st September 2018

As of Chrome 69 it will focus on highlighting its negative security indicators and will stop marking HTTPS sites as “Secure” on the address bar. This is because Google wants the default state of any website to be secure. It is also looking like that from October, Google will be taking things further – the usually gray “Not Secure” will flash red once you start typing in data into a field such as username or password on HTTP pages to really highlight the warning.

First published on 14 Dec 16 – and further updated in May 2017, August 2017, July 2018 & September 2018.