Many clients have been in touch wondering what the new means in the latest version of Chrome browser. Once clicked Chrome tells the user that "Your connection to this site is not Secure". For an e-commerce site owner and to shoppers this message, which is meant to be neutral, sounds like a warning.
This is all part of Google's push to get all sites to be running fully encrypted over the next year or so. Chrome browser is now used by 54% of the web over desktop and mobile so Google have all the market share they need to get this done. By default all websites load connections over http. Those who have an SSL certificate in place can run their sites over https and encrypt the data between the browser and the web server. Needless to say e-commerce sites must use encryption when transmitting or receiving Credit card information and ideally, when sending or receiving customers personal information.
In the case of Magento 1x when SSL / https is activated the default behaviour is to only encrypt the customer account section which includes; creating new accounts, loggin in and checkout. However, the whole site can be served over https by setting the base_url to https as well as the secure_base_url. In most cases this works without a problem (occasionally, if you have external scripts eg facebook that are loaded over http it can cause an error but your developer should be able to fix this quickly). In the case of Magento 2 there is only 1 base_url setting.
Beginning January 2017 Chrome (Chrome 56) will flag all http pages that collect passwords or credit cards as non-secure.
We know there are a lot of sites that do not have any encryption at all and rely on their payment gateway to encrypt credit cards leaving customer data un-encrypted. In the near future Chrome will throw a dramatic warning to the user not to proceed.
Currnetly Google claim that 50% of all web traffic is already secure. However, there are many top sites that still run as http only eg bbc.co.uk.
Over the next year Google will push towards 100% encryption and will show a warning on all sites running plain old http like so:
Needless to say this is not the sort of thing you want your customers to see on an e-commerce site.
Inevitably all sites will have to run full encryption on all pages. The good news is that ssl certificates are not expensive. You can either opt for a cheap Domain level validated certificate like the Rapid SSL from GeoTrust (with warranty) or even a free (no warranty) ssl from LetsEncrypt. You can install this for free directly from your Plesk control panel.
If you want to stand out from the crowd you can of course opt for a 'Greenbar' ssl. Often referred to as an Extended Validation or EV certificate.
These list your company name alongside the padlock and show visitors that you have passed through security checks to prove who you are to the certificate provider. While these are a lot more expensive and take longer to issue then a normal SSL certificate, many shop owners are finding this a useful way to show shoppers that they are serious about their security. Dx3webs currently offer Geotrust 'sTrueBusiness ID w/ EV SSL which you can purchase from here.
Historically https ie encrypted traffic has carried a speed penalty as the content literally has to be encrypted and decrypted at each end. Once your site is running full https then it is possible to use the new http/2 protocol. All our server support this. This allows faster connections between the server and the browser.
You can see a practical example of this here: https://www.httpvshttps.com/
If you have any questions about any of the above please contact us firstname.lastname@example.org