As with everything “internet”, there are constant changes, updates, and better ways to do whatever you want to do online. It’s a never-ending sea of change.
In my recent research to bring you into compliance, or at least increase your understanding of what compliance means when the GDPR takes effect next week, I opened several cans containing more than just worms.
One thing is for sure: the world is more and more concerned with how its data is being used! Privacy is the “issue of the day” for everything from signing up for an email list to posting on Facebook. Now, with the new regulations from the GDPR, the public demand for a secure online experience is growing.
With this intensifying emphasis on privacy, I want to re-visit the idea of HTTPS. As Google states, “HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site.”
Get on this bandwagon asap
It is quickly becoming the “standard operating procedure” for proof that your site is safe. Look in the footer I have on this page and you will see my security certificate from GoDaddy.
If you are using Wix – my recommended website builder – you have the SSL certificate built in and your URL will have the HTTPS protocols. You can skip the rest of this post today! (However, I can’t vouch for any other site builders, so go check your URL while I wait.)
So what’s your situation? If your URL is the plain wrapper, HTTP (no S at the end) then you saw one of the two pics below. KEEP READING!
Why you need to take the extra step
This is my jewelry website:
You probably have the above warning if you don’t have the certificate.
However, Google and other browsers are going to label you as “Not Secure” eventually. You don’t want this:
Essentially, you are on borrowed time. Eventually, all sites will have a more aggressive red warning!
In both cases, the visitor to the site needs to click on the icon/flag to see the information in the drop down, but example #2 is pretty RED, yes? Do you want a big red flag and the words “Not Secure” to be associated with your site?
Who really needs it?
For the sake of appearance, everyone needs this. Some of you might have a shopping cart that (eventually) shows the secure URL, but only on the page where someone starts to give their personal data to you. That is not enough nowadays. Every page should be served under HTTPS, not just the checkout page.
For many reading this, the first thing that shows up when someone lands on your site might send them clicking away instantly!
I know some of you are thinking that because you don’t have a shopping cart (and why is that, exactly?) or you don’t take any information from anyone who visits your site (again…why would that be true if you are trying to be a “business”?) that you shouldn’t be “forced” to get this upgrade. Well, no one is forcing you. There are no fines if you don’t do this. But surely you want to look (and appear as) safe to your visitors, right?
We are forced into all kinds of situations as businesses. So go ahead and roll your eyes. Then go fix your site.
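Here is a small site-wide checker for the point above (every page, not just the checkout page, must end up on https:// and must not pull in http:// images, scripts or form targets). It is an added example, not the author's or any host's tool; the host name and pages in FAKE_SITE are constructed so the demo runs offline, and fetch_page is the real fetcher you would pass your own URLs through.

```python
import re
import ssl
import urllib.request

# http:// subresources or form targets on an https:// page are "mixed content"
# (browsers block or warn); plain <a href> links are not, so match src/action/url().
MIXED_RE = re.compile(r'''(?:\b(?:src|action)\s*=\s*["']|url\(\s*["']?)http://''', re.I)

def fetch_page(url, timeout=10):
    """Real fetcher: follows redirects, verifies the certificate chain.
    Returns (final_url, body_prefix)."""
    req = urllib.request.Request(url, headers={"User-Agent": "https-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return resp.geturl(), resp.read(200_000).decode("utf-8", "replace")

def check_page(final_url, body):
    """Findings for one page; an empty list means the page is fine."""
    findings = []
    if not final_url.lower().startswith("https://"):
        findings.append("served over plain HTTP (no redirect to https://)")
    if MIXED_RE.search(body):
        findings.append("mixed content: loads http:// subresources")
    return findings

def check_site(urls, fetch=fetch_page):
    """Check every page, not just the checkout page. Returns {url: [findings]}."""
    report = {}
    for url in urls:
        try:
            report[url] = check_page(*fetch(url))
        except Exception as exc:  # TLS, DNS or timeout errors count as not ready
            report[url] = [f"fetch failed: {exc}"]
    return report

def site_ready(report):
    return all(not findings for findings in report.values())

# Constructed sample site (hypothetical host, not a real one): the home page
# never redirects, the gallery loads an http:// image, only checkout is clean.
# Used as fetch=FAKE_SITE.__getitem__ so the demo runs offline.
FAKE_SITE = {
    "http://shop.example.invalid/": ("http://shop.example.invalid/", "<p>Home</p>"),
    "http://shop.example.invalid/gallery": ("https://shop.example.invalid/gallery",
                                            '<img src="http://cdn.example.invalid/ring.jpg">'),
    "http://shop.example.invalid/checkout": ("https://shop.example.invalid/checkout",
                                             '<form action="https://shop.example.invalid/pay">'),
}
```

Run `check_site(FAKE_SITE, FAKE_SITE.__getitem__)` for the offline demo, or `check_site(["http://yoursite/", ...])` against a live site; a site is ready only when `site_ready()` is true for every page you care about.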
Free or cheap is available
If you are truly using your site only to blog or as a portfolio only, then find a free certificate. Google it. But be careful. And if you aren’t very savvy about coding and other “stuff” then consider contacting whoever hosts your site and getting them to help you.
My jewelry website is strictly a portfolio. I have never sold online and I take NO data (beyond some cookies). The thought of any extra costs is just out of the question. Eventually, I will “fix” the issue and maybe I will get a “free” certificate. If I do and if I have the time, I will try to share the process.
But for this site, where I have people leaving personal data like joining my list, using the search engine or adding comments (thanks for that!), I needed to be on top of this security certificate because I trade in trust as much as anything else. I got it up and running some time back. It’s easy. I promise.
In my case, I went to my host, GoDaddy. I chose to keep it simple – plus they are there to call 24/7 if I got confused or broke something. It’s sixteen cents-a-day – around $60 a year. I sleep well knowing I have an officially accepted SSL and a badge to prove it.
For anyone who wants something cheaper, I saw cheaper examples. Google it…but be careful. I can’t give recommendations since I have not used any other products. Do your due diligence.
One noteworthy issue to understand: you are essentially moving (migrating) your website to a new server. Your site will need to be “found” on the internet again. As another benefit, after the dust settles, it is nice to know that Google will rate a secure site higher in searches than a non-secure site.
If all of this has you throwing your hands into the air and cursing the “internets”, and you just want a hand to hold, connect with me anytime for a quick chat about your website and let’s brainstorm your issues. Include your website address in your email to me.
Overall, this article is scraping the very tip of a big iceberg, but HTTPS upgrading has been on my mind for quite some time. The GDPR just put it front and center. You need to put it front and center.
Meanwhile, put any questions you have in the comments. Or take a moment to let me know you read this rather important article. I love knowing that I am helping. Your comments are my only support.
Good article! We’ve been banging this drum at FASO for over two years and have been offering Free SSL on all sites for nearly three years. Here’s our original article: https://clintavo.com/blog/104547
Anyone can get a free SSL certificate from Let’s Encrypt – although it’s a bit technical to do so. But the point is you don’t actually have to pay anything if your platform can assist with Let’s Encrypt integration.
One other thing readers need to be aware of. The deadline for this is much closer than people realize. You said, “Eventually, all sites will have a more aggressive red warning!”
The next step to the aggressive red warning is July 2018 – so we’re talking about six weeks and Chrome will start marking non-SSL sites very clearly as “non-secure” as Google announced here: https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
At BoldBrush/FASO, if it’s helpful, we built a tool to help you check if your site is ready:
https://my.faso.com/boldbrush/tools/ssl-checker/
Thanks!
Free is good. Another benefit for your clients since you would just do all the set-up for them, Clint. And I saw a few companies offering free, but the “how-to” instructions made my head spin. And my platform, WordPress, is always tricky. So I was willing to spend. I opt for free/cheap when I need to learn a skill that I will use over and over again, but a single task is usually not worth my “time” to learn. Time is as valuable to me as money.
But as you say, free works “if your platform can assist”. Most reading this won’t know what “platform” means, so am just hoping that they will get it done in whatever is the easiest manner possible. If they want free, but still have to pay someone to do the conversion, then it’s not free.
The bigger priority for many is the GDPR next Friday which includes getting a privacy notice hooked up and a cookies alert! Then the SSL/TLS certificate (converting to httpS) should be easy! Oh, the joys of being a 21st-century business!
Understood.
Here’s an article that explains how to use Let’s Encrypt with wordpress: https://mythemeshop.com/blog/lets-encrypt-free-ssl/
Or, if you use Pressable (they’re a local firm I know who specializes in managed wordpress hosting) they handle it for free: https://pressable.com/
Yes, everybody is in a tizzy about the GDPR although I, personally, think most (non large company) people are getting a bit too worked up over it. There are a ton of questions around it, who it really applies to, how it’s enforced…especially for people with no EU nexus, what constitutes targeting EU customers, what constitutes consent/contract etc. These things will get resolved over the years, probably when some EU agency goes to court with an entity like Facebook. Updating privacy policy and being compliant is good of course, not saying not to do that, but I think it’s worth taking a bit more time to do it right if needed. Of course, I am not a lawyer.
Personally, I think for most people https is actually the bigger more pressing issue – let’s face it, even NOW browsers show questionable icons on http and a nice big green lock on https.
The biggest problem we’ve faced with https and artists is, frankly, it’s just a very technical and boring subject and nobody really understands why we keep pressing them to upgrade. We’ll probably auto-upgrade everyone we can who still hasn’t done it, but there are some cases where we can’t do that. But when their browsers turn red and they contact support – we’re ready!
The blog you link is almost a year old, so by my general standards of advice, I won’t “highly” recommend it to my readers, but appreciate your helpful tips, Clint. In a glance, it seems like valid information.
We can agree to disagree regarding the GDPR. Just in the same way that the RED warning will become alarming, not having a Cookies alert or privacy notices on sign-up forms or websites will have the same effect eventually. Anyone who ignores the GDPR in their online sites and marketing practices will begin to look untrustworthy at best and just plain sleazy at worst.
This is especially true as more and more websites comply – after all, we all have EU visitors to our sites! Over time, the lack of compliance will become noticed. Missing privacy policies will begin to stick out like a RED flag, too.
With nearly 8 Billion spent so far, US businesses are respecting the GDPR. Most in the industry expect it to be adopted and become law here, too. Perhaps an upgraded 2003 CAN-SPAM Act to include web activities or just a new set of rules that align with GDPR. It’s inevitable. It’s a very good set of regulations.
And of course, as you know, it’s not about “targeting” EU customers. In fact, the words “targeting” and “customer” don’t need to apply and no money needs to be involved. Someone from the EEA/EU just needs to land on your site.
It’s about transparency. And from my point of view: it’s way overdue! If you haven’t read my previous two-part post about the GDPR, you might take a moment to do that. Some of what this will fix brings best practices into the light of day. It’s things that ALL marketers should be doing anyway.
I have been railing against spammy practices in the “lead magnet” marketing world for over two years. Someone out there just might file a complaint – you never know. A competitor, or just a high-strung regulations freak? I don’t want to take any chances. The people who point out spelling errors on Facebook are to be feared, right? LOL.
I will concede this: Both issues, the GDPR and the SSL/TLS certificates, need attention. That is why I took time to research and write on both subjects. Just like you, I want everyone to be successful and both of these issues will put people on a better path to becoming more trusted which is integral to success.
Let me clarify – (I thought I had) – I am not saying not to update your privacy policy – just saying I don’t think the EU authorities are waiting with bated breath to come down on every blogger and artist in the US, deal with trying to enforce the issue, etc. on May 25th. I’m saying doing it right is more important than doing it fast.
I must be misunderstanding some of it though, I had read on an official (I thought) site those words about targeting.
From:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
That page says in part:
When the regulation does not apply
Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
I do think the ideas are good and the USA will do something similar at some point, so compliance is certainly a good idea, but I did think that intent and targeting made a difference.