When browsers suddenly see red and SSL encryption becomes a must-have
At the end of April 2017, Google announced that the Chrome browser will soon warn about websites that have no or insufficient SSL encryption. The marking of websites as "insecure" will begin with the upcoming version of Chrome; the release of version 62 is scheduled for the end of October 2017.
The "insecure" marking applies especially to websites that contain forms where users enter and submit their data: contact forms, newsletter registration forms, or login forms. If the transmission is not encrypted, that data is sent in plain text, and anyone who intercepts it can read it.
A website encrypted via SSL / HTTPS protects the data in transit. Users feel secure when using such a website and entering their data, and SSL certificates contribute to the overall security of the web. Another benefit: they increase a website's visibility on Google and other search engines.
A non-encrypted website, on the other hand, can lead to reputational damage and a loss of ranking - HTTPS has been an official Google ranking factor since August 17, 2014. Furthermore, the missing or insufficient encryption increases the risk of receiving warning letters.
What types of certificates are available?
Different types of certificates are available for securing websites:
- Single-domain certificates - valid for one domain only.
- Wildcard certificates - valid for an unlimited number of direct (first-level) subdomains of a domain.
- Multi-domain certificates - valid for a large number of different domains.
The lifespan varies depending on the provider and model. As of March 01, 2018, SSL certificates may only be issued with a lifespan of 27 months. Therefore, we recommend purchasing a certificate with a lifespan of 36 months before that date.
How effective are free certificates – is "Let's Encrypt" an alternative?
Since mid-2016, "Let's Encrypt" has been offering free SSL certificates. Let's Encrypt is a non-profit certificate authority (CA) whose goal is to establish HTTPS as the standard for the World Wide Web. The aim is to enable every website operator to encrypt their website easily and free of charge. To make this possible, Let's Encrypt has created an automated process for issuing SSL certificates. Let's Encrypt certificates are valid for 90 days.
This undoubtedly raises two questions: How good are free certificates compared to paid ones? And is free really free?
An SSL certificate is not automatically less secure just because it is free. Certificates are considered secure regardless of whether they are paid for or free.
The question of whether free is really free can only be answered with a "both yes and no":
On the one hand, the answer is "yes", because the SSL certificate itself is free.
On the other hand, the answer is clearly "no", because obtaining the certificate alone is not enough. There are also costs for implementation and configuration, as well as for the regular renewal of the certificates every 90 days.
Is the use of Let's Encrypt recommended in a business context?
As already explained in the previous section, the free SSL certificates from Let's Encrypt are considered just as secure as paid certificates. Their validity is comparatively short at 90 days - "classic" certificates usually have a validity of 12, 24 or 36 months - but the shorter duration is unproblematic in itself.
The use of Let's Encrypt in a professional environment is recommended, provided that a corresponding technical infrastructure exists which allows fully automated configuration of the systems. MFC has such an infrastructure, which allows us to configure and manage Let's Encrypt certificates automatically with our configuration management tool, Puppet.
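The renewal check that such an automated setup needs, as an added example that is not code from this article or from MFC's Puppet setup: it parses the dates as `openssl x509 -noout -dates` prints them, computes the issued lifetime and the days remaining, and assumes a 30-day renewal window and 825 days for the 27-month issuance cap mentioned above.

```python
"""Renewal and lifetime checks for TLS certificates, based on the
date lines that `openssl x509 -noout -dates` prints."""
from datetime import datetime, timezone

# Constructed sample: a 90-day Let's Encrypt style certificate.
SAMPLE_DATES = """notBefore=Jun  1 12:00:00 2017 GMT
notAfter=Aug 30 12:00:00 2017 GMT
"""

# Assumptions (not stated on the page): renew when fewer than 30 days
# remain, and treat the 27-month issuance cap as 825 days.
RENEW_AT_DAYS = 30
MAX_LIFETIME_DAYS = 825


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # OpenSSL pads single-digit days with an extra space; collapse it.
            stamp = " ".join(value.split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(not_before, not_after):
    """Issued lifetime in whole days."""
    return (not_after - not_before).days


def days_remaining(not_after, now):
    """Days left before expiry; negative once the certificate has expired."""
    return (not_after - now).days


def check_certificate(text, now, renew_at=RENEW_AT_DAYS,
                      max_lifetime=MAX_LIFETIME_DAYS):
    """Summarise whether a certificate must be renewed or was issued too long."""
    not_before, not_after = parse_openssl_dates(text)
    lifetime = lifetime_days(not_before, not_after)
    remaining = days_remaining(not_after, now)
    return {
        "lifetime_days": lifetime,
        "days_remaining": remaining,
        "exceeds_max_lifetime": lifetime > max_lifetime,
        "needs_renewal": remaining < renew_at,
    }
```

A cron job or Puppet run would feed it the real `openssl` output and trigger the ACME client whenever `needs_renewal` is true.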
Why SSL encryption is becoming a must-have
We assume that marking websites as "insecure" is only the first step in penalizing websites without SSL encryption. We expect the other popular browsers to follow and mark unencrypted websites as "insecure" far more noticeably than they already do. A website marked as insecure always gives a dubious impression.
To avoid this labeling and counteract the associated loss of trust, the backend and frontend of a website should be converted to HTTPS – and this is best done before the release of the new Chrome version at the end of October 2017. Whether you rely on paid or free SSL certificates for this does not matter in terms of security for the time being.