1-206-338-7375 PSALA@AMINC.org

Google SSL Shaming and the “Not Secure” Message to be Shown in Website Browsers

by | Sep 25, 2017 | Featured, Hot Topics | 0 comments

By Jeff Lantz, Esquire Interactive LLC

Beginning in October, 2017, Google Chrome Will Show a “Not Secure” Message in Websites that Do Not Have SSL Security and Where Users Can Enter Text (Such as a Contact Form) – What You Need to Know and Do

An implicit aspect of law firm representation is the security, trust, and confidence that clients can expect when retaining an attorney.  Through current and upcoming changes in Google Chrome, law firms will need to make changes to their website or risk undermining this security, trust, and confidence.

Google Chrome Security Warnings

Several years ago, Google announced that it wanted the web to be more secure by encouraging website owners to implement SSL (secure sockets layer) security to safeguard the transmission of information between website users and servers.  (When SSL is installed, the address bar changes to “https”, a lock is shown, and the word “Secure” is displayed.) 

As part of this effort, Google announced that websites with SSL may receive a very slight boost in search engine rankings in a very tiny percentage of cases.  Because this “boost” was not meaningful, most website owners chose not to implement SSL security unless it was otherwise needed (such as if credit card transactions were to be undertaken).

Subsequently, Google began a subtle form of “SSL shaming” website owners by placing a small “i” information icon in the address bars of websites opened in Google Chrome.  This caused non-SSL website address bars to look like this (the red circle has been added):

Google Chrome information bar with red circle non-SSL icon

If your firm’s website does not have SSL security, it will look like this when opened in Chrome.  When the “i” icon is clicked, a message will be displayed reading “Your connection to this site is not secure.”  

While not exactly the type of message that law firms want to send to clients, it’s possible that these icons are rarely clicked, since they are shown in the address bars of most websites. Mozillla Firefox and other browsers soon followed suit and similarly adopted “i” icons and security warnings.

Google Announces that Starting in October, it Will Increase SSL Shaming By Showing a “Not Secure” Message in Websites that Do Not Use SSL and Where Users Can Enter Text (Such as a Contact Form)

If your firm has a Google Search Console (formerly called “Webmaster Tools”) account, you’ve likely received a message from Google advising that starting in October, Google Chrome will be adding an explicit “Not Secure” message to the address bar if your website has pages where users can enter text (like a contact form) and if your website does not use SSL security.  The address bar for your firm’s website would thus look something like this when opened in Google Chrome:

Google Chrome information bar saying Not secure

Now, website visitors andpotential clients can’t avoid seeing the “Not secure” message.  How will they react – should they avoid sending a contact form?  What is their impression of your firm and how it will handle their confidential information?

Switching to SSL Security – Fortunately, It’s Not That Hard or Expensive

Integrating an SSL certificate into your firm’s website can be done fairly quickly.  SSL certificates can be purchased through a third-party vendor and installed on the server where your website is hosted, or a firm can make use of a shared SSL certificate.  Two popular options are discussed next.

SSL Option # 1 – Using Cloudflare

The solution that I like best is the free Full SSL Certificate through Cloudflare (www.cloudflare.com).  In addition to the SSL security, this solution also allows a firm to take advantage of Cloudflare’s free content distribution network (CDN) functionality.  (CDNs provide faster loading speed as well as another level of security, and are use by all major websites – like Netlix, Google, Amazon, etc.  For more information, click here.)

Cloudflare’s Full SSL certificate provides encrypted security between the website hosting server, Cloudflare’s CDN servers, and end users, and results in websites showing https://, the green lock, and the Secure message in the address bar. The address bar for a firm’s website will then look like this in Google Chrome:

Google Chrome secure website icon

What Needs to be Done to Implement the Cloudflare Full SSL and CDN Solution?

To utilize Cloudflare’s solution, the following steps will need to be done:

  • Create an account for your website in Cloudflare
  • Change the nameserver records on your registrar to Cloudflare (note – you will still use your current domain registrar – like GoDaddy – for domain registration and renewal)
  • Set up the CDN with Cloudflare – this can be done with one button click
  • Install the SSL with your website and test the pages to make sure that https://, the green lock, and the “Secure” message are all showing in the address bar for all pages. This last step can be tricky, so it should be done by a developer or someone familiar with installing SSL certificates.

For most law firm websites, this process will likely require about 2-3 hours of a developer’s time, assuming that there are not any complications and that the website does not have dozens or hundreds of pages that need to be checked.

SSL Option #2 – Purchase an SSL Certificate from an SSL Seller or Reseller

Alternatively, a firm could purchase a dedicated SSL certificate and install such certificate on its own website.  Dedicated certificates generally start around $10/year and range to well over $100/year depending upon the type of certificate purchased (such as if a firm wants its name to appear in the address bar by the lock).  If a firm is only interested in having https://, a green lock, and the secure message, the less expensive SSL certificates will work fine.

In my experience, installing a dedicated SSL certificate usually takes a little longer than the Cloudflare option, as different hosting servers and certificates all have slightly different requirements and processes. Nonetheless, having a Cloudflare or a dedicated SSL certificate will provide the same result – having that nice, warm “Secure” message in the address bar for website visitors and prospective clients.

Jeff Lantz

Jeff Lantz is an attorney and the CEO of Esquire Interactive LLC (www.EsquireInteractive.com), a leading provider of website development, branding, Internet marketing, video, and social media services for attorneys and law firms.  He is also the author of the ABA book Internet Branding for Lawyers: Creating The Client-Centered Website, and the book The Essential Attorney Handbook for Internet Marketing, Search Engine Optimization, and Website Development Management.

Accessibility by WAH