Mixed drinks are good. Mixed content, not so much.
This month Google released a mixed content mandate. It’s a new and really major change to how websites are displayed in Google’s Chrome Browser – which is now used by 76% of all users on the Web.
In a nutshell, Google will mark your site as NOT SECURE if your site isn’t fully SSL encrypted. This is a big deal for consumers. It will also affect your search rankings, and how end users trust your site.
In the past, secure SSL sites were only used when you logged into your bank account or when you submitted credit card details on an eCommerce site. Why? SSL takes extra processing power.
Instead of just sending the contents of a page through the Internet, the Web server has to scramble everything in a secure way, and then your computer, phone or tablet needs to unscramble the contents before they are displayed. (How this is done is a whole other discussion, but it uses public key / private key encryption and really big prime numbers.) What this really means is that it takes extra computing power to pull this off.
Now, Google wants your entire site to use SSL. They say it’s to prevent your information from being intercepted and to protect against phishing attacks and malware. That’s true. They also say that the extra processing power needed for encryption is minimal with more modern computers and phones. Probably also true.
But the real reason they are doing this?
Sergey Brin, one of the co-founders of Google, grew up in totalitarian Russia. The KGB monitored everything citizens did. When Google found out that the NSA was siphoning Google’s end user information, they were pretty upset.
Google’s SSL mandate is meant to make it more difficult for government agencies to monitor end users. The NSA can likely still get in, but they have to use a lot more processing power to decrypt the information.
So where does that leave us?
It leaves us with mixed content.
Just putting an SSL certificate on your site isn’t enough. You also need to make sure that all of the links, images, CSS, form submissions, iframes and other content on your site are fully secure.
One single image that is hard-coded with HTTP instead of HTTPS will render that entire page non-secure.
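To track those references down, here is a small scanner, added as an example and not part of the original post, that reports every image, stylesheet, script, iframe and form target a page still loads over plain `http://`. The names `find_mixed_content`, `FETCH_ATTRS` and `FETCHED_RELS` and the sample page are made up for this illustration, and the `rel` shortlist is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch from, or submit to, a URL.
# <a href> is navigation, not page content, so it is not listed.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
    "iframe": ("src",), "embed": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "object": ("data",), "link": ("href",),
    "form": ("action",),
}
# <link> only loads something for these rel values (assumed shortlist).
FETCHED_RELS = {"stylesheet", "icon", "preload", "manifest"}

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for each http:// reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rels = set((dict(attrs).get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHED_RELS:
            return  # e.g. rel="canonical" is never fetched
        for name, value in attrs:
            if name not in FETCH_ATTRS.get(tag, ()) or not value:
                continue
            # srcset is "url descriptor, url descriptor"; the rest hold one URL.
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                # Relative and protocol-relative (//host/...) URLs inherit
                # the page's scheme, so only an explicit http: is flagged.
                if urlparse(url).scheme == "http":
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script></head>
<img src="/logo.png" srcset="http://www.example.com/logo@2x.png 2x">
<form action="HTTP://www.example.com/subscribe"></form>"""
```

Run it over the rendered HTML of each page rather than only the template files, since URLs stored in the database show up only in the output. It does not look inside CSS or JavaScript, which can also pull in `http://` resources.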
If you need to change your site to HTTPS, there are a few steps you’ll need to take:
1. Make sure that your hosting plan is set up to work with an SSL certificate. If you’re on a very inexpensive, shared hosting plan, you may need to upgrade your hosting.
2. You’ll need to add an SSL certificate if you don’t have one already. I find it’s easiest if you purchase this through your hosting provider, so they can set this up for you. Otherwise, you’ll need to go through generating a CSR and then installing the certificate onto the server. In many cases, you’ll also need to make sure that the contact information for your domain is up-to-date so that the SSL certificate can be validated by the issuing company.
3. Once an SSL certificate is in place on your site, you’ll need to change all of the links, images and design files to use https://www.your-domain.com.
We recommend doing a full offsite backup of your site first, including the database. Depending on the type of site that you have, you’ll likely need to change design files (e.g. WordPress or Magento), as well as make sure that any links or references in the database are updated.
This is also a good chance to create a milestone in your version control system, such as Git. Not using version control for your source code? You should be. Again, that’s a whole other conversation on how to do that. But if you’re not paranoid about backing up your site and using version control, chances are you’re going to lose some important content.
As far as updating links in a database: I’ve found that one of the easiest ways to update the database is to create a database dump file – this will save it out as a text file. And then you can use a text editor to do a massive find-and-replace.
Depending on the site, you may need to update your .htaccess file (for Apache servers). If you have caching layers, such as Varnish, in place, you may also need to reconfigure and/or restart these services.
For example, if you’re using Apache on a Linux server, you may want to create a rewrite rule that redirects all of your HTTP links and URLs to secure HTTPS URLs.
Need help making sure your site is secure? Connect with us today via email or give us a call at 303-473-4400! We’re here to help.
About Jeff Finkelstein
Jeff Finkelstein is the founder of Boulder, Colorado based Customer Paradigm, an interactive marketing firm that helps clients achieve their goals through Search Engine Optimization, eCommerce, Web Design and various other marketing strategies. An expert on Internet Privacy and Web Marketing, Jeff evangelizes the customer experience and helps businesses design sequenced interactions that lead to loyal, delighted customers.