While Google  already blocks some types of “mixed content” on the web and makes it difficult to view non SSL websites it has now announced that from early 2020, Chrome (and other browsers will follow that example so they don’t appear “insecure” ) will block all mixed content by default, breaking some existing web pages. Which makes the information below on why all websites need to have a valid SSL certficate below even more pertinent.

What is mixed content

Mixed content is confusing. If you are viewing a web page that’s both secure and not secure. For example, a usually safe and secure web page via https but the web page is getting a JavaScript file via HTTP then it is possible that the script could be modified—for instance, if you’re on a public Wi-Fi network that isn’t secured—to insert malicious code into the  web page that could monitoring your keystrokes etc.

Google announced in September on it security blog that if your website is not using HTTPS/SSL when they implement their latest changes  in 2017, your website credibility and search engine rankings may be affected. Chrome- Googles web browser  has already begun to mark non-secure pages containing certain input fields as Not Secure in the URL bar as you can see below. 

At the moment this only appears on non-SSL pages that ask for a password or credit card information and  it’s not too noticeable. But Google  has confirmed that in the near future, this warning will appear on ALL pages served over HTTP vs. HTTPS and it will be in RED and look like this NOT SECURE- not exactly the sort of thing that will instill confidence in your website!!

There is already a lot of research which shows that Google is already using  HTTPS as a ranking factor…SSL DOES Correlate with Higher Rankings!!

Websites need to convert from HTTP to HTTPS to Avoid the ‘Not Secure’ Warning and feel confident with a Secure green padlock

Another reason why you should convert your website to HTTPS/SSL is that its safer for your visitors

HTTPS and SSL prevent man-in-the-middle attacks.

When an SSL certificate is installed on a web server, it operates as a padlock and acts as a secure connection between the web server and browser. An SSL certificate binds together your domain name (or server or hostname), company name and location. While how an SSL certificate works goes into more details–involving a public key and a private key–what you need to know here is this: Even if a hacker manages to intercept your data, he won’t have the private key to decrypt it. Basically HTTPS and SLL adds extra layers of protection.

So what do website owners need to do

The first step would be to contact their webhost and purchase and  install a Secure Socket Layer certificate (SSL)  to ensure that data between your web server and browser remains private and secure and they are not penalise by Google’s SSL update.

Phishing or spoof emails attempt to trick you into clicking on links which will redirect you to a website and ask you to confirm or update personal information such as credit card details, account numbers, or other information the scam company may already have. They may have some of your personal details correct from a completely different source such as domain registration which may add to their credibility.

Phishing emails generally try to look like the legitimate provider’s email but when you look carefully the  From and reply to address is not the legitimate providers email address. Often the grammar and spelling is incorrect or very poor and the layout slightly or very inconsistent with the real emails.

Another extremely common scam email that many domain owners becomes target for is where scam emails and fake letter invoices are sent which look like domain registration renewals but are nothing but a scam!! They don’t come from your domain registrar and don’t even look like they do but they do look legitimate. These types of scam are one of the many reasons to have a good relationship with your registrar so that you can easily query invoices or emails. These scams emails and letter offer a genuine sounding but non-existent product or service such as “Traffic Generator” or “Google VIP Support”. An example is below.

1. Don’t use weak passwords

The traditional advice for strong passwords is to  “use a long, random collection of numbers, upper- and lower-case letters and wacky characters”.

A strong password:

• Is at least eight characters long.

• Does not contain your user name, real name, or company name.

• Does not contain a complete word.

• Is significantly different from previous passwords.

• Contains upper and lower case letters, number and non alpha numeric characters such as #$%^*

So don’t use personal information, an animal, sports team, business name, nickname, quotation, family member, phrase, collections of related words or pet names; avoid dictionary words; and don’t expect to fool anyone by using common missspelllings, $ubst1tuti0ns or by adding numbers53 on the end.

Microsoft has this tip “Relate your password to a favorite hobby or sport. For example, I love to play badminton could becomeILuv2PlayB@dm1nt()n.”

2. Keep your password secure (in others don’t share it or write it down)

Don’t leave notes with your passwords to various sites on your computer or desk. I”ve lost track of the post it notes I’ve seen with passwords left posted on computers 🙁 And passwords in emails are especially vulnerable- think about it if a hacker gets access to your email account they will be able to see your passwords to any accounts that you have received or sent via email.

And don’t share it – a shared a password, is not a  declaration of true love lol it is a security risk 🙂

If you share a password, you lose control of it because you don’t know who else the person you shared your password with shared it with, who they emailed it to or where they wrote it down.

3. Don’t reuse passwords

A study in 2007 found that the majority of people reused passwords 🙁 They found that the typical user needed about 25  passwords but only had about six.

That’s a problem because it rewards anyone who steals one of your passwords with the key to a number of other sites as well, making the damage far worse.

Consider this example,  in 2014 approximately 5 million Gmail account names and passwords were uploaded to a Russian forum- if the majority of these million or even 20% used the same password for their email as they did their bank accounts then thats alot bank account access right there!!

Also with this uploaded data website hosting giant WordPress searched its own user database for the stolen credentials and found 700,000 matching email addresses and 100,000 matching email and password combinations.

In this example with WordPress.com  for each email account that was compromised they also had a 1 in 14 chance of successfully compromising a WordPress account too.

If your password is stolen in a data breach then you should expect that the crooks will try it out on Facebook, Twitter, WordPress and any other websites they think you might be using too.

There you go – if you follow these simple tips your on your way to reducing one way the hackers can get access to your accounts!!