
“Why does my Chrome browser say ‘Not Secure’ for most websites now, including mine?” That’s the question I started hearing last year (2017) from all sorts of site owners and web surfers. This is Google’s fault. They decided in 2014 that, to increase security for the entire World Wide Web (more encryption of the data sent across it), they would rank sites higher in search engine results if they had the “https” designation, which indicates the use of encryption using SSL (Secure Sockets Layer). We’d been seeing that “https” thing all along when we purchased things through websites. It was originally a tool to ensure privacy/security for your payment information.
Great idea for that purpose, but Google decided we should all use encryption for transmitting anything to/from our sites, so now they punish you in search engine results if you don’t have an SSL certificate from your web host or someone else.
When I first looked into this, I noticed that web hosts tended to front the paid version of this feature (it adds an annual cost to your web host subscription). Since the SSL certificate is specific to a website domain name, if you have more than one site, like I do, it can get expensive (about $40 per year per site on my web host at the time, HostGator).
But, ah-ha! A free version exists! After I started migrating my sites to SiteGround (my nice new web host), I found a more visible notation for Let’s Encrypt at my new web host and realized I had another option.
Free always has catches, though, so here’s the deal (according to an article at DreamHost, another web-hosting service):
Let’s Encrypt uses domain validation (DV) certificates. They don’t support something called organizational validation (OV) certificates. OK, but should we care? There is no difference in the encryption protection between DV and OV certificates. The difference is that a DV certificate only secures the connection to the website; it says nothing about who runs the site. Anyone with administrative login to the site can add a Let’s Encrypt certificate. An OV certificate actually validates information about the person purchasing the certificate (name and physical location), and the person has to respond to a verification email. You can see the steps for getting an OV certificate over at DreamHost. Other web hosts also have purchasing options to upgrade your SSL security.
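If you're comfortable with a little Python, you can see the DV/OV difference in the certificate itself. This is an added example, not code from the DreamHost article or any web host: the function names and the two sample certificates are made up for illustration, and the samples use the dictionary format that Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl

def flatten(cert, key):
    """Turn the nested name tuples from ssl.getpeercert() into a flat dict."""
    return {name: value for rdn in cert.get(key, ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic for publicly trusted certificates: a DV subject carries no
    organizationName, while an OV subject names the validated organization."""
    return "OV" if flatten(cert, "subject").get("organizationName") else "DV"

def describe(cert):
    """Summarize what the certificate actually vouches for."""
    subject, issuer = flatten(cert, "subject"), flatten(cert, "issuer")
    return {
        "level": validation_level(cert),
        "domains": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "organization": subject.get("organizationName"),
        "location": subject.get("localityName"),
        "issued_by": issuer.get("organizationName"),
    }

def fetch_cert(host, port=443, timeout=5):
    """Fetch and verify a live site's certificate (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples (not real certificates), shaped like getpeercert() output.
DV_SAMPLE = {
    "subject": ((("commonName", "blog.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),), (("commonName", "R1"),)),
    "subjectAltName": (("DNS", "blog.example"), ("DNS", "www.blog.example")),
}
OV_SAMPLE = {
    "subject": ((("countryName", "US"),), (("localityName", "Springfield"),),
                (("organizationName", "Example Widgets LLC"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example Paid CA"),), (("commonName", "OV CA 1"),)),
    "subjectAltName": (("DNS", "shop.example"),),
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE):
        print(describe(sample))
    # For a live site: print(describe(fetch_cert("your-domain-here")))
```

The DV sample lists only domain names, while the OV sample also carries the organization's name and location, which is the extra information the certificate authority checked.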
So, my question was, do I need this extra OV certificate thingy? Answer: probably not. Unless you are processing credit cards directly or transmitting some kind of confidential/sensitive information, the free Let’s Encrypt certificate should be all you need. You certainly don’t need to pay for SSL (just get it through Let’s Encrypt to make Google happy) if you are just blogging and not selling anything from your site. If you are linking directly to big commercial sites like Amazon.com, they will take care of purchasing security over there. If you do sell stuff but the payment is handled by an entity (called a “payment gateway”) like PayPal or Stripe or Square, then they will take care of security for purchasing.
Bottom line is, take a look at what your web host offers for SSL, and if you don’t see Let’s Encrypt as an option upfront, check the cPanel features (if you know how to work your site from there), or ask your web host for a free option, or ask your website designer (who should be able to take care of this for you). This way, you’ll get your https without an extra cost you don’t need.