GoDaddy Using Google’s Change to Label Non-HTTPS Websites as “Not Secure” in Chrome To Sell Overpriced SSL Certificates

Yesterday we discussed someone’s belief that their website would be useless in its current form due to a company’s blog post about Google making a change to their Chrome web browser to label non-HTTPS websites as “not secure”. Unrelated to that, yesterday we got sent an email from GoDaddy touting purchasing SSL certificates from them to avoid websites being labeled that way by Chrome. Two things stood out with that. The first is that GoDaddy charges much more than you need to be paying for an SSL certificate, which will in part prevent a website from being labeled as “not secure”. The second is that GoDaddy doesn’t seem to really understand what they are talking about when it comes to HTTPS. That latter fact isn’t all that surprising considering GoDaddy’s poor security track record.

The subject of the email was “Your customers need SSL on their sites ASAP.”.

On the page linked to from the email, the introductory price for their lowest-end SSL certificate, which would be the level you need to avoid the “not secure” label, is 60 dollars if you pay for two years upfront, and after that it is 75 dollars:

With other providers you can pay a fraction of that price. It also looks like that used to be true with GoDaddy as well, as they have apparently significantly increased the prices they charge for SSL certificates over the years despite nothing that would have increased their costs.

Using Let’s Encrypt you can even get a free SSL certificate, and there are plenty of web hosting providers that have the capability integrated into their control panels to allow setting those up. It’s worth noting that GoDaddy’s security company has been a major sponsor or donor to Let’s Encrypt, which seems like a tacit endorsement of Let’s Encrypt.

That GoDaddy is overcharging for SSL certificates instead of being like other hosting providers and offering free SSL certificates seems worse to us when reading one of the three testimonials they chose to show on that page that touts them providing an affordable solution:

I received a call from product support to let me know Google was getting more rigid about “secure sites”. We were able to make the upgrades that I could afford, and make my site more mobile accessible AND secure.

Another testimonial seems more insidious since it gives the impression that GoDaddy is providing cheaper certificates than others instead of more expensive ones:

I’ve set up SSL certificates from various companies but will never use anyone but GoDaddy every again. It’s easy to set up, great support and at a fraction of the price it’s great all around!

That is a great example of why testimonials are not a great source of information, because that one allows GoDaddy to make it seem like they are providing a more reasonably priced product without having to lie. If they really were providing cheaper certificates they would have been able to present evidence to back that up.

Misleading Marketing

The email made the following claim:

SSL is not only the right thing to do for your customers, it’s also great for boosting their search rankings and getting more traffic to their sites.

No link was provided that backed up that claim. On the page to purchase an SSL certificate, the claim is made repeatedly in regards to Google search results, but again no evidence is provided.

Based on what Google has said, it doesn’t sound like using HTTPS has much impact. Here is, in part, what Google said when they disclosed that usage was a ranking factor:

We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

As far as we are aware they haven’t announced strengthening it and they seem to be using changes to Chrome to increase usage of HTTPS.

In another instance, a Google employee explained the impact as follows:

If you’re in a competitive niche, then it can give you an edge from Google’s point of view. With the HTTPS ranking boost, it acts more like a tiebreaker. For example, if all quality signals are equal for two results, then the one that is on HTTPS would get … or may get … the extra boost that is needed to trump the other result.

Importantly, if both websites were using HTTPS, the ranking boost for either one would be nullified.

Being misleading about that seems of less importance than what is on a page they created just to promote buying their SSL certificates due to the change to Chrome.

There they claim that “A Not Secure label on your website can devastate your business.”:

No evidence is presented for that despite it being a serious claim.

What seems like a clear indication that they are interested in selling something, rather than in informing people about what is happening, is another part of that page, which states that using HTTPS “shows visitors they’re safe with the little green lock in their address bar”:

The next HTTPS related change in Chrome, occurring in September, involves it downgrading what is shown for HTTPS pages:

Do They Know What an SSL Certificate Even Is?

Going back to the page for selling SSL certificates, there is what is supposed to be an explanation of how an HTTPS connection works, but it seems to have been written by someone who isn’t familiar with it at all:

It isn’t the case that an SSL certificate “automatically creates a secure, encrypted connection with their browser”; instead, the SSL certificate is just used to validate that a secure connection is being made with the intended website instead of with another party.

Among the other issues with that is that the level of encryption is determined by the server and the web browser, not the SSL certificate.
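
The distinction in the two paragraphs above can be checked directly. The following is an added example, not from GoDaddy's page or the original post: one server certificate is used for two handshakes that end up with different cipher strengths, and a third client that trusts a different certificate refuses the connection. It assumes the OpenSSL 1.1.1+ command-line tool is on PATH; the function names and the throwaway `localhost` certificates are constructed for illustration.

```python
import contextlib, hashlib, os, ssl, subprocess, tempfile

def make_cert(workdir, name):
    """Create a throwaway self-signed certificate for 'localhost' (constructed test data)."""
    crt, key = (os.path.join(workdir, name + ext) for ext in (".crt", ".key"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def client_context(trusted_crt, suite):
    """A browser stand-in: trusts one certificate and offers exactly one TLS 1.2 suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname by default
    ctx.load_verify_locations(trusted_crt)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # set_ciphers() only governs TLS <= 1.2
    ctx.set_ciphers(suite)
    return ctx

def handshake(server_ctx, client_ctx):
    """In-memory handshake; return (cert SHA-256, suite, secret bits) seen by the client."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = {client, server}
    for _ in range(10):  # a TLS 1.2 handshake needs only a few passes
        for side, out, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
            if side in pending:
                with contextlib.suppress(ssl.SSLWantReadError):  # still awaiting the peer
                    side.do_handshake()
                    pending.discard(side)
            if data := out.read():
                peer_in.write(data)
        if not pending:
            der = client.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), client.cipher()[0], client.cipher()[2]
    raise RuntimeError("handshake did not complete")

def demo():
    """Return ([result per cipher suite], wrong_cert_rejected) for one server certificate."""
    suites = ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384")
    with tempfile.TemporaryDirectory() as d:
        (site_crt, site_key), (other_crt, _) = make_cert(d, "site"), make_cert(d, "other")
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(site_crt, site_key)
        results = [handshake(server_ctx, client_context(site_crt, s)) for s in suites]
        try:  # same server and suite, but this client trusts a different certificate
            handshake(server_ctx, client_context(other_crt, suites[0]))
        except ssl.SSLCertVerificationError:
            return results, True
        return results, False
```

Calling `demo()` returns the same certificate fingerprint for both connections, once with a 128-bit suite and once with a 256-bit suite, plus a flag showing that the client trusting a different certificate rejected the server.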

GoDaddy might be able to justify a higher price for an SSL certificate if good customer service was provided, but considering how off the marketing material is, it is hard to believe that their customer service would be well informed about them.

Atlantic BT’s Scare Tactics Lead to Belief That Google Is Rendering Non-HTTPS Websites Useless by Labeling Them “Not Secure”

One of the problems we have found in dealing with security over the years is that you have a lot of people managing websites that believe they have a much better understanding of things than they do. Security companies make this situation worse by spreading misleading and outright false information to market their products and services.

One area where we frequently see issues, not just when it comes to security, but more generally as well, is people managing websites believing that upgrading software on a website will resolve some issue they are having. What seems like it should give them some pause, but apparently doesn’t, is that they don’t themselves even have the capability to handle the upgrade, but believe they know what the impact of that would be.

What we have found repeatedly in that situation is that they will contact someone like us about having an upgrade done and not mention that their reason for getting the upgrade is the assumption that it will resolve that issue. In some cases they only bring it up after the upgrade has been fully completed and the issue still exists.

Due to the increasing frequency with which we run into this type of situation, we recently changed how we do things, so now in the contact form for upgrade services we specifically ask why there is interest in having an upgrade done.

A recent example of that showed why that is important and brought to our attention misleading claims from a company named Atlantic BT about the changing handling of non-HTTPS websites in Google’s Chrome web browser.

The reason given that this person was interested in having a fairly significant upgrade done was that their website was going to be “useless” in a few weeks due to a new Google security regulation. We really didn’t know what they were talking about, and for good reason: it turned out the reality was very different.

What is happening is that in July, with the release of Chrome 68, Google will start labeling non-HTTPS web pages as “not secure”. Here are the before and after according to Google:

That wouldn’t make a website useless, though it might make an eCommerce website, like the one we were contacted about, less appealing.

What was more important was that upgrading the software on the website wouldn’t have an impact on that, since HTTPS is handled by the server, not the software running on the website. As long as the software on the website allows you to configure things so that addresses on the website start with “https” instead of “http”, there is no need for an upgrade to implement HTTPS.

So where did the idea that the website would be useless come from? It turned out that was due to a blog post on Atlantic BT’s website. The intent of the post seems to be to scare people into contacting this company for security services.

The name of the post as listed in the URL for it, https://www.atlanticbt.com/blog/google-chrome-warn-users-non-secure-websites/, seems neutral. The visible title isn’t, “Non-Secure Websites, Beware! Google is After You”.

In the first paragraph they state:

This could create many challenges for web owners and designers. Traffic and revenue losses, as well as drops in organic search rankings, could all be consequences.

In the second paragraph they make a claim that there is a requirement to use HTTPS, despite there not being one:

By July, Google will require ALL websites to have their entire domain set up as HTTPS.

In the third paragraph they again try to push the negative impact, without quantifying how much, if any, they are claiming there would be:

This means that Google’s policy update will have major implications on your site’s web performance.

In the fourth paragraph they can’t even get to a benefit of HTTPS without playing up fear first:

Before stressing over the potential impact of this update, it’s important to recognize the countless benefits of establishing a secure connection via TLS.

The final section of the post, titled “What are the implications of Google’s update?”, starts with more unquantified claims:

Google is increasingly using security as an algorithmic ranking factor within their Search Engine Results Page (SERP). In 2014, Google publicly announced that websites would receive a boost in rankings if they switch from HTTP to HTTPS. And in-line with that policy, sites that remained HTTP would be at risk of losing rankings. This is a serious threat to the acquisition of organic traffic on HTTP websites.

So people should be doing something now because there was a change four years ago, for which Atlantic BT can’t actually cite, say, the percentage impact (as far as we are aware there wasn’t much impact on rankings due to that change).

Next, they finally mentioned a quantified stat:

There is also an added risk of dropping conversion rates and losing customers. Studies show that 85% of web users would choose not to make purchases from a website if it was labeled as “non-secure”.

If you follow the link, though, it doesn’t make the specific claim they say it does, and there are a number of other issues. What is claimed on the linked page is that a survey found that:

In fact, 85% of web users state they wouldn’t buy through a website where they weren’t certain their data was being transferred securely.

Among the issues that we can think of off the top of our heads:

  • That isn’t a study.
  • The question posed is different.
  • People stating they would do something does not necessarily reflect what they really would do.
  • The survey was done by a company that sells SSL certificates, which makes the result somewhat suspect. Fuller details that could be used to better assess the veracity of the survey, like what the wording of the question was, were not provided.

No other quantified statistics were provided in the post.

The final paragraph of the post seems to be what all the rest was leading to:

If you’re concerned about the potential impact of this upcoming Chrome update, or the security of your site, contact the experts at Atlantic BT.

Based on what we saw in that post it would seem like you would be best steering clear of that company.