Need for SSL?

Richard Korts
Richard Korts used Ask the Experts™
on
My son sent me this message:

I just got off the phone with Go Daddy and they said that starting in December, Google will start making sites that do not have that certification harder to find or they will be deemed as unsafe. This is the first I have heard of such a thing and am wondering if that is legit or bullshit?

Is this true, or just GoDaddy trying to make more money from SSL certificates?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2016

Commented:
It is true that http only sites will be downgraded in search. It has been an ongoing project for google for the last 2 years. As for December 2019 that might have been hype.

  You can always use letsencrypt to get the required certificate

In 2014, Google announced that encrypting a site where data transmission via SSL or TLS takes place would count towards the ranking. Because of this, website owners should sort out a certificate for their own project. This is also combined with the fact that transitioning to HTTPS is becoming even cheaper and easier so now the number of encrypted sites has significantly increased over the last two years.

http only sites will be marked as unsafe soon right now it is simply marked as not secure
David FavorFractional CTO
Distinguished Expert 2018

Commented:
1) I just got off the phone with Go Daddy and they said that starting in December, Google will start making sites that do not have that certification harder to find or they will be deemed as unsafe. This is the first I have heard of such a thing and am wondering if that is legit or bullshit?

All browsers have stated for roughly 3x years this is coming... because... all HTTP sites can be malicious, because there's no security.

At this point all sites should be HTTPS, especially since certs have been free for years.

2) What will occur when the change goes into full effect will be that all browsers will produce the suspicious site warning for all HTTP (non-HTTPS) sites, which is correct, because HTTP is insecure.

3) December might be the date + no one knows when exactly this will occur.

Since this has been stated for 3+ years now by all browsers, something like 85%+ of all sites are already HTTPS.

Likely after this occurs, the other 15% will become HTTPS compliant quickly.

4) Is this true, or just GoDaddy trying to make more money from SSL certificates?

Yes this is true.
Top Expert 2016

Commented:
malicious sites can get an https certificate just as easy as a safe site. DV certificates are free from lets encrypt. What I don't like is that the EV certificates are being downgraded in the browsers (no more green bar) (you have to explicitly click on the lock!)
Fractional CTO
Distinguished Expert 2018
Commented:
I'd agree with David Johnson on both points he made.

1) Anyone telling you they know the implementation date of required HTTPS... they're misinformed, as no one knows. Browser companies have been saying this will occur at some point for 3+ years now.

2) The entire point of EV certs + normal certs has converged, as most browsers (at least today) seem to be disabling the green bar EV indicator which was the entire point of having EV certs.

Tip: The only difference between an EV cert + normal cert is you must pay (sometimes very dearly) for EV certs with no additional security over free non-EV certs.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial