Websites, Security, Tutorials

Install an SSL Certificate to change your website’s address from HTTP to HTTPS

Introduction

Google announced last year that they were prioritising sites that had a verified SSL Certificate over those that didn’t. This meant, in SEO terms, that those who made the move or who were already set up that way had a slight SEO advantage (all things being equal, which of course they never are). They also devised a way to highlight this to the viewer: you may have noticed that some sites now have a website address that starts with HTTPS and also a little padlock that says “Secure” next to them, whereas others just have an exclamation mark in a circle. If you visit a site with the padlock, you can click on it and this message is displayed:

The Connection is Secure Message in Google Chrome

Likewise, if you click on the exclamation mark (on an unsecured site) you get this less reassuring message:

Google Chrome message: the connection to this site is not secured

What is SSL?

SSL stands for Secure Sockets Layer and is a security protocol that uses a certificate chain between the server that hosts your site and a third party who is authorised to issue certificates, to verify that you are who you say you are online. When you have set up your SSL certificate and followed the steps on your server to verify the certificate, your site’s URL changes from http://yoursitename.com to https://yoursitename.com – and the address shown in Chrome is displayed with the green padlock and is prefixed with Secure |, as shown above.

Do I need an SSL certificate for my site?

I had clients ask me whether this was an essential task and for a while I said that it should be on the to-do list but wasn’t something they needed to rush towards, given the nature of their websites. For anyone trading online, selling products, or exchanging personal or sensitive data, the change has been more pressing and really, if that’s the purpose of your site, you should have done this by now. But if you’re not asking clients for their personal information via the web, why the need to change?

There are two main reasons for doing this now. First, as of today, the new version of the Chrome browser marks sites that do not have an SSL certificate as “Not Secure”. Essentially nothing has changed: the site is no less secure today than it was yesterday. The point really is that it’s not as secure as sites that do have an SSL certificate. As more and more sites make this change and we come to expect to see the word “Secure” up there in the address bar, there’s an element of reassurance, of professionalism, to a site that is secure over one that isn’t. The second reason is that it can also help with identifying bogus sites and tells your customers that the site they’re on is the real deal. There are some common scams that rely on users not realising that the site they’re on is a convincing copy of the real one; the scammers then use that fake front-end to abuse the trust you’ve placed in the company you think you’re dealing with, persuading you to hand over personal details that can be used to access your bank accounts or cards. So as a consumer there are definite benefits to interacting only with SSL-certificated sites, especially for financial transactions. As a business, it means your customers can come to your site and be assured that they’re not on a copy site, that it really is you they’re dealing with, and that any data they send will not fall into the wrong hands.

How do I make the change to HTTPS on my site?

The steps to create an SSL certificate and install it on your site are given below.

Once you’ve installed the certificate there are three more steps:

  • Fix the links on your site so they use the new https URL (the steps here are for WordPress users, since that’s what I use for my site);
  • Create a redirect to ensure that any searches for the HTTP versions of your site are automatically routed to the new HTTPS address; and,
  • Verify your site’s certificate;

With the optional fourth step of updating your Google Webmaster Console.

As you can see, before adding the security certificate, my site’s URL looks like this:

Site URL with HTTP Address

By the time we’ve worked through these steps it will look like this:

Site URL with HTTPS Address


The instructions here assume you’re using a relatively current version of CPanel to administer your site. If you’re using a site builder like Wix or SquareSpace you’ll need to check their site-specific instructions. To help you out I’ve put some links to the most common platforms at the bottom of this page. If you’re not sure about this get in touch.


Step 1: Create and Install your SSL Certificate

1. Login to CPanel and scroll to the Security section.

2. Click on SSL and then Install and Manage SSL for your site (HTTPS).

Menu Options in the CPanel SSL Security App

3. Click on Certificate Details.

4. Scroll down and click on Install an SSL Website.

5. Select your domain from the drop down and click Autofill by Domain.

You then get a message showing that the certificate field below is completed. That’s it!

When I did it I got a warning in Chrome that it was a self-signed certificate (as in, one signed by my own server rather than by a recognised certificate authority). Kaspersky decided to chip in too:

Kaspersky Error when clicking Self-Signed SSL Certificate Site

This means that it has not been verified by a third-party and could, therefore, be a fake! Of course, I know it’s not but what about my customers? Let’s install it properly and verify the details. That will get rid of the warnings.

6. This time click Let’s Encrypt SSL in CPanel. 

Security Apps in CPanel

You can see from the list that I have an SSL certificate assigned to the site but that it is not installed.

List of Domains with Let’s Encrypt SSL Certificates

7. Click Reinstall. You can see that the listing changes to show that the security certificate has been installed.

Let’s Encrypt List of Security Certificates Installed

Great. That’s the first part done. Now if you go to your browser and click refresh on your web page you should see the site listed as Secure.

Step 2: Change Site Links

On WordPress, which is what I use for my site, it’s really easy to do this.

1. Login to your Admin panel (yoursite.com/wp-admin), then click on Settings and General.

The SITE URL field in WP-ADMIN

2. Change the WordPress Address (URL) and Site Address (URL) values to https.

3. Scroll to the bottom of the page and click Save Changes.

That’s WordPress done.

Step 3: Redirect Search Engines to your HTTPS Site

If your site has been online for a while you will (hopefully) have other sites linking to you, links from social media, etc. Without a redirect in place the browser will just assume any pages or posts with the web address starting HTTP have disappeared, which is very bad for your SEO and very bad for your business generally! Setting what’s called a “301 redirect” will ensure that anyone coming to your site from an old link will find your new HTTPS-addressed page. You do this by editing your site’s .htaccess file.

1. Access the server and navigate to your site’s files. You can either do this with FTP or directly via CPanel.

2. Create a local copy of your site’s .htaccess file.

3. Add the following code at the top of the file:

RewriteEngine on
# Redirect only plain-HTTP requests, or requests for the bare (non-www) host.
# Without the %{HTTPS} check, a request that is already https://www... would
# match and be redirected to itself in an endless loop.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} ^yoursite\.com$ [NC]
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [L,R=301]

4. In the code above, change yoursite.com (it appears twice) to the name of your site. My .htaccess file now looks like this:

RewriteEngine on
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} ^languedoc121tech\.fr$ [NC]
RewriteRule ^(.*)$ https://www.languedoc121tech.fr/$1 [L,R=301]

You can use any text editor, such as Notepad (installed with Windows) or something more sophisticated, like Notepad++ (freeware).

5. Save and copy the updated file back to your server.

That’s it: the redirect is in place. If you click on an old link to your site, say from a Facebook post, it should find the right page.
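A way to confirm the redirect really behaves as intended, including catching the redirect loop that a rewrite rule without an HTTPS check produces; this is an added Python script, not part of the original post. It assumes the author’s address www.languedoc121tech.fr as the canonical site (change CANONICAL to yours), needs network access for the live check, and the DEMO table is a constructed stand-in for a server so the logic can be exercised offline.

```python
"""Check an HTTP -> HTTPS (and bare host -> www) redirect one hop at a time.
Added example, not part of the original post: HEAD requests are sent without
following redirects, so a rule that sends HTTPS back to itself shows up as a loop."""
import http.client
from urllib.parse import urljoin, urlsplit

CANONICAL = "https://www.languedoc121tech.fr"  # the post's site; change to yours


def fetch(url, timeout=10):
    """One HEAD request; returns (status, absolute Location header or None)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        location = resp.getheader("Location")
        return resp.status, (urljoin(url, location) if location else None)
    finally:
        conn.close()


def follow_chain(url, fetcher=fetch, max_hops=5):
    """List of (url, status) visited, ending at the first non-redirect response.
    Revisiting a URL, or exceeding max_hops, ends the chain with a "LOOP" entry: the
    symptom of a RewriteRule that does not check %{HTTPS} before redirecting."""
    chain, seen = [], set()
    while url not in seen and len(chain) <= max_hops:
        seen.add(url)
        status, location = fetcher(url)
        chain.append((url, status))
        if status not in (301, 302, 307, 308) or not location:
            return chain
        url = location
    return chain + [(url, "LOOP")]


def verdict(chain, canonical=CANONICAL):
    """A good chain ends with 200 on the canonical HTTPS origin after one 301, or none."""
    final_url, final_status = chain[-1]
    if final_status == "LOOP":
        return "FAIL: redirect loop"
    if final_status != 200:
        return f"FAIL: ends with HTTP {final_status}"
    if final_url != canonical and not final_url.startswith(canonical + "/"):
        return f"FAIL: ends at {final_url}"
    hops = len(chain) - 1
    if hops == 0:
        return "OK: already canonical"
    return "OK: single 301" if hops == 1 and chain[0][1] == 301 else f"WARN: {hops} hop(s) via {chain[0][1]}"


# Constructed responses standing in for a live server: a correct site and a looping one.
DEMO = {
    "http://example.test/page": (301, "https://www.example.test/page"),
    "https://www.example.test/page": (200, None),
    "http://loop.test/": (301, "https://www.loop.test/"),
    "https://www.loop.test/": (301, "https://www.loop.test/"),
}

if __name__ == "__main__":  # live check of every spelling of the site address
    host = urlsplit(CANONICAL).hostname.removeprefix("www.")
    for start in (f"http://{host}/", f"http://www.{host}/", f"https://{host}/", CANONICAL + "/"):
        chain = follow_chain(start)
        print(start, "->", " -> ".join(f"{u} [{s}]" for u, s in chain), "|", verdict(chain))
```

Run it after uploading the new .htaccess: all four starting addresses should end with “OK”, and a “FAIL: redirect loop” on the https://www… address means the HTTPS condition is missing from the rule.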

Step 4: Check on your SSL Certificate

This is another non-essential step, but it’s nice to verify it’s all working so I recommend you visit the SSL Labs page to check your certificate. Click on the link below, enter your site’s URL and click Submit. All being well you’ll see the certificate details listed on the page below. 

https://www.ssllabs.com/ssltest/index.html
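As a local complement to the SSL Labs check, here is an added Python script (not from the post) that connects to the site the way a browser does and reports who issued the certificate, which names it covers and how many days it has left, or the verification error you get while a self-signed certificate is still in place. It assumes the author’s hostname www.languedoc121tech.fr for the live run; DEMO_CERT and DEMO_NOW are constructed values so the checks can run offline.

```python
"""Inspect the certificate a site actually serves: issuer, covered names and days
left. Added example, not from the post; a local complement to the SSL Labs check."""
import socket, ssl, time


def flatten(name):
    """getpeercert() gives subject/issuer as ((('commonName', 'x'),), ...); make a dict."""
    return {key: value for rdn in name for key, value in rdn}


def covers_host(cert, hostname):
    """True if hostname matches a DNS SAN (or the subject CN when there are none);
    a wildcard such as *.example.test matches exactly one extra label."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [flatten(cert["subject"]).get("commonName", "")]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
        if host == name:
            return True
    return False


def days_until_expiry(cert, now_seconds=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now_seconds is None else now_seconds
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def summarize(cert, hostname, now_seconds=None):
    """Report on a certificate that passed verification."""
    issuer = flatten(cert["issuer"])
    days = days_until_expiry(cert, now_seconds)
    report = {"verified": True, "days_left": days, "warnings": [],
              "issuer": issuer.get("organizationName") or issuer.get("commonName", "?"),
              "covers_host": covers_host(cert, hostname)}
    if not report["covers_host"]:
        report["warnings"].append(f"certificate does not cover {hostname}")
    if days < 30:  # Let's Encrypt certificates last 90 days; renewal is due well before this
        report["warnings"].append(f"expires in {days} days; check that automatic renewal works")
    return report


def inspect_site(hostname, port=443, timeout=10):
    """Connect with the system trust store, as a browser does, and summarise the result."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=hostname) as tls:
                return summarize(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        # Self-signed or otherwise untrusted: the warning the post describes before Let's Encrypt
        return {"verified": False, "error": err.verify_message}


# Constructed certificate in getpeercert() shape, plus a fixed "now", for offline use.
DEMO_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}
DEMO_NOW = ssl.cert_time_to_seconds("Dec  2 00:00:00 2029 GMT")

if __name__ == "__main__":
    print(inspect_site("www.languedoc121tech.fr"))  # the post's site; change to yours
```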

Now for one more step, which you can skip if you’re not using Google Webmaster Tools.

Step 5: Add your HTTPS site to Google Webmaster

It’s worth having all versions of your website’s address registered in Google Webmaster because Google likes verified sites – and we all want Google to like our sites! If you haven’t already set up your site with Google Webmaster, now is the time to do it. 

1. Sign in to your Google Webmaster account. You can see that there are already registered versions of my site with and without the “www” – but nothing yet for HTTPS.

Overview of Sites Registered with Google Webmaster Console

2. Click ADD A PROPERTY.

3. Enter your site’s details, then click Add.

Add a New Site to Google Webmaster Console

4. Select the Alternate Methods tab and choose your method. I like the HTML file upload method, which involves downloading a file and putting it in the /public_html folder on your site’s server. If you’ve been through the verification process with other non-HTTPS versions of your site, you don’t need to copy the file again.

Verify Site with HTML File Upload in Google Webmaster Console

5. When the file is on your server, click I am Not a Robot and then Verify.

After you click Verify you’ll get a message confirming that your ownership of the site has been verified. Et voila!

6. Now do the same for the HTTPS version of your site but minus the “www” in the site address. For example, your site can be accessed using the URL www.languedoc121tech.fr or just languedoc121tech.fr so both need to be registered with the Search Console.

7. Next, click on Search Console to go back to the overview page (which lists all the domains you’ve registered using the Google Webmaster account) and check the listing. Mine looks like this, with HTTP and HTTPS versions for the variations of the domain name (with and without “www”).

Revised List with HTTPS Sites Added in Google Webmaster Console

That’s it: you’re done!

Conclusion

So there you have it. It’s a little bit of work, a little bit techy in places, but not a major job and it doesn’t cost a thing if you do it yourself. If a web developer tries to bill you for multiple hours or suggests you pay for your SSL certificate, then you would be better off finding another developer! Or you can contact me, of course.

If you do decide to do this yourself, please leave a comment below. Likewise, if you get stuck or have any problems.

Useful Links

Here are links to SSL installation instructions for some popular website builders.

SquareSpace

Wix

Weebly

Do you need help? Contact me now to arrange a personalised tech support or training session.

 

Security

Your Computer and GDPR: Secure File Storage and Encryption

If you’re running a business you will definitely be storing and using personal data. That means you have obligations under the new GDPR rules. In my last post, Your Website and GDPR: Privacy Policy and Consent, I described what’s needed to get the online side of your business compliant. But what about any files, documents, or invoices, or any other records you keep? This post will explain ways to ensure your customer records are secure.

Know What, Why & Where Information is Stored

When you audited your business (you’ve done that, right?) you will have created a list of the types of information you hold, why and where. In all likelihood this will include some electronic files stored on your local computer and maybe also paper copies or other paper-based records.

For example, maybe you keep it all as entries in your Outlook address book, or you might have a customer-registration form, or a database entry in a CRM application.

If you’re creating electronic copies, are they backed up anywhere? Are you backing up to a physical drive or to the cloud? Is your cloud storage secure, in the EU, and GDPR compliant?

Any method of collecting or storing data falls under GDPR, so read on to find out ways to ensure your computer and any paper copies of files, and therefore your customers’ data, are protected and secured.

Storing Digital Records and Files

Using a Third-Party Tool

If you are using a third-party application, for example, using an application like Wave or Freshbooks to generate and track your invoices, you will have to check on the GDPR compliance policy of that company. Most companies are busy working towards compliance but the onus is on you to check. Because any software like that will require you to have an account with a secure login process, as long as the company says they’re compliant, you’re probably good to go: just make sure your password is as secure as it can be. If you’re not using one of the many password manager tools, now would be a good time to start (although they come with their own risks, of course!)

If you’re not sure, get in touch. Most software providers are fully aware of the demands being placed by the new GDPR rules and are keen not to lose business due to non-compliance.

On your Computer

If you keep data locally, on your PC, you need to know where it is so you can find it to provide it on customer request and/or remove it. And it needs to be secure. The question to ask yourself is this: if someone steals my computer, my phone, my iPad (or whatever piece of tech you store your files on) can the personal data of my customers be accessed? If the answer is yes, there are a few simple things you can do to lock that information down.

Encrypt Your Computer, Files and/or Folders

First, you need to ensure that your PC and the files you store there are encrypted, which in practice means they can only be opened with a password.

You want to make sure your PC is locked. Think about whether someone who finds or steals your PC could open it and start working without having to jump through any security hoops. Make sure you have a login password, PIN, or fingerprint scan set up to enable access to your device.

Then, make sure you have an encrypted folder specifically for any files that include customer data. There are several ways to do this: you can pay for software, you can use a ZIP or other password-protected archive in place of folders for customer files (a bit clunky, but it would do the job), or – chances are – you can use software that is already installed on your computer, either bundled with the OS or as part of your internet security package. If you’re running paid-for software from one of the main internet security companies, check what’s available. For example, Kaspersky Total Internet Security provides a tool called Secure Folders and Comodo Internet Security has Protected Data Folders. No need to spend any more money. Bonus.

Secure your Backups

Backing up to The Cloud

If you’re backing up to The Cloud (think Google Drive or Dropbox) you need to ensure that their service is secure and GDPR compliant. More and more of us are using cloud storage these days, but as that will involve passing digital information from your computer to the cloud, how secure is that really? Is encryption used when the files are transferred? Is it a US or EU based company? What happens in the event of a data breach? Where is the data stored?

And it’s not as simple as you think: lots of us use Google Drive nowadays and while it’s really easy to back up your files using their Backup and Sync tool, which is fine for your personal files, unfortunately (at least at the time of writing) it’s not a workable option for your customer files. Why? Because Google have said that unless you’re paying for the service as part of a My Business account, Google Drive (personal) is not GDPR compliant.

Backing up to an External Drive

If you’re backing up to an external drive, you need to make sure that access is encrypted. As with your physical computer, ask whether someone who took your drive could open it and access your files. Protect your device and your files in the same way you would on your computer.

Secure your Hard Copies

So much for the paperless office. We all end up with paper copies of some sort – and some of us prefer to keep records that way. If you are keeping records on paper, the question of security goes back to what happens if someone accesses your files. In the same way that you are responsible for protecting electronic files, you’re required to ensure paper files are secure. With paper files that means keeping them under lock and key. That means getting a lockable drawer or filing cabinet – ideally something fireproof, just to be sure – and locking them away.

And Last Steps…

Lastly, document it all. You should have all this in a single file as the result of your audit. If not, now would be a good time to do it.


Image credit: iStock.com/drogatnev

Disclaimer: This information is intended as guidance only. It is not a substitute for legal advice and is based on personal research conducted by the author. Ensuring your business is GDPR compliant is the responsibility of your Data Controller.

If you need help with this or any other aspect of your home or business IT, contact me to arrange a free consultation.

Security

Are You GDPR Ready?

What is GDPR?

From May 28th the new General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, comes into effect. It will give individuals far greater control over their personal data, with the scope of what constitutes personal data greatly enhanced to include:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

For businesses in or trading within the EU, this means much tighter controls need to be in place to ensure that the terms of the GDPR are not being breached. The full text of the regulations is available online from the GDPR Info website and is required reading for anyone who is responsible for data within a company of any size and all sole traders.

For small businesses, this may seem daunting, but there are a few simple things you can do.

7 Steps to Get Ready for GDPR

  1. Audit all the personal data you use or hold. This means information for customers, visitors to your website, newsletter or mailing list subscribers. This means data you hold or collect both on and offline.
  2. Publish a Privacy Policy on your site. This must be written in plain and readable language and clearly state what information you use and hold, why it is used, where it is held (if it is stored), and how individuals can request details about their personal data and also request its removal.
  3. Implement an Opt-In policy. For your website, this means you need to ask every visitor to your site whether they are happy with your Privacy Policy before they access the site and any information is transmitted.
    For any mailing list subscribers, you need to contact them asking them to confirm that they accept your privacy policy and wish to continue their subscription.
    And any forms on your site need a consent button, so people know what information you will hold and an opt-in for any related mailing lists.
  4. Move your site from HTTP to HTTPS. This is vitally important if you run an online store or accept credit card details. It’s less of a priority for non-commercial sites but does give your visitors a level of reassurance and also has advantages for your site’s SEO.
  5. Update your Terms & Conditions. These must specify what data you hold, why, where, and how customers can find out about this. Communicate any changes to an existing policy to your customers.
  6. Document your Data Retention Policy. Know what you are storing where so that if someone asks what you are holding or asks for information to be deleted, you can easily find it and comply.
  7. Ensure all Personal Data you hold is stored securely. This means checking that any cloud storage you use is GDPR compliant (for example, Google Drive is not unless you have a My Business account), and any files that you keep in your home or on your laptop are secured, either with a physical key or with a digital one.

Now read part 2 in this series.

In the next post, find out how to make sure your website is GDPR ready by publishing your privacy policy and obtaining consent from new visitors.


Image credit: iStock.com/Matthew de Lange
