Find out below if your website is stopping candidates submitting their CV to your jobs.
Before you read the full blog post: Have a look at your website on Google, is it showing “Not Secure” the same as the image below?
Or maybe it looks like this!
If your site looks like this on Google you need to change it ASAP because Google is telling candidates who visit your website not to submit their information to your Recruitment Agency.
To make matters worse Google are starting to punish websites that are not secure by removing the offenders from their search results.
Your Website SHOULD Look Like Ours Below!
As you can see our website says “Secure” beside the domain. This means Google likes our website and will recommend our website in its search results. It also means that any information collected on our website is secure from hackers.
If your Website is secure, Congratulations you don’t need to read any more. BUT if your website is not secure, reading and implementing what is on this blog post will be the best move you will make today.
What is it and how to fix it?
It all began in January 2016, when Google started flagging sites in Chrome that showed only ‘http’ at the beginning of any URL, instead of the more secure ‘https’. In September 2016, letters and emails started being sent to the owners of sites that had been flagged as insecure.
And in January 2017, the push really began with Google sending out more warnings and notifications both to website owners and to the general online community through their support pages. Then, in October 2017, they went one step further. Now when users land on a site that is not secure, they will be shown a warning message indicating that.
Why is Google doing this? Simply put, because they want users to be safe and have the best experience possible while using their browser. After all, if users don’t feel safe, they’ll likely move on to another browser that gives them a better experience. And with 44.5 percent of all Internet users making Chrome their go-to browser, that’s a market share Google doesn’t want to give up.
Now for the Technical Stuff!
Note: If you are not technically minded and want to bypass all the technical stuff by getting someone who knows how to fix the problem to do it for you, please scroll to the bottom of the page and fill out the form, and we will have the problem fixed in a matter of days. You can go back to filling the roles for your clients.
Differences between HTTP and HTTPS
HTTP is something both website owners and users are familiar with by now. While they may not know exactly what it stands for (Hypertext Transfer Protocol), they do know that these letters appear at the beginning of all websites. Digging a little deeper into the technical side of things, this is the underlying protocol used by all things Internet, and it determines how messages are formatted, how they’re transmitted, and what actions web servers and browsers need to take in response to them.
HTTP is not to be confused with HTML, a type of code that will display and format web pages in a certain way. Instead, when a URL is entered by a user into any browser, an HTTP command will be sent to the web server that page is hosted on and direct it to fetch, transmit, and show the web page being requested.
HTTPS isn’t that different. It works exactly the same way with the only difference being that the web page being requested will be secure, meaning that any information entered into that web page will be kept private and confidential and be less susceptible to attacks from hackers. The abbreviation is very similar, but with the ‘S’ on the end, it turns into ‘Hypertext Transfer Protocol Secure’. And changing that one letter tells the web server that it must not only fetch and show the web page, but that it must do so over an encrypted transmission that will not leak any of the information given.
In addition to adding a layer of encryption, there are other ways HTTPS provides for a more secure user experience. The integrity of the data is kept intact because it cannot be modified or changed during a transfer, whether those changes were intentional or not, without being detected and having a warning issued. It also proves to users that they are communicating with the website they intend to. This protects against attacks from other people that may try and intercept information and builds user trust.
This is important because users expect to have a private and secure experience when using a website, and they expect their data to be kept secure as well. Now, with Google’s new changes, they will be alerted to the fact that their information is not being kept secure with a warning that looks like this:
Using SSL Certificates
SSL stands for ‘secure sockets layer’ and an SSL certificate is a small data file that binds a key, or code, to an organization’s details. When installed on a web server, the padlock icon and HTTPS protocol will be activated and allow for secure connections between the web server and browser. Websites that ask for credit card information are required by the Payment Card Industry (PCI) to have an SSL certificate installed on the site. But sites that have it, even if they don’t ask for credit card information, can use them to gain a customer’s trust and protect them against phishing schemes.
There are three types of SSL certificates available to website owners and the one chosen will depend on the level of security a website needs.
A domain-validated SSL certificate, also called a low assurance certificate, is the most common type of certificate used. These certificates allow for automated validation, meaning that it will ensure that the domain name is registered and that an administrator approves the request. These certificates have a processing time ranging from a few minutes to a few hours, but they should be used on internal systems only.
Businesses and other organizations are recommended to use an organization-validated certificate, or a high assurance certificate. These certificates need real people to validate the domain ownership as well as the organization’s information such as the name, city, state and country the organization is located in. This is different than domain-validated certificates because the process is not done automatically. The processing time for these certificates can range from a few hours to a few days.
One of the newest types of SSL certificate is the EV, or extended validation, certificate. These certificates require the most intensive validation, checking to ensure the business is a legal entity with business information being required to prove domain ownership. This is important because the standard SSL certificates do not indicate that the website is run by a legitimate verified business. Users can identify sites that use EV certificates because the padlock will be shown as green like this:
The processing times for these certificates can be anywhere from a few days to a few weeks and they are recommended for all e-commerce businesses.
No matter the type of SSL certificate a business wants for their website, there are many different ways to get one. Many web hosts offer them for free as part of their package, but they can be purchased from independent providers as well. Some of the biggest names are GeoTrust, DigiCert, and Symantec.
But why would someone pay for something that they can get for free? Because free SSL certificates are only secured with a self-signed certificate and when Chrome lands on these websites, it may post an error message. Some people will continue on to the site, but many will leave never to return.
That error message is shown because self-signed certificates are virtually unregulated. A site can be compromised but still show as secure. But certificates that are issued by a trusted certificate authority can be removed from the site if guidelines are not followed, which will alert users to potential threats.
There are, however, times that self-signed certificates are perfectly appropriate to use. For instance, if the payment page takes users to the PayPal site to make their payment, the original website may not need a security certificate because PayPal will already have one installed and will secure the transaction on your behalf.
In addition to the different types of SSL certificates, website owners also need to consider how many domains they want to protect. While everyone will want to protect their main domain, many also have many sub-domains that they may also want to protect. Certificates that protect only a single domain are logically known as single-name SSL certificates. But wildcard certificates are those that can protect multiple domains.
Because they protect more than one website, wildcard certificates can be a bit more costly, but they will easily pay for themselves over time. Also, one wildcard certificate is much easier to manage than a number of individual certificates that are purchased separately for multiple domains.
For those that have a great number of domains to protect, a multi-domain certificate may be the best option. These provide the same protection as wildcard certificates considering that they protect more than one domain. But they can protect many more, up to 210, in fact!
Once an SSL certificate has been installed, it may remain on a site for some time. And over that time, it may at some point become invalid. Luckily, there are a number of websites that will check and verify the SSL certificate information for you and deliver results in just seconds. They include: SSL Checker, GlobalSign’s SSL Server Test, DigiCert’s SSL Installation Diagnostic Tool, SSL Labs’ SSL Server Test, and GeoCerts’ SSL Checker.
Using Server-Side 301 Redirects!
Most of us have entered a URL address into a browser only to see a dialogue box pop up that tells us we are being redirected to another site. Webmasters and website owners do this for a number of reasons. Maybe their site has been permanently moved and they don’t want to lose customers. Or maybe they’ve just installed new security features such as SSL certificates and still want to make sure their customers and visitors get to the appropriate page. Because in this last situation, when SSL certificates have been installed, using a server-side 301 redirect is the next step.
Web administrators, developers and web hosts can sometimes install a 301 redirect onto the server. But for business and website owners that want to do it themselves, it’s fairly easy.
First a text editor such as Notepad needs to be opened. Then the following code needs to be entered: Redirect 301 / http://www.example.com. Of course, the domain name that is being redirected such as http://www.abcplumbing.com needs to be entered instead of ‘example.com’. The file then needs to be saved as .htaccess and then the file just needs to be uploaded into the web space.
This process only works on Linux servers, but with the majority of websites being hosted on Linux, it won’t be a problem for most. When Windows is the operating system of a web server, the web host should be contacted to determine how a 301 redirect can be installed.
Sometimes when a 301 redirect is used, the HTTPS pages get lost in the mix, meaning that they cannot be crawled or indexed by Google, which eliminates one of the reasons for taking the trouble to ensure the site’s ranking is not affected. To avoid this, there are a few things to take note of:
- Do not use robots.txt files, as they can block HTTPS pages
- Do not include meta noindex tags in your HTTPS pages
- Use Fetch as Google to test whether or not your pages can be accessed by Google’s bots
While 301 redirects are safer and easier to use, they’re just not enough, even when combined with an SSL certificate. For this reason, website owners will also want to support HSTS.
HSTS, which stands for ‘HTTP Strict Transport Security’, is a mechanism that helps protect websites against attacks and hijacking of cookies. In short, it will initiate the HTTPS protocol even if only HTTP is entered before a URL and force the user to use a secure connection. This is important for businesses to understand because even if they have an SSL certificate and a padlock indicating the website, and any information communicated over it, is secure, hackers can still get around it.
HSTS is a small factor in the amount of security a website can have, but it’s an important one. Consider the steps taken when leaving your home. You may lock the door through the keyhole. An SSL certificate works as this lock. It’s definitely harder for people to get in, but it’s not impossible for criminals that want to break in. And even if that criminal is redirected to picking the lock, it can still be done; the same way that a 301 redirect can still be hacked as the opportunity still exists during the insecure redirection from HTTP to HTTPS.
But, if a padlock is put on the door, and the criminal must first break into the lock on the doorknob and then get through the padlock, there’s little chance they’ll be successful. This is the added level of protection HSTS brings. Without it, hackers can still capture cookies used on the site, any session IDs that are used, and force redirection to a phishing site that looks and acts just like the website the user is trying to get to. When HSTS is installed, they won’t be able to do any of these things.
The installation process will depend on what type of web server is being used, but there are a few requirements before it is installed that every website owner or developer will have to ensure the site has first. They include:
- The website must have a valid SSL certificate
- All HTTP links must have a 301 redirect to an HTTPS link
- All subdomains must be protected with an SSL certificate
- The directives for those subdomains must be specified
- HTTPS requests must have an HSTS header
- They must be valid for at least 18 weeks
- The preload directive must be specified
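The requirements listed above, together with the 301 redirect described earlier, can be checked mechanically once you have the response a site gives over HTTP and over HTTPS. The Python below is an added example, not code from the original post: the function names and sample responses are constructed for illustration, and it reads “valid for at least 18 weeks” as the max-age value of the Strict-Transport-Security header.

```python
MIN_MAX_AGE = 18 * 7 * 24 * 3600  # 18 weeks expressed in seconds

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def audit(http_response, https_response):
    """Each argument is (status, headers with lower-cased names).
    Returns the list of requirements from the article that are not met."""
    problems = []
    status, headers = http_response
    if status != 301:
        problems.append(f"HTTP request answered with {status}, not a 301")
    if not headers.get("location", "").lower().startswith("https://"):
        problems.append("HTTP redirect does not point to an https:// URL")
    raw = https_response[1].get("strict-transport-security")
    if raw is None:
        return problems + ["HTTPS response carries no HSTS header"]
    d = parse_hsts(raw)
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age is missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age {max_age}s is under 18 weeks ({MIN_MAX_AGE}s)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in d:
        problems.append("preload directive is missing")
    return problems

# Constructed sample responses, not captured from a real site.
GOOD_HTTP = (301, {"location": "https://www.example.com/"})
GOOD_HTTPS = (200, {"strict-transport-security":
                    "max-age=31536000; includeSubDomains; preload"})
WEAK_HTTP = (302, {"location": "http://www.example.com/home"})
WEAK_HTTPS = (200, {"strict-transport-security": "max-age=86400"})

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)),
                        ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        print(label, audit(*pair) or "meets the listed requirements")
```

An empty list means the redirect and header satisfy every item the check covers; certificate validity and subdomain coverage still need one of the certificate checkers named earlier.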
HSTS may seem like just one more confusing acronym you need to remember when trying to secure your site, but the premise is very simple. It’s just another layer of protection that will let all website owners rest easy in the knowledge that their website is padlocked, instead of just being locked.
So how important is SSL and making sure your site is as secure as possible? Well, for Recruitment Agency owners that want to instill trust in their candidates and make sure they’ll be back, it’s important. And in the eyes of Google, it’s even more important.
While currently, Google will not shut down websites that are not secure, they will penalize them by placing them lower in the search engines. And while for the time-being, SSL certificates and other security measures are most recommended only for pages that ask users for their personal information, website owners and businesses are recommended to use SSL certificates on all pages of their website, regardless of whether or not personal information is being asked for.
Would you like The Recruitment Marketing Expert to Secure Your Website For You?
If you are not technically minded and want to bypass all the technical stuff by getting someone who knows how to fix the problem to do it for you, please fill out the form below and we will have the problem fixed in a matter of days. You can go back to filling the roles for your clients.