Secure to not secure: What you need to know about Google’s TLS announcement
Google is cracking down on sites using “non-secure” versions of TLS (Transport Layer Security).
To keep your site secure and your users feeling safe, it’s important to update the version of TLS your site uses. We get that it can be confusing to keep up, to understand what TLS is, and to know what you need to do. So, here’s all you need to know about Google’s TLS announcement.
What is TLS?
TLS stands for Transport Layer Security. It’s a security protocol that helps data pass privately and securely through communications over the internet. For example, when a browser loads a website, TLS will encrypt this communication between the browser and the server, making this data more secure. This encryption is also performed over other forms of communication, such as email, messaging, and voice over IP.
What if I don’t have the right version of TLS on my site?
Apart from having data transfers from your website left vulnerable to a cyber-attack, browsers will also be displaying “Not-Secure” messages to users coming to your site – this’ll put users off, which will harm traffic and conversions. From March 2020, Google will become more aggressive on this front by displaying a full-page warning to users, causing more of a negative impact on traffic and conversions on your site.
What has Google announced about TLS?
On Tuesday 14th January 2020, Google started sending out messages to webmasters via Search Console, explaining that sites that don’t support TLS 1.2 or higher will show a “Not secure” warning in Chrome from now on. In March 2020, Chrome will start to show full page warnings for such sites. This message can be seen in the screenshot below:
Google’s “Not Secure” warning.
Has Google said anything about this before?
In October 2018, Google, Apple, and Microsoft all announced that they would be dropping support for TLS 1.0 and 1.1 by early 2020 due to known security vulnerabilities in these protocols. TLS 1.2 will be the default protocol version for these companies, but all 3 tech giants have encouraged site owners to add support for TLS 1.3 as soon as possible.
Why is Google considering older versions of TLS “Not Secure”?
Vulnerabilities such as POODLE and BEAST have been found in versions 1.0 and 1.1 of TLS, making these protocols insecure methods of sharing information online.
POODLE is a man-in-the-middle attack that forces the connection to downgrade to a weaker protocol version, which the attacker can then exploit.
BEAST is also a man-in-the-middle attack; it can decrypt data exchanged over version 1.0 of TLS by taking advantage of a vulnerability in Cipher Block Chaining (CBC) mode.
What are the consequences of not having the correct version of TLS on my site?
Apart from having data transfers from the website left vulnerable to a cyber-attack, browsers will also be displaying “Not-Secure” messages to users coming to your site, which will harm traffic and conversions. As of March 2020, Google will become more aggressive on this front by displaying a full-page warning to users, causing a much greater negative impact on traffic and conversions on the site.
How do I know if I have the right version of TLS on my site?
It’s really easy to check. Just input your domain into this online tool from CDN77 and scroll down to see the enabled SSL/TLS protocol versions on your site:
Check your enabled TLS Version.
Remember, Google only requires your site to support TLS version 1.2 or higher, so you won’t be displaying non-secure messages on Chrome even if you’re not using the latest version of TLS. However, more up-to-date versions of TLS do provide increased security and other benefits, such as reduced latency when establishing a connection, so it makes sense to update to the latest version.
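If you would rather check from your own machine, the script below does the same kind of test as an online checker. It is an added example, not part of the original article or any Google or CDN77 tooling; the function names `probe` and `chrome_verdict` are made up here, and it assumes Python 3.7+ and that you run it against a host you administer.

```python
import socket
import ssl
import sys

# Protocol versions to probe, oldest first.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port=443, timeout=5.0):
    """Try one handshake per version. True/False = server accepted/refused,
    None = the local OpenSSL build cannot offer that version at all."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only protocol support is measured,
        ctx.verify_mode = ssl.CERT_NONE  # so certificate checks are off
        try:
            ctx.minimum_version = version  # pin the handshake to one version
            ctx.maximum_version = version
            # Many OpenSSL builds block TLS 1.0/1.1 at the default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        # Connection errors propagate: "unreachable" is not "unsupported".
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
            except (ssl.SSLError, OSError):
                results[name] = False
    return results

def chrome_verdict(results):
    """Rule from the article: the site must support TLS 1.2 or higher.
    Returns (passes, deprecated versions that are still enabled)."""
    passes = bool(results.get("TLS 1.2") or results.get("TLS 1.3"))
    legacy = [v for v in ("TLS 1.0", "TLS 1.1") if results.get(v)]
    return passes, legacy

if __name__ == "__main__":
    found = probe(sys.argv[1])  # e.g. python tls_check.py your-domain.example
    print(found, chrome_verdict(found))
```

A result of `None` for TLS 1.0 or 1.1 means your local OpenSSL cannot offer that version, so it says nothing about the server; confirm those versions from another client.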
How do I update my version of TLS?
The method for updating your version of TLS depends on the server type you’re using. To help you out, here are links to instructions for some of the most common server types below:
What’s the difference between TLS and SSL?
Essentially, TLS is the new version of SSL (Secure Sockets Layer) and can almost be viewed as version 3 of SSL. The only reason for the name change is that the protocol is no longer associated with Netscape.
Do I need a new TLS certificate?
No, Google has confirmed that these changes do not require websites to obtain a new TLS certificate.