Your site appears as "Not Secure". How to fix it?

As of February 2017, Google Chrome version 56 marks every site that does not use https and has a password field on the page (a login area, for example) as insecure, with the message "Not Secure" in gray.

This is because many sites on the internet still do not care about SSL. Even with so many security flaws occurring in recent times, many sites still do not think about having an SSL certificate and guaranteeing privacy for their users.

In fact, the sites that really need active encryption are product sales sites, as they keep a register of people with sensitive information, such as email, addresses and credit card numbers.

However, with the increasing number of applications and sites on the internet that require the user to register, many sites that do not sell products still depend on an email and a password from the user to start the session, identify who is using the site and interact with the system. Many of these sites do not have an SSL certificate installed.

Currently, SSL certificates are easier to acquire. The company COMODO even has a server application for creating, purchasing and automatically renewing certificates for websites installed on IIS or Apache.

A website without an SSL certificate means that all traffic between your browser and the application server is transported without any encryption. That is, all data entered in form fields, comments, logins, any type of data, can be intercepted by anyone positioned on the network path in between.

This does not mean that someone in China can see what you are accessing on the iG website, but they could very well see what you search for on the Baidu website (a Chinese search website), as long as the packets pass through the same router or backbone as whoever is intercepting this data.

Among the world's government bodies, the one that most diverts routes in order to examine packets is undeniably the FBI in the United States, which does so to research user intentions in order to protect the country. Each one wants to defend its own, and to a certain extent is right.

Chrome version 55 on a login page without https.

Version 56 of February 2017 already displaying the text "Not Secure".
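
The rule described at the top of this article (a page served without https that contains a password field) can be checked on your own pages before visitors see the warning. The script below is an added example, not part of the original article; it models only the rule as stated here, and the URLs and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PasswordFieldFinder(HTMLParser):
    """Collects <input type="password"> fields and the form they sit in."""

    def __init__(self):
        super().__init__()
        self.current_form_action = None
        self.password_fields = []  # list of (field name, form action)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_form_action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").strip().lower() == "password":
            self.password_fields.append((attrs.get("name") or "", self.current_form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form_action = None


def audit_page(url, html):
    """Return (would_be_flagged, password_fields) for one page."""
    finder = PasswordFieldFinder()
    finder.feed(html)
    finder.close()
    is_https = urlsplit(url).scheme.lower() == "https"
    # Flag only when both conditions from the article hold.
    flagged = (not is_https) and bool(finder.password_fields)
    return flagged, finder.password_fields


# Constructed sample pages (not taken from any real site).
LOGIN_HTML = ('<form action="/session" method="post"><input type="email" name="email">'
              '<input type="PASSWORD" name="pass"></form>')
ABOUT_HTML = "<html><body><h1>About us</h1><input type='text' name='q'></body></html>"

if __name__ == "__main__":
    for url, html in [("http://example.test/login", LOGIN_HTML),
                      ("https://example.test/login", LOGIN_HTML),
                      ("http://example.test/about", ABOUT_HTML)]:
        flagged, fields = audit_page(url, html)
        print(url, "-> Not Secure" if flagged else "-> no warning", fields)
```

Only the first sample is flagged: the same login form served over https, and the http page without a password field, produce no warning under this rule.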

However, to what extent do you allow yourself to lose privacy and accept that everything you do can be intercepted, and that your passwords travel to various sites without any encryption, free for anyone to take, including the passwords for your Facebook, Gmail, Hotmail or Netflix?

SSL is no longer a luxury, it is a necessity, and the Internet needed this push so that all sites, even if "unnecessarily", make the advance of giving their users greater privacy protection.

Even with encryption enabled, some information is still traceable. For example, if you are using a proxy server on your computer, it will receive the called URL, even if it is in https.

There are also proxy servers that intercept https content transparently. In this case, they forge the SSL certificate: the proxy terminates the SSL connection itself and re-encapsulates the user's traffic in a new SSL connection, usually signed by a certificate that the browser does not recognize as valid, so the site is also marked as "Not Secure".

This can happen: on your cell phone the website is presented as secure, but on the network of the company you work for, the same website always appears as "Not Secure". This is because the company uses a transparent proxy instead of traditional proxy settings.

For the proxy companies, another big problem is the new SSL certificates based on SNI (Server Name Indication), a type of certificate that is much cheaper, compatible only with updated browsers, and issued only for the domain name, without relying on a valid IPv4 address.

When a transparent proxy is used with these certificates, all sites are marked as insecure, because the browser on a transparent connection tries to make the SSL connection directly to the server, using only the IP address coming from the DNS, but the browser does not deliver the domain being accessed, and therefore the certificate validation fails for the domain. This does not occur if the browser uses traditional proxy settings.

Although an institutional website that does not have SSL appears as "Not Secure", this does not mean that it is a fake or fraudulent website, or that the company that developed it did not follow development best practices. It is a technical matter that is solved simply with a certificate.

A COMODO SSL certificate costs an average of US$ 100 per year and allows you to solve this "problem".

When a site uses SSL properly, it contributes to security, encryption, privacy, and respect for the user, and still has a chance to rise in the ranking of Google searches (after all, Google itself is encouraging sites to use SSL).

Update on: 05/25/2017:
You can also issue an SSL certificate with Let's Encrypt. See the tutorial at:

1 comment:

  1. Talks a lot, but when it comes to actually solving anything, it doesn't. A crap site.