Over the last few weeks, we have been researching web traffic for 177 of some of the most productive brokerages in sales volume and sides. While we are still diving deep into the study, there was one stat which gave me grave concern; the number of broker websites which are not secure for a customer to login or to complete a form.
Securing information between a person who completes a registration or property inquiry form and then sends it to a web site’s server is achieved when you see the HTTPS before the web address.
Example:
- https://www.WAVGroup.com – Communication between person browsing and the website server is secure
- http://www.WAVGroup.com – Communication between person browsing and the website server is NOT secure.
Today, we do not even consider launching a website – with or without forms – without applying HTTPS website security.
For years, Google has been pushing webmasters to apply HTTPS to secure websites. While this method has been a long-time practice, most companies were not adhering to it if their site did not have an e-commerce payment feature. That is until Google started to highlight non-secure websites as “Not Secure” in Chrome back in July of 2018. Nowadays, the majority of web browsers display non-secure websites to people.
During our research, we exposed that almost 25% of the 177 websites in the study were non-secured websites. These are websites from brokerages who are productivity leaders in sales volume or sides or both. Websites which included subscribing to a newsletter feature, submitting a property inquiry with a showing request, or a site registration and login form. Scary!
Non-secure websites are open.
A simple scenario of creating a new username and password on a non-secure website makes it easy for others to see it. When the submit button is pushed, the browser sends the information to the website’s hosting server in a form that is as readable as this article.
There are plenty of tools to capture the communication into a file and query it to find the information. Unsecured Wi-Fi hotspots like in airports, restaurants, and public places make it easier for the bad guys to capture non-secured communication with these tools.
Open hot-sports make it imperative to secure websites to protect the consumers privacy and security, leverage Search Engine Optimization, and preserve the company’s brand image.
Consumers Privacy and Security
The EU’s General Data Protection Regulation (GDPR), California Consumer Privacy Act of 2018 (CCPA), and the discussions in the U.S. Congress on new federal regulation policy; state that any compromise of a person’s personal or private information must be disclosed. It will be difficult to remediate any violations of these laws when a company maintains non-secured websites.
An item to note: While CCPA’s accountability to the law is limited to only big companies, the U.S. House and Senate hearing was inclusive for every company and preemptive to state law. The federal government is reviewing how to align data security with a privacy policy.
Search Engine Optimization (SEO)
Search Engines have been saying since 2014 that one signal they use for ranking websites is if they are using HTTPS. Google previously stated usage of HTTPS as a ranking signal is part of their algorithm.
For these reasons, over the past few months, we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.
Should we be concerned about this since Zillow, Realtor, and Trulia is winning this war? I absolutely think it makes a difference for long-tail searches. These sometimes include typing in a property address or performing a search for a ‘home for sale in a neighborhood for $250k’.
Company’s brand image
This is one upsets me. Brand is extremely important to a company and having a web browser say “Not Secure” is leaving a negative brand message to the consumer. Let’s take a look.
Chrome:
Here is an example when accessing a non-secure website in Chrome. When the consumer clicks on the information circle next to Not Secure, the following message is delivered.
Brand message: We want your business, but we don’t care enough to protect you from the bad guys!
The next example shows how a secured website is treated by Chrome.
The consumer is presented with a lock icon.
All is okay with this company! 😉
Firefox:
When accessing a non-secure website, Firefox only displays the information circle. But, look at what is displayed when the consumer clicks on the site.
I like how Firefox displays a secured website. They present a bold green lock next to the web address.
This aligns and signals the dedication of a brand that is concerned about my security and privacy.
Safari:
Apple’s treatment of a secured website only displays a little lock next to the web address. It is okay, but nothing really bold.
Apple’s lack of treat treatment on non-secure websites is a little disheartening. As a consumer, you only know when the website is secured. I guess Apple thinks people are more aware of their browsing habits.
Brave Browser:
If you like a browser to test for SEO and easily select ad and tracking blockers, try Brave Browser. It has become a go-to for surfing the web.
Brave treats non-secured websites similar to Firefox. A big red “Not Secure”. Click on the Not Secure and the message is loud and clear.
Summary:
All your website assets need to be set up with HTTPS. The cost to implement is minimal compared with not having the proper security in place to protect people, losing out on long-tail SEO, and jeopardizing the company’s brand with consumers. It all matters in today’s business world.
There really isn’t any excuse for having a non-secure website. If your team is too busy, call us. We’ll handle this for you and make the necessary phones calls to get the job done. One more item to check off your “to-do” list.
WAV Group can facilitate the process of moving your website assets from HTTP to HTTPS. Call Victor Lund or David Gumpper to discuss how the WAV Group can assist.
“website assets need to be set up with HTTPS” Interesting, what does that entail to get set up with HTTPS?
“cost to implement is minimal” What are the costs involved, and what is provided?
“We’ll handle this for you and make the necessary phones calls to get the job done.” Is this something I can do; and who are the entities and numbers to call?
Hi Krist: Great questions and I am glad that you have asked. It seems you have already secured your website. Excellent!
What does it entail to setup HTTPS? I’ll need to be a little techy here, but the following is a high-level overview.
The cost to implement?
Purchasing a digital certificate will vary from CA to CA. If your host provider has Let’s Encrypt or other open source CA, it might be free as part of the package. GoDaddy is a CA and charges $64/yr for a single site certificate. Domain-wide certificates can run up to $300 per year.
Then you have the cost to create the CSR, install the final certificate, and resolve any mixed content. Your website hosting provider will probably handle this and should only take 1 to 3 hrs tops.
Handle phone calls to get the job done, and can you do this yourself?
As you can see from the above, accomplishing https on a server is about coordination between the Domain Registrar, Certificate of Authority, and the website hosting provider. Sometimes, this is easy as everything is covered under one company, like GoDaddy. Other times, you have to act like a traffic cop to ensure three different completed their tasks and follow-up with communication. Additionally, testing has to be done on the site to resolve mixed content: pages containing a combination of HTTP and HTTPS links or URLs. If these are not resolved, browsers will let the consumers know the site is not FULLY secured.