Google is encouraging the world wide web to shift all website pages to https as ‘best practice’. Google’s first step in this direction in 2017 was to introduce a security warning in Chrome for any web page that contains password or credit card input fields and is not served as https. This is a sensible and measured step.
However, many people who consider themselves to be web-savvy trust websites because of the appearance of https without having any real understanding of what it means. This support article is intended to provide a non-technical audience with a basic level of understanding of website security and also explain our current policy regarding https.
Installing a security certificate allows a domain (website URL) to present as https, which causes web browser software such as Google Chrome and Microsoft Edge to display a padlock or other symbol in the address bar to indicate that the site is 'Secure'. It also allows the website to avoid the ‘Not secure’ warning that would otherwise appear if a standard http page contains password or credit card input fields.
An https page simply means that the website domain holder has installed a security certificate and therefore the web page you are viewing does indeed belong to the domain name that is displayed in the browser address bar. It does NOT necessarily mean the site itself is in any way legitimate or that it is not part of a fraud or a phishing scam. If a scammer wants to harvest your details, the cost of installing a certificate is unlikely to deter them. In fact, these days you can get a certificate for free, as described in this article: https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/
Https introduces the benefit of encryption of data between the web browser software on your computer and the web server hosting the web page. Most commonly, people connect to the internet through their own internet service provider (ISP) via their home or office Wi-Fi. Since Wi-Fi traffic is encrypted by default anyway, the value of the encryption from https is to protect against a 'man in the middle' attack whereby an employee of an ISP could be monitoring or sniffing unencrypted traffic, seeking an opportunity to exploit it. The incidence of this exploitation compared to phishing scams is extraordinarily rare.
So, although the web community generally agrees that https is best practice, we also know that many people misunderstand its efficacy. In relation to our platform, our current approach is to encrypt pages with logins (by using https), since people sometimes use the same password for multiple purposes and we don't want even the extremely remote possibility that a password could ever be 'sniffed' by an employee of an ISP during interaction with our site.
We also use https for any back-end pages where a website administrator is logged in and viewing a database of members, so that this personal information is similarly encrypted. Lastly, we do offer the opportunity for website administrators to display https web input forms. This can be achieved by displaying a button or link to an https version of the web input form instead of displaying the form within a widget on a standard http page. The https version of the URL to the form is available to website editors simply by clicking the 'link' button beside the form in the Online Registrations area.
Since web browsers will display a security warning if a page serves https content combined with http content, we do not advocate mixing secure and non-secure content within the same page. It is likely that at some stage in the future we will start supporting https for custom domain names (vanity URLs) of our clients, but requests for this are currently rare since we already provide the above https methods for sensitive data.
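The two browser warnings described in this article (a password or credit card field on an http page, and http content loaded into an https page) can be checked for in a page's HTML before it is published. The following Python example is an addition and not part of the original article; the `audit` function, the use of `autocomplete="cc-..."` tokens to recognise credit card fields, and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource (or submit form data).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src",
               "link": "href", "form": "action"}


class PageAudit(HTMLParser):
    """Collects findings for one page, given the URL it is served from."""

    def __init__(self, page_url):
        super().__init__()
        self.is_https = urlsplit(page_url).scheme.lower() == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Case 1: sensitive input field on a page that is NOT https.
        if tag == "input" and not self.is_https:
            kind = a.get("type", "").lower()
            autocomplete = a.get("autocomplete", "").lower()
            if kind == "password":
                self.findings.append(("sensitive-field-on-http", "password"))
            elif any(tok.startswith("cc-") for tok in autocomplete.split()):
                self.findings.append(("sensitive-field-on-http", autocomplete))
        # Case 2: https page that pulls in http content (mixed content).
        # Ordinary <a href> links are navigation, not page content, so they are ignored.
        attr = FETCH_ATTRS.get(tag)
        if attr and self.is_https:
            url = a.get(attr, "").strip()
            if url.lower().startswith("http://"):
                self.findings.append(("mixed-content", f"<{tag}> {url}"))


def audit(page_url, html):
    """Return a list of (finding, detail) tuples for the given page."""
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (not taken from any real site).
HTTP_LOGIN = ('<form action="/login"><input type="text" name="u">'
              '<input type="password" name="p"></form>')
HTTPS_MIXED = ('<img src="http://static.example.test/logo.png">'
               '<script src="https://static.example.test/app.js"></script>'
               '<a href="http://example.test/about">About</a>')

if __name__ == "__main__":
    for url, html in [("http://example.test/login", HTTP_LOGIN),
                      ("https://example.test/", HTTPS_MIXED)]:
        print(url, audit(url, html))
```

An empty result for a page means neither warning condition was found in its static HTML; content added later by scripts is not covered by this check.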