One Simple Security Warning Can Ruin Sales

ssl_secure

When it comes to online shopping, customers are always one click away from abandoning their purchase. Add to this the abundance of surveys that show consumers are leary of submitting their payment information, especially when they are unsure of the security of the website. This is why it is so important to ensure that the checkout process for your ecommerce store is safe and does not cause the dreaded browser warning:

The dreaded security warning

The dreaded security warning

What causes security warnings?

There are a number of factors that can cause a browser security warning. Any time a user sees a warning, it calls into question the security of the site. And these are the types of questions EVERY merchant must avoid.

Insecure calls to images, js, or css

On any secure (https) page, *every* html call to an image, javascript script, or css stylesheet must also be via a secure (https://…) URL. If not, then many web browsers will display a warning about insecure content on a secure page. The most picky about this rule is Internet Explorer. Firefox is less strict, so it may not generate an error.

This is why you must test your entire checkout process in both IE and Firefox, to make sure there are no security warnings. Remember, a majority of people use Internet Explorer, so you cannot ignore it.

How do you find these insecure calls?

  • This is where Firefox comes in handy. On your secure page in Firefox, go to:
    Tools -> Page Info -> select the “Media” icon
    This will show you every image/js/css call on this page. Make sure each one starts with https://
    It will be easy to spot the insecure calls, and fix them.
  • TIP: Realize that images can be referenced in css files (background images), as well as in javascript files, so you may have to use separate files for your secure pages to keep everything secure.

Secure URL does not match the domain of the certificate

An SSL certificate is normally issued to one specific domain name (unless you have a wildcard certificate). The www. prefix is considered part of the domain name. So, if your SSL cert. was issued to www.your_domain.com, but you make your secure calls via:
https://your_domain.com/
this will cause a security warning in most web browsers:

Domain does not match

Domain does not match

Make sure the URLs you use in your secure pages always match the certificate domain exactly. You can check the domain that is attached to an SSL certificate by clicking the “padlock” in your browser and clicking “View Certificate”.

Expired SSL certificate

Once an SSL certificate expires, it will issue a warning to every person that goes to a secure page that the certificate is expired. This will scare away many potential buyers. Make sure your SSL certificate is always valid. You can always check the expiration date by clicking on the padlock and clicking “View Certificate”:

View Expiration Date (click to enlarge)

View Expiration Date (click to enlarge)

Make sure you get your SSL certificate from a trusted vendor. A good vendor will go to great lengths to notify cert. owners when their SSL certificate is about to expire.

SSL certificate not installed properly

This can be a tricky one, as some browsers (like Internet Explorer) may not complain, whereas others (like Firefox) will warn that the SSL security is not valid. The most common occurrence is when you forward an SSL certificate to your web host but forget to include the intermediate certificate, or forget to send the detailed installation instructions that cover how the intermediate cert. should be configured.

If you have a GeoTrust or Verisign based SSL certificate, Verisign offers a certificate validation tool that can verify if your certificate is installed correctly.

Third Party SSL certificate is expired

Often times merchants include tracking scripts, affiliate code, security badges that call images and javascript from third party sites. If any of these remote sites have an expired or invalid SSL certificate, it will cause a warning to popup for your potential purchasers. Always verify any third party code you add is calling the proper secure URL, and that these vendors are reputable and have valid SSL certificates.

** Remember that third party images/js calls must also be secure on a secure page to avoid any security warnings.

One of the more common mistakes we see is merchants using Google Analytics changing the URL for secure pages incorrectly. They change:
http://www.google-analytics.com

to:
https://www.google-analytics.com

which is incorrect. The actual secure URL is:
https://ssl.google-analytics.com

Making your website portray an image of safety and security at all times to every visitor will help maximize your sales and cut down on cart abandonment. What else can merchants do to make their stores appear more secure?

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

6 Comments

  1. Hi Rob,

    Great article. I have seen websites load an insecure image/file during the checkout process and it definitely does not look good for the business to have a pop-up saying the website is insecure.

    –M

    • This can be a big deal when first time customers who are not familiar with the company get these warnings. They will likely shop elsewhere, as this sets off alarm bells, and combined with their unfamiliarity with the site may be too much to overcome to close the sale.

      • Another thing eCommerce sites have to be careful with — is to ensure that the SSL certificate doesn’t expire. Some sites are not aware of their SSL ceritificates expiration date and then the customer is greeted with a message “This site has an invalid SSL Certificate”.

  2. Farrhad A says:

    This is so true. Such a small thing can adversely affect sales. Great point covered here.

  3. SSL John says:

    Great advice. I dont know how many times I have to tell people the very same things. Glad I’m not the only one.

Leave a Reply to Farrhad A