
Google flagging insecure HTTP pages – how to fix NetSuite websites

Important: this article’s content, first published in January 2018, has been updated to include most recent insights.

The pressure to have secure websites is building. Since October 2017, people who access insecure websites with Google Chrome have been seeing warnings that they’re sending information insecurely. This applies to any HTTP page where users can submit a form, and to all HTTP pages in Incognito mode.

A secure (HTTPS) website encrypts all data in transit between the browser and the server, including form data. People can enter passwords, credit card numbers, and other confidential information without exposing them to interception. With the widespread use of public Wi-Fi, keeping data secure is more important than ever. Most shopping malls and libraries provide unsecured Wi-Fi access, and anyone nearby can intercept whatever people send and receive over it. HTTPS pages, which encrypt traffic with TLS (the successor to SSL), take away this risk. They’re safe even over unsecured Wi-Fi.

Most people are unaware of the risk, but now they’ll see warnings whenever they view a form that isn’t secure. Even if they don’t understand the issue, they’ll be nervous about using a form where they see a warning. Chrome has the biggest market share of any browser, and user nervousness will translate into lost business. Other browsers are also starting to issue warnings. Forms or sites not using HTTPS will mean lost revenue.

Chrome now marks all HTTP pages as not secure. Even a page which doesn’t contain a form is at risk, since a “man in the middle” attack could alter a page in transit, inserting ads or changing links. If you’re going to upgrade your site, you might as well upgrade all its pages.

We are receiving more and more questions about how to solve this in NetSuite’s SuiteCommerce platforms, whether Site Builder or SCA.

Fortunately, it’s easier than ever to use secure HTTPS with SuiteCommerce Advanced. At NetSuite’s Help Center you can find instructions on how to purchase an SSL certificate. Pay special attention to those which are NOT SUPPORTED:

  • Wildcard certificates
  • Self-signed certificates
  • ECC (Elliptic Curve Cryptography) SSL certificates
  • Subject Alternative Name (SAN) fields on an SSL certificate (that is, adding multiple domain names to a single certificate). Only the Subject Name on a certificate is considered. In cases where SANs are specified on a certificate (using a subjectAltName field), they are ignored.

“You can select an SSL certificate from the vendor of your choice, but it must meet the following restrictions and recommendations:

  • All SSL certificates you plan to use with NetSuite require:
    • a 2048-bit RSA private key that uses the PKCS#1 RSA Cryptography Standard (the PKCS#8 Private-Key Information Syntax Standard is not supported);
    • must be Apache-compatible and PEM-encoded.”

NetSuite Help Center
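The restrictions quoted above are easy to get wrong before submitting a certificate (for example, current OpenSSL releases write RSA keys in PKCS#8 form by default). The following pre-flight check is an added example, not a NetSuite tool or code from the original article; it assumes the openssl command-line tool is installed and that the key and certificate are PEM files.

```shell
#!/bin/sh
# Pre-flight check of a key/certificate pair against the NetSuite restrictions
# quoted above: PKCS#1 PEM RSA key of 2048 bits; no self-signed, wildcard or
# ECC certificate; and a reminder that SAN entries are ignored.
# Assumes the openssl CLI is installed (added example, not a NetSuite tool).

# Prints pkcs1, pkcs8, ec or unknown, based on the PEM header of the key file.
key_format() {
  if grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo pkcs1
  elif grep -q 'BEGIN EC PRIVATE KEY' "$1"; then echo ec
  elif grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
  else echo unknown
  fi
}

# Prints the RSA modulus size in bits, or 0 when openssl cannot read an RSA key.
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1 | grep . || echo 0
}

# Prints one line per hard violation; prints nothing when the pair is acceptable.
netsuite_cert_violations() {
  key=$1; cert=$2
  fmt=$(key_format "$key"); bits=$(key_bits "$key")
  [ "$fmt" = pkcs1 ] || echo "key: PKCS#1 PEM RSA key required, found $fmt"
  [ "$bits" -eq 2048 ] || echo "key: 2048-bit RSA required, found $bits bits"
  subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" != "$iss" ] || echo "cert: self-signed (issuer equals subject)"
  case "$subj" in *\**) echo "cert: wildcard subject '$subj'" ;; esac
  text=$(openssl x509 -in "$cert" -noout -text)
  case "$text" in *rsaEncryption*) ;; *) echo "cert: public key is not RSA" ;; esac
  # SANs are not a violation, but NetSuite ignores them, so say so on stderr.
  case "$text" in *"Subject Alternative Name"*)
    echo "note: SAN present; only the Subject CN '$subj' will be used" >&2 ;;
  esac
}

# Returns 0 when there are no violations, otherwise prints them and returns 1.
netsuite_cert_ok() {
  v=$(netsuite_cert_violations "$1" "$2")
  [ -z "$v" ] && return 0
  printf '%s\n' "$v"
  return 1
}

# Usage: netsuite_cert_ok shop.key shop.crt
```

If the key check reports pkcs8, `openssl rsa -in key.pem -traditional -out key.pkcs1.pem` (OpenSSL 3) rewrites it in the PKCS#1 form NetSuite expects.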

For Site Builder there is a solution as well.

Up until recently, Site Builder websites were not able to have secure shopping pages. Only the Checkout section of the website was secure, either using a secure checkout domain hosted by NetSuite (https://checkout.na1.netsuite.com) or a custom subdomain (https://checkout.mywebsite.com). Fortunately, not long ago NetSuite released a patch that allows Site Builder websites to implement HTTPS for Shopping pages as well.

To do so, you need to submit a NetSuite case requesting NetSuite to enable Switch #79 in your account. Once NetSuite has confirmed that the patch was implemented, you’ll be able to move forward with setting up an SSL Certificate for your shopping pages following the same procedure described above.

Those who have chosen to implement a custom subdomain for their checkout (https://checkout.mywebsite.com) won’t be able to use this solution, since NetSuite provides a single slot for Secure Domains. A couple of customers have already tried an additional solution: placing an external CDN, such as CloudFlare, in front of the site to work around this limit on the number of slots.

If you have questions about how to implement the solutions above please contact us.
