As of the latest release of Chrome, sites not using TLS encryption are being called out in the address bar. Users will now see a “Not Secure” label when visiting sites over plain HTTP, even if the site does not transmit sensitive information.
While this warning does not elevate the severity of lacking TLS encryption, it may cause customers and partners who do not understand the nuance of the situation to assume the business is “Not Secure” altogether.
In 2014 Google began to treat HTTPS use as a ranking signal for their search engine results. While this signal does not currently carry much weight, Google has expressed that it may strengthen the signal over time.
VerSprite suggests enabling TLS with strong ciphers on all sites, both external and internal.
It is important to use valid, signed certificates even with internal assets so that employees do not become accustomed to bypassing security warnings, a practice that increases the likelihood of falling victim to phishing attacks.
A secure Apache configuration for modern browsers might look like the following:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
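A fuller Apache virtual-host configuration built around that directive, as an added example that is not VerSprite's own configuration: it redirects plain HTTP to HTTPS so nothing is served with the "Not Secure" label, restricts the protocol as above, pins a forward-secret cipher list, and sends HSTS. The hostname example.com and the certificate paths are placeholders.

```apache
# Plain-HTTP listener: serves nothing itself, only redirects to HTTPS (mod_alias)
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on

    # Certificate signed by a CA the clients already trust (paths are placeholders);
    # with httpd 2.4.8+ the intermediate chain can be appended to the certificate file
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Weak setting would be "SSLProtocol all", which leaves SSLv3 and TLS 1.0/1.1 negotiable.
    # Hardened: only TLS 1.2 remains (plus TLS 1.3 where the OpenSSL build supports it).
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Forward-secret AEAD suites only; the server, not the client, picks from this order
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # HSTS (requires mod_headers): browsers remember to use HTTPS for two years
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

Run `apachectl configtest` before reloading so a typo in the cipher list or protocol line does not take the site down.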