Google moves toward marking all non-HTTPS websites as ‘Not Secure’
In 2017 Google began a process of differentiating between what it classes as ‘Secure’ and ‘Not Secure’ websites.
In the short term, the most vulnerable websites are those which sell online, and Google has begun emailing the relevant webmasters for sites of this type to inform them of the new policy.
Google’s email begins as follows:
Non-Secure Collection of Passwords will trigger warnings in Chrome 56 for http://www.xxxxxxxxxxxxx.co.uk/
To: owner of http://www.xxxxxxxxxxxxxxxx.co.uk/
Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.
This distinction is derived from your website URL. If it begins with http (which the majority of websites do) these will now be deemed ‘Not Secure’ (see image example below from one of our clients’ websites).
The ‘Not Secure’ warning is clearly visible to the left of our client’s page URL.
In addition, should a user click the ‘i’ (information) icon on the left, a drop down will appear with further details about how Google views this page, and its advice for usage (see image below).
As you can imagine, this will alarm many potential visitors/customers and force them to back away from the website, when in actual fact there is nothing wrong!
Any website which requires a password for any type of log in or access, or the input of card details for payment, will display the ‘Not Secure’ warning if it does not have SSL Certification.
Eventually, Google is saying that Chrome will show a ‘Not Secure’ warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. We are therefore forward planning our clients’ websites and recommending they migrate their websites to use HTTPS for all pages.
In future releases of Chrome there are plans to label all HTTP pages as non-secure.
So even if you do not have private information or e-commerce, your website will still be marked as non-secure. In addition, future updates may show that non-secure message in red as opposed to grey (which will make it stand out to browsers even more).
WHAT EXACTLY IS HTTP/HTTPS
This is a very technical thing to talk about – but in an effort to make it simple:
HTTP (Hyper Text Transfer Protocol) – this is just the basic reference to how information is shared on the internet in its original form, basically as plain text. This allows anyone who gains access to that information to view it.
HTTPS (Hyper Text Transfer Protocol Secure) – this is the same as HTTP but the difference is that the information gets “scrambled” (encrypted) into character strings via an SSL certificate. Only the receiving and sending computers can then see that information. Others may be able to access it – but they will never be able to “read” it because it is so scrambled.
For your domain to begin with https, it requires an SSL Certificate.
In the past, only e-commerce websites or websites that took credit cards or required personal information needed to be secure (i.e. use an SSL Certificate to designate the page URLs as HTTPS). But with the advances in technology – and of course increases in hacking and exploits – this is quickly changing. Google specifically is leading the way with its requirements to have a secure and safe web experience for its users.
We have a responsibility to begin informing all our clients that if their website does not carry an SSL Certificate (and thus gain the ‘https’) it will be shown on the search results as ‘Not Secure’.
This is what Google is now saying is its official policy.
“To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
Chrome will soon mark non-secure pages containing password and credit card input fields as Not Secure in the URL bar.
Warnings will be enabled by default for everyone in Chrome 56, slated for release in January 2017.
To ensure that the Not Secure warning is not displayed for your pages, you must ensure that all forms containing <input type=password> elements and any inputs detected as credit card fields are present only on secure origins. This means that the top-level page must be HTTPS and, if the input is in an iframe, that iframe must also be served over HTTPS.
Long term – Use HTTPS everywhere
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.”
Are there any advantages of a secure, https website?
Yes, there are.
- SEO – Google has mentioned it is a ranking factor – and even if it is only a small factor, it may just be enough to give you an edge over a competitor.
- TRUST – When visitors with little technical knowledge see a “NOT SECURE” warning, it may cause them to run, fast. By showing a “Secure” signal you become a trusted website in their eyes, and they will not be concerned about leaving comments, filling out forms or doing any other activity on your website.
- CHROME – With the upcoming changes and the large usage of this browser, not having a secure website will be a trigger for insecure warnings.
Having a secure website not only gives your visitors a sense of security as they browse your content, it can also help in search results since Google has stated it will use it as a rank signal. We expect it will grow as a ranking signal as the web continues to evolve.
Making the switch
As mentioned, the biggest challenge lies with implementation errors that could cause your website to become much less visible via Google Search. The business of migrating from HTTP to HTTPS is not especially easy, and should be handled by an experienced developer and/or SEO specialist – take a look at the checklist below to see what’s involved. The migration needs to ensure:
- That the security certificate is validated and configured correctly;
- That old HTTP URLs are redirected via a 301 to the equivalent HTTPS URL;
- That Google can crawl the new HTTPS URLs;
- That any hard-coded URLs are updated to HTTPS and thus do not break;
- That an HTTPS XML sitemap is submitted;
- That all site variants for your website are verified in Google Search Console (e.g. http://mywebsite.com; http://www.mywebsite.com; https://mywebsite.com; https://www.mywebsite.com).
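The password and card field rule in Google's notice and the hard-coded URL item in the checklist above can both be checked mechanically. The following is an added example (not from the original article or from Google) using Python's standard `html.parser`; the `example.test` URLs and the sample markup are constructed, and treating `autocomplete="cc-*"` as a card field is an assumption, since Chrome's own field detection is not described here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that loads from or submits to another URL.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}


class HttpsAudit(HTMLParser):
    """Collect HTTPS-migration findings for one page served at page_url."""

    def __init__(self, page_url):
        super().__init__()
        self.on_https = urlparse(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        # Absolute http:// references survive the move and must be rewritten;
        # relative and protocol-relative URLs follow the page's scheme.
        attr = URL_ATTRS.get(tag)
        if attr and urlparse(a.get(attr, "")).scheme == "http":
            self.findings.append((f"hardcoded-http-{tag}", a[attr]))
        if tag == "input" and not self.on_https:
            # Assumption: autocomplete="cc-*" stands in for card-field detection.
            card = any(t.startswith("cc-")
                       for t in a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() == "password" or card:
                self.findings.append(("sensitive-input-on-http", a.get("name", "")))


def audit(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample markup (example.test is a placeholder domain).
SAMPLE = """
<form action="http://www.example.test/login">
  <input type=password name="pw">
  <input name="card" autocomplete="cc-number">
</form>
<iframe src="http://pay.example.test/frame"></iframe>
<script src="/js/app.js"></script>
<img src="//cdn.example.test/logo.png">
"""

if __name__ == "__main__":
    for url in ("http://www.example.test/account", "https://www.example.test/account"):
        print(url, audit(url, SAMPLE))
```

Served over HTTP, the sample page reports both sensitive inputs as well as the two hard-coded references; served over HTTPS, only the form action and the iframe source remain to be rewritten.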
We recommend every business website should upgrade to HTTPS in 2017 as Google ramps up the pressure.
If you are ready to make the change – there are some things you need to consider when getting ready to migrate to HTTPS.
- You will need to get an SSL certificate
- Your website URL will require a dedicated IP address. (Note: Shared hosting platforms are NOT sufficient to facilitate SSL Certification)
- You will need some time and patience to make the migration. Unfortunately, this is not a “push a button and it is done” type of project. The bigger the website, the more time consuming it will be.
- You have to be aware that you may lose your social sharing counts because your shares were based off your HTTP version of the website.
- This change may affect your current rankings. Google will need to fully re-index your website with the new URL structures. But you should bounce back to your pre-move rank, subject to your webmaster being proficient enough to set everything up as per points 1 to 6 above.
Incorrectly installing SSL can harm your website in the long run – so use caution if attempting to do it on your own.
Because of how Google is now pushing SSL, it is really not something you can ignore. Right now, you’ve got the carrot of improved search rankings. But Google is showing they’re not afraid to use Google Chrome to “punish” sites that don’t move to SSL.
We believe there is good reason to protect your visitors’ connections, increase visitor confidence, and boost your search engine rankings in the process.