As early as September 2016, Google announced that with the update of the Chrome browser to Chrome version 56, the search giant would require websites that collect personal information like credit cards or passwords to have an HTTPS connection.
Websites that decide to be non compliant and stick with the HTTP protocol will be marked by Chrome security measures as an unsecured website, and visitors will have to take additional efforts to access website content. Of course, if Google Chrome security is warning someone that a website is insecure, they may decide against viewing any of that website’s content.
After their initial announcement about Chrome security, Google gave webmasters until 2017 to implement this change before affecting the Chrome experience for websites without HTTPS.
Of course, this isn’t the first time that Google has used its extreme influence in anything search to bring about major changes in web design and functionality. Another major recent Google initiative had to do with mobile-first search, and email popups were the target of their wrath.
Let’s explore the implications of Google SSL problems and Chrome security warnings for Non-HTTPS websites.
HTTP vs HTTPS
If you’re not familiar with HTTPS, it may be useful to start by defining the differences between HTTP and HTTPS.
Specifically, HTTP (hypertext transfer protocol) and HTTPS (secure hypertext transfer protocol) are two types of transfer protocols. In a nutshell, these transfer protocols are languages that pass information between the client and web server.
Put simply: HTTPS is secure; HTTP isn’t. To get a little more technical, HTTPS operates on port 443 and HTTP operates on port 80.
If your site is not secure, this means that anyone can read or observe the exchange between your website and your users’ devices. The implications of this are greatest for websites collecting sensitive information like social security numbers, passwords, or credit card information. Without the protection of HTTPS (and making use of security best practices in general), the information collected is vulnerable to getting into the wrong hands.
What makes HTTPS secure is the addition of another layer of security, using an SSL/TLS protocol (Secure Sockets Layer and Transport Layer Security). The SSL encrypts the data being transferred from the server to the client’s website by providing an established link between both.
Thanks to Google putting it’s gargantuan and well-respected hand down, HTTPS is the new web standard and Chrome security measures refuse to let web users forget it.
Why You Need SSL
Even if you don’t collect sensitive user information right now, you certainly might in the future. With this in mind, it’s much easier to establish a new website with SSL than to have to switch over to it later.
Before the Google SSL initiative, ecommerce sites were some of the only online entities worried about SSL. But then again, Google being concerned with HTTPS is not really news—they announced that they were making HTTPS sites a ranking factor in 2014.
SEO master Brian Dean’s research confirmed this, finding that in over a million websites, HTTPS sites ranked higher in Google’s first page results. A caveat: a secure site is just one of 200 search ranking factors, and doesn’t necessarily have as much weight as other ranking factors.
HTTPS protects the integrity of the data collected on your website to prevent corruption in data transfer, as some intruders can otherwise insert malware or ads that can make your site vulnerable. It also provides a medium for authentication to ensure that the client is communicating only with the website.
Importantly, HTTPS protects the privacy and security of your users, even if you do not deal with sensitive personal information. If you need any more convincing, consider the implications of page load on a website with HTTPS. These websites load 334% faster than those without complaint Google SSL certificates.
SSL Encryption
One thing that has traditionally held people back incorporating an SSL certificate on their site has related to the cost of effectively doing so.
Although there are options for free SSL certificates, like Let’s Encrypt, there are other associated costs in incorporating SSL in terms of finances (like web development hours and additional hardware), not to mention the fact that changes can eat up bandwidth and cost you CPU cycles.
Despite these potential issues, website owners are quickly hopping on the bandwagon of securing their websites (and customers!) and as of this writing, half of all websites are SSL-encrypted.
Things You’ll Need to Secure Your Site for Google SSL
To incorporate HTTPS on your website, the first step is obtaining a SSL certificate from a recognized Certificate Authority (CA).
The SSL certificate allows you to do two things: it enables the communication between two sites through the use of encrypted, non-corruptible data, and serves as a guarantee (or stamp of approval) from the CA that the site is secure and legitimate. For a similar comparison, think of it as something like a Twitter verification badge.
There are several CAs to consider from which to get your SSL certificate. Let’s Encrypt offers free SSL/TSL certificates, while popular CA providers like Symantec charge up to $1495-$1700/year.
The use of free SSL certificates results in a green padlock on the side, before the URL in the address bar. In contrast, a premium SSL certificate will display the website’s name to the right of the padlock.
(source)
Content Delivery Network CloudFlare offers a shared SSL certificate with their free package. A shared SSL certificate won’t work on your own domain though; it’s better for servers that aren’t seen by the public (like a login page).
When implementing SSL, you’ll also need:
- A web server (like Apache) with mod_ssl that supports SSL encryption
- A unique IP address, which CAs use to validate the secure certificate
If you aren’t sure about these final two items, you can ask your hosting provider about them, or ask more generally about if you can use HTTPS on your website.
How to Secure Your Site for Google SSL
Once you’ve gathered the things you’ll need, you can start by asking your hosting provider to approve the SSL certificate. This is so that when your pages are accessed using the https:// protocol, they actually hit the secure server.
After that, you can start building up and backing up your web pages that need to be secured. These pages can be built the same way a normal HTTP page is built, except that you’ll need to link to HTTPS— especially if you are using any absolute link paths on your website to other pages.
Additional considerations when making the switch to Google SSL:
- Update your internal links and links to other absolute paths, such as those directing to images or external sources: like CSS sheets, JS files, or documents
- Check code libraries
- Create 301 redirects for links
- Update URLs and settings on Google Search Console, AdWords, social media profiles. You can save social shares in WordPress using the Social Warfare plugin
- After updating the information, recrawl the site again to check if all the pages and resources return the 200 Successful Status Code
Google’s Search Console Help page provides a comprehensive checklist that can help you deal with any technical implications of switching to HTTPS. Search Engine Journal has also written about HTTPS migration, specifically focusing on the implications for SEO.
Changes for Google SSL
Before Google mandated these changes, websites that didn’t have an HTTPS connection were given a neutral indicator, marked by an information symbol in the address bar. When clicked, the information symbol either says “Your connection to this site is not secure” or “You should not enter any sensitive information on this site because it could be stolen by hackers”.
According to the Google Security Blog, this information sign betrays the lack of urgency needed when it comes to website security. After January 2017, websites will be marked as non-secure by Chrome security, which Google hopes will catch the attention of both users and website owners, sparking change in how websites are created and consumed.
(source)
The effects of this Google initiative are not all good for everyone, especially for Symantec, a company that is said to have issued one-third of the SSL certificates online. The reason? A proposal by a Chrome security team member to make Symantec-issued SSL certificates untrusted over the next 12 months because Symantec has not properly validated thousands of their issued SSL certificates.
Should this proposal push through, Symantec will have to reissue thousands of SSL certificates, creating headaches for the company and also for its customers, who have to go through the validation process again and install replacement certificates.
This issue has gone through multiple discussions between the two companies. In the latest development, Google has decided to deprecate Symantec-issued certificates when Chrome 66 comes out (in March 2018) but will start adding warnings in the meantime.
Google SSL Problems: Chrome Security Warnings For Non-HTTPS
HTTPS is the current standard in web browsing that comes with a number of useful benefits, especially with regards to SEO and security.
Any website owner that is hesitant to migrate to this protocol not only risks being marked as a ‘non-secure’ site on Google Chrome, but is also actively risking the security of their users when collecting sensitive information.
Is there anything holding you back from making the switch to SSL? Any tips for those going through the process? Leave your thoughts in the comments below!