In the iteration of Chrome scheduled for October 2017, Google is expanding its use of the ‘Not Secure’ page warnings. This will include a dynamic warning which will appear when a user enters data on a non-secure (HTTP) page.
The warning appears in the space at the start of the address bar where the traditional padlock icon is shown to denote a secure site, as well as the security certificate name if one is present.
This placement, whilst much less disruptive than an overlay or popup, may be more conspicuous than it first appears. Not only are we increasingly aware we should check here before entering data on a site, but as the warning is dynamic it appears in an otherwise static area. There are few parallels between hunting and web design, but ask a practitioner of either and they will tell you that movement draws the eye. So people are much more likely to notice this new warning.
Why is Google making this change?
Interestingly, in the blog post mentioning this change, Google referred to its recent changes to dealing with HTTP / HTTPS as part of its “quest to improve how Chrome communicates the connection security of HTTP pages”. Use of the term ‘quest’ seems to indicate that not only is it taking this seriously, but there are likely to be many more changes to come. Google sees this as a long term objective and something it's going to be actively working towards.
Ultimately the quest is really to make the web more secure. With the aim of all sites moving over to https, one of the ways to achieve that is by making it obvious to users when sites haven’t. By being very obvious about it, even users who don’t know whether or not it matters will be turned off by the warnings and a site will therefore see a fall in traffic.
Google ultimately has noble intentions here, or at least ones that happen to be good for us as well as their shareholders. However, it’s not really doing that much to help webmasters. A bone of contention of mine for some time now is the lack of consistent guidelines and tools from Google for converting a non-secure site to HTTPS. The experience within Search Console (formerly webmaster tools) is especially dire.
There is no way within Search Console to tell Google you have made the change. I have instead previously had to resort to creating a new profile for HTTPS and treating it like a site migration, informing Google in the old profile of the change in location. There is very little official guidance from Google on this and some clear, precise instructions including how they manage the process at their end would be fantastic.
So how do I change to HTTPS?
Telling a server to serve content over HTTPS instead of HTTP is by and large a very easy, simple change. If you contact your hosting company they will be able to do this for you, and it should also be free to make the change.
Where possible, use TLS over SSL. This is the protocol that provides the encryption between you and the server and Google definitely prefers TLS over its predecessor SSL. Although, just to make it extra confusing both are frequently referred to as SSL. It's worth noting the security certificates are still reffered to as 'SSL Certificates' however they work just fine with TLS as well.
If you want a detailed breakdown of the full process, just check out our article on the migration process here:
A (very) quick summary is:
- Update internal links
- Ask hosting company to make the change
- Add global HTTP redirect to HTTPS
The great thing is that most of the complex stuff is taken care of by your hosting. They will also likely be able to buy the necessary security certificate and install it for you in one go. However you may well be able to get a cheaper price if you shop around.
What is a security certificate and why do I need one?
There's no point in ensuring the connection is secure and traffic is encrypted if you don’t secure the source. Put it like this, if you were communicating with another spy, there wouldn’t be much point exchanging encoded messages only the two of you could decode if you didn’t first verify their identity. You wouldn’t know who it really was on the other end.
The security certificate does just that, it verifies a website, and you can see that verification in your browser:
You can buy an SSL certificate quickly and easily, but do shop around as well as the prices vary a lot. I have personally used certificates made by Comodo and RapidSSL. Trustico offer both of these and have competitive pricing, I’ve also used them before to purchase security certificates and best of all, they have live chat in case you need some help choosing the right one.
Once again though, this is another place Google could be very useful as you already need to verify your domain to use Search Console and other Google products. SSL certificates can be created by anyone, but it’s generally only those from trusted issuers which are recognised and treated as valid. Surely Google should just issue its own SSL certificates through the Search Console for free. It would make the entire process much easier as well as free. In fact Google could do well to add an SSL section to Search Console for non-secure sites, which manages them through the process. If it's really serious about it why not offer an adwords coupon for sites at the end of the process, once it has verified the change?
A big reason for many webmasters not making the change is the money it costs to buy an SSL certificate and the lack of guidance and information from Google on how making that change may affect their site.
Is it worth doing?
Well right now with this latest change, yes absolutely. Most sites take user data at some point, even if it’s just a sign-up form for the email newsletter. If you don’t make the change it’s going to start hitting the bottom line pretty soon. Besides, Google has already said that down the line this is going to be shown for all non-secure sites:
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Whilst we’re here… a quick plea for Google:
Please add a section to Search Console that verifies SSL settings and manages non-secure sites through the process and please stop treating it as a change of address, as this only scares people off!
Let us know what you think in the comments, if you need any help we'll be happy to point you in the right direction. And if you’re worried about security on a wider basis Google recommends this tool for testing your site.
