Secure your websites now! Google has officially announced that all web pages served over HTTP and not HTTPS will be marked with a “Not secure” message in Chrome. Google will begin rolling out Chrome 68 in July 2018 and will start to display the “Not secure” warning within the address bar.
This announcement should be taken very seriously, as it affects all webmasters, even those with static HTML websites that collect no data from users.
What Is the HTTPS/SSL update?
On September 8, 2016, Google released a blog post “Moving towards a more secure web”. In this post, Google announced that their eventual plan is to label all HTTP pages as non-secure. They also plan to change the HTTP security indicator to the red triangle that Chrome uses for broken HTTPS.
Website security is an important part of ensuring the privacy of your users. Without HTTPS (an SSL/TLS certificate and an encrypted connection), a third party on the network path between your server and your user could read or modify the page before it reaches that user.
While security-conscious webmasters and users are aware of these risks, a large number of users are not, and this is what Chrome is aiming to address. Chrome has found that the current neutral address bar for HTTP connections doesn’t convey the lack of security to users.
Google referred to a study by the USENIX Association which found that users do not perceive the lack of a “secure” icon as a warning, while on the other hand users become dismissive of warnings that occur too frequently. This has led Chrome to take a gradual approach to the criteria for the warnings. The phases are as follows:
Released: January 2017 (Chrome 56)
In phase one Chrome began to mark all HTTP webpages that collect password or credit card information as “not secure”. Given their highly sensitive nature, this was the most logical step for Chrome and the most important step for users.
Released: October 2017 (Chrome 62)
In phase two Chrome flags all HTTP web pages as “Not secure” in Chrome Incognito mode. In addition, Chrome also began warning users that the site was “Not secure” when they entered data on an HTTP page.
On April 27, 2017, Chrome released a blog post “Next steps toward more connection security”, in which they stated:
Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.
Scheduled: July 2018 (Chrome 68)
As the title of this blog states, in phase three Chrome will start displaying a “Not secure” warning for all HTTP web pages.
The two previous updates from Chrome made a significant impact on the number of pages adopting HTTPS. In the last year Google’s public HTTPS Transparency Report found:
- 64% of Chrome traffic on Android is now protected, up from 42% a year ago.
- Over 75% of Chrome traffic on both Chrome OS and Mac is now protected, up from 60% on Mac and 67% on Chrome OS a year ago.
- 71 of the top 100 sites on the web use HTTPS by default, up from 37 a year ago.
This growth has continued, and by the announcement of phase three these numbers had increased to:
- Over 68% of Chrome traffic on both Android and Windows is now protected.
- Over 78% of Chrome traffic on both Chrome OS and Mac is now protected.
- 81 of the top 100 sites on the web use HTTPS by default.
Chrome Plans to Distrust Symantec Certificates
In addition to Chrome’s plan for “Marking HTTP As Non-Secure”, they have also announced a plan to distrust Symantec certificates. On September 11, 2017, Chrome confirmed that at the end of July 2017 the Chrome team and the PKI community had converged upon a plan to reduce, and ultimately remove, trust in Symantec’s infrastructure, stating this was necessary in order to uphold users’ security and privacy when browsing the web.
An investigation was launched after a posting to the mozilla.dev.security.policy newsgroup raised a number of questionable authentication certificates issued by Symantec Corporation’s PKI. At the time Symantec’s PKI business also operated the following Certificate Authorities:
Google found that the various brands of Symantec’s PKI had issued certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements. After further investigation, Google also found that Symantec had entrusted several organisations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organisations for some time.
While distinct, this incident and another incident in 2015 were part of a continuing pattern of issues. This caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure and, as a result, in the certificates that have been or will be issued from it.
Currently, Google Chrome displays warnings about these certificates in the Chrome Developer Tools. If you have a certificate from any of these brands, I strongly suggest reading Google’s official announcement and plan. Chrome 66 is scheduled to be released to all Chrome users around April 17, 2018.
Is HTTPS Mandatory for SEO?
At present, you won’t be penalised in Google’s search results for not using HTTPS. However, on August 06, 2014, Google officially announced HTTPS as a ranking signal. This means that although you won’t be penalised, you could receive a ranking boost from having HTTPS.
Avoiding the “Not Secure” Warning in Chrome
Get an SSL Certificate
Getting an SSL security certificate can be relatively easy and cost-effective. GoDaddy, for example, has SSL certificates starting at around $99/yr. The steps for ordering an SSL certificate go something like this:
- Prepare: Get your server set up and ensure your WHOIS record is up to date (your WHOIS record must contain the correct company name and address), etc.
- Generate: Create a Certificate Signing Request (CSR) on your server. Your hosting company might be able to help with this.
- Submit: Purchase the SSL security certificate and provide the CSR and other info to the Certificate Authority, for example GoDaddy.
- Validate: Have your domain and company validated by the Certificate Authority. If you purchase an Extended Validation (EV) certificate this requires additional information. Certificate Authorities will often check government databases and request business documentation for these.
- Install: Receive and install the issued certificate on your server. Your hosting company might also be able to help with this.
Issue time frames vary depending on the type of certificate and validation. SSL certificates can take a few minutes for domain-validated SSL or up to a few weeks for Extended Validation (EV).
For those who have server and SSL configuration knowledge, you could also get a free SSL from Let’s Encrypt. Let’s Encrypt is a free, automated, and open Certificate Authority of which Google Chrome is a Platinum sponsor.
Make SSL the Default
You may already have an SSL certificate or have just set one up. The next most important step is making HTTPS the default address for your site. You may have to do this in a variety of different areas. Here’s a brief checklist of places where you might need to change to your new URL:
- Verify: As a first step ensure you can access the HTTPS version of your site.
- Redirect: Set up a “301 redirect” for your new configuration. Your redirects should send all of your old HTTP URLs to their HTTPS equivalents.
- Update: Update all of your internal links to point to HTTPS instead of HTTP. If you use a CMS like WordPress or a store like Magento, changing the default site URL to HTTPS will update most URLs automatically. Some websites are configured to use HTTPS only on login and checkout; look for a setting to use HTTPS for all pages instead.
- Social Media: Update your social media accounts to use the HTTPS URL instead of the old HTTP one.
- Sitemap: Configure your sitemap to use the HTTPS URLs and submit your new sitemap to Google Search Console and Bing Webmaster Tools.
- Robots.txt: Update the robots.txt to use HTTPS for the sitemap. Also check that no new pages have been blocked.
- Canonical Tags: Configure your canonical tags to use HTTPS.
- Google Analytics: Update your URL in Google Analytics to use HTTPS.
- Third-party Tools: Update other third-party scripts including Remarketing Codes, Conversion Tracking Codes and Analytics Codes.
- Check: This list is a good place to start; however, you will likely miss HTTP links for items such as images. Keep an eye out for pages that show the “Not secure” warning and use the Chrome Developer Tools to find which content is insecure.
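An audit script for the Check step, added here as an example (it is not code from the original post): it parses a page’s HTML and a robots.txt for leftover http:// references and classifies them as active mixed content (scripts, stylesheets, frames, which Chrome blocks), passive mixed content (images, which load but trigger the warning), HTTP form actions, and plain links or canonical tags that just need updating. The sample HTML and robots.txt are constructed; any real page can be fed in instead.

```python
# Added example (not from the original post): audit a page and robots.txt for leftover http:// references.
from html.parser import HTMLParser
URL_ATTRS = ("src", "href", "action", "data", "poster")  # fixed order keeps findings deterministic
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}  # Chrome blocks these when loaded over HTTP

class HttpRefFinder(HTMLParser):
    """Collects (kind, tag, url) for every attribute that still points at http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS:
            url = attrs.get(name)
            if not url or not url.lower().startswith("http://"):
                continue
            if tag == "a":
                kind = "link"                   # internal link: needs updating, not mixed content
            elif tag == "link" and (attrs.get("rel") or "").lower() == "canonical":
                kind = "canonical"              # canonical tag still pointing at the HTTP URL
            elif tag == "form":
                kind = "http-form-action"       # would submit user input in the clear
            elif tag in ACTIVE_TAGS:
                kind = "active-mixed-content"   # script/css/frame: blocked by Chrome
            else:
                kind = "passive-mixed-content"  # img/audio/video: loads, but page shows "Not secure"
            self.findings.append((kind, tag, url))

def find_http_references(html):
    parser = HttpRefFinder()
    parser.feed(html)
    return parser.findings

def find_http_sitemaps(robots_txt):
    # Sitemap: lines in robots.txt that still advertise the HTTP sitemap (checklist item "Robots.txt").
    hits = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "sitemap" and value.strip().lower().startswith("http://"):
            hits.append(value.strip())
    return hits

# Constructed sample input: a half-migrated page and a robots.txt still advertising the HTTP sitemap.
SAMPLE_HTML = """<html><head><link rel="canonical" href="http://example.com/page">
<link rel="stylesheet" href="http://example.com/style.css"><script src="https://cdn.example.com/app.js"></script>
</head><body><img src="http://example.com/logo.png"><a href="http://example.com/about">About</a>
<form action="http://example.com/login"></form></body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nSitemap: http://example.com/sitemap.xml\n"
```

Run find_http_references on the HTML of each page that still shows the warning and find_http_sitemaps on your robots.txt; every finding is an item to fix before the redirect goes live.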
Act Now! It has never been more important to use HTTPS for your web pages. Start making a plan to secure your website by July 2018.