Not sure about HTTPS? Need to make the jump but not got round to it? Well, these latest changes from Google may just give you the impetus you need. Find out about the changes and just how to become compliant as painlessly as possible in this article.
In the iteration of Chrome scheduled for October 2017, Google is expanding its use of the ‘Not Secure’ page warnings. This will include a dynamic warning which will appear when a user enters data on a non-secure (HTTP) page.
The warning appears in the space at the start of the address bar where the traditional padlock icon is shown to denote a secure site, as well as the security certificate name if one is present.
This placement, whilst much less disruptive than an overlay or popup, may be more conspicuous than it first appears. Not only are we increasingly aware we should check here before entering data on a site, but as the warning is dynamic it appears in an otherwise static area. There are few parallels between hunting and web design, but ask a practitioner of either and they will tell you that movement draws the eye. So people are much more likely to notice this new warning.
Interestingly, in the blog post mentioning this change, Google referred to its recent changes to dealing with HTTP / HTTPS as part of its “quest to improve how Chrome communicates the connection security of HTTP pages”. The use of the term ‘quest’ seems to indicate that not only is it taking this seriously, but there are likely to be many more changes to come. Google sees this as a long term objective and something it’s going to be actively working towards.
Ultimately the quest is really to make the web more secure. With the aim of all sites moving over to https, one of the ways to achieve that is by making it obvious to users when sites haven’t. By being very obvious about it, even users who don’t know whether or not it matters will be turned off by the warnings and a site will therefore see a fall in traffic.
Google ultimately has noble intentions here or at least ones that happen to be good for us as well as their shareholders. However, it’s not really doing that much to help webmasters. A bone of contention of mine for some time now is the lack of consistent guidelines and tools from Google for converting a non-secure site to HTTPS. The experience within Search Console (formerly webmaster tools) is especially dire.
There is no way within Search Console to tell Google you have made the change. I have instead previously had to resort to creating a new profile for HTTPS and treating it like a site migration, informing Google in the old profile of the change in location. There is very little official guidance from Google on this and some clear, precise instructions including how they manage the process at their end would be fantastic.
Telling a server to serve content over HTTPS instead of HTTP is by and large a very easy, simple change. If you contact your hosting company they will be able to do this for you.
Where possible, use TLS over SSL. This is the protocol that provides the encryption between you and the server and Google definitely prefers TLS over its predecessor SSL. Although, just to make it extra confusing both are frequently referred to as SSL. It’s worth noting the security certificates are still referred to as ‘SSL Certificates’ however they work just fine with TLS as well.
A (very) quick summary is:
The great thing is that most of the complex stuff is taken care of by us if you host with us. We will also buy the necessary security certificate and install it for you in one go.
There’s no point in ensuring the connection is secure and traffic is encrypted if you don’t secure the source. Put it like this, if you were communicating with another spy, there wouldn’t be much point exchanging encoded messages only the two of you could decode if you didn’t first verify their identity. You wouldn’t know who it really was on the other end.
The security certificate does just that, it verifies your website.
Well right now with this latest change, yes absolutely. Most sites take user data at some point, even if it’s just a sign-up form for the email newsletter. If you don’t make the change it’s going to start hitting the bottom line pretty soon. Besides, Google has already said that down the line this is going to be shown for all non-secure sites:
Mobilise Solutions can assist with purchasing an SSL certificate for your hosting we have many available through our partners. If you host with us we can also install this on your sites which will help improve your SEO results.