Google is in the process of rolling out new HTTPS support which will come into effect this October. Now, any pages with forms that collect information will require HTTPS, or be labelled as not secure in Chrome.
What is HTTPS
First, some background information on HTTPS.
HTTP, or Hypertext Transfer Protocol, is the protocol used for sharing data between web servers and clients. Standard HTTP is an insecure connection and can be open to third parties who could copy, steal or tamper with the data.
HTTPS, on the other hand, is a secure connection, and uses an SSL/TLS protocol to provide the following three layers of protection:
- Authentication ensures only the intended website receives the data, preventing potential third-party attacks.
- Data integrity ensures the data isn’t corrupted or changed in transit without the intended website noticing.
- Encryption ensures the data can’t be ‘eavesdropped’ and prevents the information from being stolen.
Currently, HTTP connections in Chrome are shown with a grey information sign next to the URL. Users can then hover over this to see an amber warning that the connection may not be secure. HTTPS shows a green padlock and the word ‘secure’.
As a website owner, you may have already received messages from Google Search Console warning that some of your URLs are at risk of being labelled ‘not secure’ under the new changes.
Under the new changes, web pages that collect private data or personal details over an HTTP connection will be labelled ‘not secure’ in Chrome, and in incognito mode all websites using an HTTP connection will show as ‘not secure’. This will be highlighted in red with a triangle warning sign.
Even if you’re aware of the rollout, there might be some confusion as to why Google is listing some of these URLs as at risk. For example, you may have been confused as to why URLs without a payment or login form have been flagged by Google. This is because under the new rules all websites with form fields will show as ‘not secure’ under the HTTP connection. Any input fields, including site search boxes and email sign-up fields, will flag a website as not secure if it uses an HTTP connection. While these types of forms don’t scream sensitive data, all of these text fields send data that can conceivably be tampered with by third parties in between.
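To see which of your own pages fall under this rule, the check can be scripted. The following is an added example, not Google's or Chrome's code: it scans saved HTML for data-entry fields and reports the pages served over HTTP. The `example.test` URLs and sample markup are constructed, and the list of input types treated as not accepting typed data is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these input types do not take typed user data, so they are skipped.
NON_ENTRY_TYPES = {"hidden", "submit", "button", "reset", "image",
                   "checkbox", "radio", "file", "range", "color"}


class FieldFinder(HTMLParser):
    """Collects the data-entry fields found in one HTML document."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "textarea":
            self.fields.append("textarea")
        elif tag == "input":
            # A missing type attribute defaults to "text" in HTML.
            kind = (attrs.get("type") or "text").strip().lower()
            if kind not in NON_ENTRY_TYPES:
                self.fields.append(kind)


def at_risk_pages(pages):
    """Return {url: [field types]} for HTTP pages that contain entry fields."""
    flagged = {}
    for url, html in pages.items():
        if urlsplit(url).scheme.lower() != "http":
            continue  # pages already on HTTPS are not affected by the label
        finder = FieldFinder()
        finder.feed(html)
        if finder.fields:
            flagged[url] = finder.fields
    return flagged


# Constructed sample pages (example.test is a placeholder domain).
SAMPLE_PAGES = {
    "http://example.test/": '<form action="/search"><input name="q" type="search"></form>',
    "http://example.test/news": '<form><input type="email" name="e"><input type="submit"></form>',
    "http://example.test/about": "<p>No forms here.</p><input type='hidden' name='t'>",
    "https://example.test/login": '<input name="user"><input type="password" name="pw">',
}

if __name__ == "__main__":
    for url, fields in at_risk_pages(SAMPLE_PAGES).items():
        print(url, fields)
```

Note that the site search box and the email sign-up field are both flagged, while the login page is not because it is already on HTTPS.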
Why the changes
Google has been on a long and steady march to a ‘secure by default’ web. Considerable steps have been made to achieve this goal, most significantly in 2014 when Google made HTTPS a ranking signal in a bid to reward secure websites with better rankings. While it isn’t yet a dominant signal, that could easily change in the future, and there is even the possibility that Google will increase the pressure by penalising websites with the standard HTTP connection. There have already been some hints at this from earlier in the year, when Chrome began naming and shaming some high-traffic websites using the standard HTTP connection.
While these actions have been successful, with more than 50% of all web requests now made via a secure HTTPS connection, Google is still keen to do more. This includes building better awareness, such as highlighting the insecure nature of the HTTP connection. Any HTTP connection is at risk from third-party manipulation, and Google believes the current neutral label doesn’t correctly convey this to users.
A secure web is beneficial to everyone, with web users gaining a secure environment to shop and operate in, and webmasters securing the trust of customers. If you’re still not convinced, here are some more reasons why you should be looking to migrate to HTTPS.
- Reassures website visitors that they can trust your website, making it a valuable business asset.
- Secure websites have been shown to load significantly faster than standard HTTP by as much as 334%. Further updates to improve speed such as HTTP/2 are also only available with HTTPS.
- Potential ranking boosts, particularly if Google continues to strengthen HTTPS as a rank signal and even penalise HTTP websites.
Migrating to HTTPS
Securing your website with HTTPS is easier and cheaper than ever before but still requires a few steps. The first and main step is getting an SSL certificate from a reliable certificate authority (CA) - if you’ve already got one for your ecommerce store, you’re a step ahead. You will need to decide on the type of certificate you need, such as a single source origin or a multi-domain certificate, as well as deciding between an EV-SSL or a standard SSL. The SSL certificate enables your website to use and handle encrypted data that can’t be corrupted, and also acts as a stamp of approval for your secure site.
Once you have your certificate, there are a few other HTTPS migration steps to ensure your site is flagged as secure, including setting up 301 redirects to the HTTPS page or resource and making sure that your HTTPS pages can be crawled and indexed by Google. You’ll also need to update both internal and external links and URLs throughout your PPC accounts and social profiles.
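The 301 redirect step is easy to get subtly wrong, for example with a temporary 302 or by sending every old URL to the homepage. The following is an added example, not part of the original article: it checks recorded responses for each old HTTP URL. The responses are constructed, and the rule that the HTTPS page keeps the same host, path and query string is an assumption about your migration plan.

```python
from urllib.parse import urlsplit


def check_redirect(http_url, status, location):
    """Return the problems with one HTTP -> HTTPS redirect (empty list = OK)."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        problems.append("no Location header")
        return problems
    src, dst = urlsplit(http_url), urlsplit(location)
    if dst.scheme.lower() != "https":
        problems.append("target is not https")
    # Assumption: the HTTPS page keeps the same host, path and query string.
    if dst.netloc.lower() != src.netloc.lower():
        problems.append("host changed")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query changed")
    return problems


def audit(responses):
    """Map each badly redirected URL to its list of problems."""
    report = {}
    for url, status, location in responses:
        problems = check_redirect(url, status, location)
        if problems:
            report[url] = problems
    return report


# Constructed responses: (requested URL, status code, Location header).
SAMPLE_RESPONSES = [
    ("http://example.test/shop?id=3", 301, "https://example.test/shop?id=3"),
    ("http://example.test/blog", 302, "https://example.test/blog"),
    ("http://example.test/contact", 301, "https://example.test/"),
    ("http://example.test/search", 301, "http://www.example.test/search"),
    ("http://example.test/old", 200, None),
]

if __name__ == "__main__":
    for url, problems in audit(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(problems))
```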
Google lists further best practices for migrating from HTTP to HTTPS, but there’s no need to suffer alone if you’re already finding the task a bit daunting. We can take control of the whole process, from auditing your site and drafting a plan, to checking and monitoring your search rankings throughout. You can find out more about how we can help with HTTP migration and other website services on our website, or simply call one of our team today to discuss your needs.