Chrome Demands You Get Your HTTPS Together
Last night (August 17, 2017 for those of you reading this from the future), an email notification was sent to a large number of users with access to Google Search Console accounts.
In the widely distributed notification, Google alerted Search Console users that the Chrome browser will begin showing security warnings on pages that contain insecure forms as soon as October 2017.
While the warning specifically states “form,” an internal review of pages that triggered this warning included pages with any text input fields. This included site search boxes and chat features.
Image Credit: Nikki P. and MS Paint
Did you receive one of these alerts? Afraid you have no idea what to do about it?
Fear not! We are here to help you!
Below you find out what this warning is all about, what you need to do about it, and what your friends at Google are doing to help keep your site (and your visitors) safe as you buy, sell, and surf online.
Understanding Your Chrome Security Warning For HTTP URLs
Beginning this past January, you may have started noticing that Google Chrome now marks HTTP pages as “Not Secure” if they contain password or credit card fields.
As Google continues their quest for improved Internet security for all, they will begin expanding the reach of these “Not Secure” warnings this October with the release of Chrome Version 62.
(sample warning your visitors may see) Image Credit: Wired
Once Chrome 62 hits your computer or mobile device, the browser will show this “Not Secure” warning when pages are loaded that meet one of the following two criteria:
- If a user is asked to enter any data on an HTTP page (not just password of credit card information)
- When browsing any page, of any type, served over an HTTP connection in Incognito mode
To avoid having visitors to your website greeted with a ‘Not Secure’ warning, your site must update its server to an HTTPS protocol, or at least modify your form markup to use the secure version of hypertext transfer protocol (HTTPS).
Below are some helpful tips to make the transition easy.
Image Credit: Etsy Studio
So You Received The Chrome Security Warning. Now What?
For starters, you should consider yourself lucky! Google has given you about a six-week advance notice that you have some site modifications to make prior to this update in their Chrome browser.
According to statistics compiled from W3Schools, Chrome is the preferred browser of over 76% of web users.
Ok, so based on that, you probably have to do SOMETHING… so what are your options? Our experience and expertise suggests that you really have 3 choices…
GIF Credit: Imgur
- Migrate your entire domain from an unsecured connection (HTTP) to a secured connection (HTTPS)
- Reprogram all of your pages with forms being served over HTTP to now be served over HTTPS
- Do nothing, and put your site at risk of losing a large percentage of traffic from what is widely considered to be the web’s number 1 browser.
It is no secret around the web development and online marketing communities that Google wants the web at large to be more secure, so if you ever needed an excuse to get the green light to move your site from HTTP to HTTPS – now seems to be the perfect time!
However, you need to be aware that this isn’t a cut and dry solution. Before you simply go buying an SSL certificate, updating your settings with your hosting provider, and washing your hands of this whole “secure site” thing, there are a lot of things you need to take under consideration. It probably would make sense to connect with your web developer or get in touch with someone for an SEO consultation before you get too far down a path that brings high risk.
The Background On Google, Chrome, And HTTPS
If you did begin noticing this past January that Chrome now marks HTTP pages as “Not Secure” if they contain password or credit card fields, then you caught an important (but simply incremental) step in the timeline of Google’s journey to help the world wide web get more secure.
Dating all the way back to 2014, Google has been working to lead the web towards a more secure environment for all. At the beginning of that year, about 48% of web pages on the Google server were secure. As of their last report on July 28, 2017, around 88% of all Google sites and services are now secure… and the internet at large has taken a similar growth trajectory over that time.
In September 2016, the Security Team at Chrome announced on the Google Security blog (linked to in the previous section) that they wanted developers to begin doing their part to help the web be more secure. One month later, a very helpful guide to accomplishing this was released, and the rest is history.
Google obviously realizes there is still a lot of room for improvement, which is likely leading to the notification you received in your Google Search Console last night.
One Last Thing… What Is HTTPS Anyway?
Hypertext Transfer Protocol Secure is a communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site using encryption, data integrity, and authentication. In many ways it’s similar to standard HTTP, except that data in encrypted when sent to HTTPS servers and only decrypted once both parties’ security certificates have verified their identities.
When switching from HTTP to HTTPS you must obtain a security certificate that is issued by a certificate authority which takes steps to verify that your website actually belongs to your organization. When setting up the certificate you can ensure a high level of security by selecting a 2048-bit key.
Another best practice to follow when making the switch is to ensure that your HTTPS pages can be crawled and indexed by Google. To do this make sure that you do not block your HTTPS pages by robots.txt files, do not include meta noindex tags in your HTTPS pages, and use “Fetch as Google” to test that your pages can be accessed before launching.
It is also recommended that your HTTPS site supports HSTS. This tells the browser to automatically request HTTPS pages even if HTTP is entered into the location bar. This will also allow secure pages to appear in Google search results and will minimize the risk of serving an unsecured web page to a visitor.
Image Credit: Chromium Blog
A final tip when making the switch to HTTPS is to set up server side 301 redirects for search engines and users. This is another way to ensure that you are not showing an unsecure page to visitors, which could hurt the site’s reputation.