If you have a website that is running on a standard HTTP version it is likely you will receive an email from Google Search Console like the one below:

Non-Secure Collection of Passwords will trigger warnings in Chrome 56

Google Chrome Browser

We’re used to Google pushing the boundaries of technology in recent years.  It’s because of this relentless push, which covers such software as; Maps, Gmail, Adwords, Docs and of course Youtube that has brought them to the forefront of online tools.

Perhaps one of the greatest contributions is in the form of their web browser - Chrome.  

Just 10 years ago, Internet Explorer was the one to beat, with almost 90% of the market (1).  Fast forward to 2016 and Chrome dominated the market with nearly ¾ of internet users using it as their default browser (2).  

Chrome has also taken versioning to the next level. While Internet Explorer has taken 22 years to move 11 versions (prior to Edge which has increased the rate at which versions are released), Chrome’s next iteration (due this month) will be it’s 56th.  With each version it has added new functionality, pushing the limits of what it is possible for a website to do.

This next version however is one of their most notable.  As their focus moves towards a safer internet, Google has taken the decision to flag websites running under HTTP (rather than the more secure HTTPS) as insecure.

Currently it displays these sites in a neutral fashion, neither stating they are secure or insecure.  A secure page will show a green padlock, and a page running over HTTPS with some form of security issue will be shown a red padlock with a cross through it - to demonstrate that it is potentially unsafe.

Whilst in most cases, websites that either take payments, or have some form of restricted area have been running under HTTPS for some time, Google has taken this to the next level by basically encouraging all sites to run under the protocol.

What is HTTPS?

The ‘S’ stands for Secure.  This is because it encrypts communications between the user and the website.  Traditional HTTP traffic is sent in clear text between the user and web server.  So usernames, passwords, credit cards, etc are all sent in a readable format for anyone on the same WiFi network as you, your internet service provider, and potentially government agencies to read.

By switching to HTTPS, not only is all data encrypted between site users and the server, but your web browser checks the website’s security certificate and verifies it was issued by a legitimate certificate authority.

How Does It Work?

There are two ways secure websites encrypt communications, either SSL (Secure Sockets Layer) or TLS (Transport Layer Security).  Both systems use Public Key Infrastructure (PKI), where by anything encrypted by the public key can only be decrypted by the private key, and vise versa.

The private key is safely stored on the server, whereas the public key is intended to be made available to anyone who wants to interact with the server.

What does it mean for my website?

At the moment this will only impact visitors using the latest version of Chrome on your site.  

However, as stated above, this may be as much as 75% of your visitors, and with the default Chrome set to auto-update, it will not be long before most of that 75% are running the latest version.  

If you are running a non-HTTPS website, chrome will likely flag this in the address bar, informing the visitor that your site is not running over a secure connection.  Whilst it is no more or less secure than it was before this update from Chrome, it may appear to it’s visitors as a non-secure website, which could cause them to question how safe it is, and this may have an effect on visitors leaving your site.

Initially, this insecure flag will only appear on sites that have a username/password login, or a form taking credit card payments.  Chrome have not released any dates on when they will flag sites without logins or payments as insecure, but we advise getting ahead of the curve before this is introduced.

Eventual treatment of all HTTP non-secure sites in Chrome

What Can I Do?

You can choose to leave your website as it is, and it will continue to display as it currently does in all browsers other than the latest version of Chrome.  

However, we would recommend moving your site to HTTPS as this adds customer confidence and secures your website. A HTTPS migration is a relatively straightforward process but there are a number of factors that need to be properly considered to avoid any negative impact on your search engine visibility so we would recommend consulting an SEO expert before carrying out the move.

There are a number of different levels of SSL certificates available (the method of validating whether a site is secure).  These range in usage, visibility and price. 

We will be happy to talk through the different options available for setting up HTTPS on your site. If you would like to request a callback then please get in contact and we will be happy to help. 

 

Sources

1 https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Reports_from_before_year_2000

2 https://www.w3counter.com/globalstats.php

opayo-logo-footer
brakes_logo.svg
christian_aid
sunsail
uktv
nidostudent

Have a project you would like to discuss?