Google Chrome to show websites as ‘not secure’ from October

Back on the 30 September 2016 we wrote an article about how we had observed that the current version of Google’s browser, Chrome (v53) was going to start to flag websites that didn’t have an SSL certificate as ‘insecure’. The roll out was not across all versions. (original article)

To follow up on this story, Google announced this month to webmasters that from October 2017 the latest version of their Chrome browser (v56) would begin to flag all sites that had input fields and forms on their website but didn’t have an SSL certificate and follow the HTTPS protocol as ‘not secure’.

They announced this to website owners and those that manage websites through the Webmaster Tools Google Search Console by email.

Having already announced its intentions twice before (May 2017 and partially in September 2016) it is likely that this will be their final announcement on the subject.

So, what is affected?

In short, if a website located on a normal HTTP URL has a form or input field of any kind (enquiry form, shopping cart or even a search box) Chrome will flag in the top browser bar that the entire site is ‘unsafe’. Additionally, if an HTTP URL is visited in Incognito mode, the user will see the same ‘not secure’ message.

What it means to website visitors

When a user visits a website that is affected using the latest version of Chrome they will see a grey and red browser notice and the message in the address bar ‘not secure’. Previously, it was just flagged with the ‘I’ icon and when the user clicked that icon it explained that the site was ‘potentially unsafe and that data could be intercepted when input on forms’.

Overall, a very negative experience for users and one that could very much harm the website owner’s reputation and, ultimately, business.

Additionally, it means that the site is exposed to having the data intercepted from the form/input field when on its way to the server and as it’s not encrypted it can be read in plain sight.

Obviously, SSL-encryption has been a requirement for all those who have eCommerce websites and take payment. Those payment pages very often being secured by the payment gateway rather than the merchant website itself. However, this move now makes all websites that gather any kind of data from the user conform to the new HTTPS protocol and the website owners will need to install an SSL certificate.

How do I install an SSL certificate?

As a non-developer, you’ll struggle. You can either ask your website developer to do it for you or ask your host. However, there will need to be a few changes to your website in order for it to resolve on to the HTTPS protocol. Most of these changes will take less than an hour.

As you might expect, SSL certificates range in cost from the new, free ‘Let’s Encrypt’ solution through to branded versions from Verisign at around £700 per year. They all bring different benefits and we recommend that you seek advice as to which one will be right for your site.

Important to remember

When changing over to the HTTPS protocol it’s also vital for your search ranking to make sure that you not only perform an .htaccess or PHP URL redirect for all pages from HTTP to HTTPS but using your Webmaster Tools Search Console ensure that you monitor all 404s (pages that can’t be found but are indexed by Google). Additionally, you may need to put a range of fixed 301 redirects in place to prevent the 404s.

What Google will hate is a sudden change in the URL structure and see pages disappear overnight. That’ll kill any page ranking you have and can take months to claw back. (the negative effect is the same when a new website is built the and old URLs aren’t redirected to the new ones – see our previous article on this subject here ‘Why does Google hate my new website?’.

If care and attention isn’t taken here, your website will fall of the Google search cliff face.

Benefits

For a while now and since Google original announcement back in September 2016, it prefers websites in search results of those pages that are HTTPS other those in the same search results that are not HTTPS.

A website is marginally faster when loading through the HTTPS protocol and that brings natural SEO benefits, too. Slower sites mean that fewer pages get indexed and Google hates slow sites. Given that more than 65% of all internet searches are done on a mobile, speed is everything. If it’s important to the user and so it’s important to Google.

But aside from the technical aspect, it’s about user experience and that is every bit as important. If a user visits a website and gets the impression (and browser message) that it’s all a bit insecure, they’ll move on. Your ‘shop front’ needs to appear safe as you are handling their data and that in itself is a major responsibility. We’ll be covering this and its impact from the introduction of the GDPR laws in our next article.

What is not protected by an SSL

The purpose of the SSL is to encrypt (jumble up so that it’s not readable in any way) the data that’s entered into fields on a website – names, phone numbers, credit card details etc. However, what an SSL doe not do is protect against the following:

1. DDOS – Distributed Denial of Service hacks
2. Brute force hacks
3. Software vulnerabilities
4. Server hacks
5. CMS (Content Management System, such as Drupal or Magento) hacks

So, the clock is ticking. Many website owners will have ignored the previous two warnings and most likely this one, too. It will get to the point where they either spot a drop in website traffic (and sales) or they get customers reporting the ‘I’m getting an insecure’ message when I go to your website – is there a problem?’

Don’t be one of those. If you’d like some free advice as to your best options to get an SSL installed on your website call our technical team today on 01525 373020. We’ll talk it over and point you in the right direction.