Google plans to call out all websites (not just e-commerce sites) for not being secure if they do not switch to HTTPS. But what is HTTPS and why is it so important to Google? In a nutshell, Google is trying to force a more secure internet. To incentivize sites to switch, they are telling website owners that their site’s ranking will be affected (preference will be given to secure sites), and in some browsers, a warning might pop up indicating a site is not secure. Plus, they want the switch to be in place by this summer.
But let’s start from the beginning.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is an Internet communication protocol that protects the integrity and confidentiality of your users’ data between the user’s computer and the site. For example, when a user enters data into a form on your site, let’s say to subscribe to your newsletter or simply one that is on your contact page, HTTPS protects that user’s personal information. HTTPS encrypts your website data and secures it from others. Data cannot be modified or corrupted during transfer.
Starting in early 2017, Google began talking about flagging non-https sites as being “insecure.” Besides the security issues involved with being a non-HTTPS site, the integrity issues are enormous. Imagine a customer seeing a warning of an “insecure site.” Both your reputation and sales can be impacted.
What will the Google Warning look like?
You may not have paid much attention to it before, but the symbol just to the left of a website address gives you an indication of just how secure a particular site is. In previous versions of Chrome, this symbol might have been a green lock, a yellow warning triangle, or a lock with a red X on it.
In the Chrome 56 update, an HTTP site was marked with a neutral icon. If you clicked on that icon, you got a dropdown box that said, “Your connection to this site is not fully secure.”
In January 2017, Google started planning to place more accurate icons in the address bar. Secure sites were marked with a green lock and the word “Secure.” Unsecured sites employed the neutral icon, but with the words, “Not Secure” next to it.
In the latest update, the neutral icon will change to a red triangle next to the words, “Not Secure”—which is impossible to ignore.
As of October 20, 2017, 64 percent of Chrome traffic on Android is now protected, up from 42 percent a year ago; over 75 percent of Chrome traffic on both Chrome OS and Mac is now protected, up from 60 percent on Mac and 67 percent on Chrome OS a year ago; and 71 of the top 100 sites on the web use HTTPS by default, up from 37 a year ago.
What’s Involved in the Switch?
The switch to HTTPS encryption may not be such a big undertaking for large companies, but for smaller ones with a tighter budget it could seem daunting.
Small Business Trends provides a concise list with regard to changing from HTTP to HTTPS:
1) Purchase an SSL certificate; they are very inexpensive;
2) Install your SSL certificate on your website’s hosting account;
3) Make sure that any website links are changed from http to HTTPS so they are not broken after you flip the HTTPS switch, and
4) Set up 301 redirects from http to HTTPS so that search engines are notified that your site’s addresses have changed and so that anyone who has bookmarked a page on your site is automatically redirected to the HTTPS address after you flip the switch.
That being said, there are many related issues and technical considerations involved in this switch. Most business owners will need the help of a website developer or hosting provider who fully understands them.
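Steps 3 and 4 above can be checked mechanically before and after the switch. The following is an added example, not code from Small Business Trends or from this article's author: it lists hard-coded http:// references left in a page and tests whether a redirect response is a 301 to the same address under HTTPS. The site example.com, the sample HTML and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that can carry a URL the browser will fetch or navigate to.
URL_ATTRS = {"href", "src", "action", "poster", "data"}

class InsecureRefFinder(HTMLParser):
    """Collects (tag, attr, url) for every hard-coded http:// reference."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and value.strip().lower().startswith("http://"):
                self.found.append((tag, name, value.strip()))

def find_insecure_refs(html):
    """Step 3 check: return the references that still need changing to https."""
    finder = InsecureRefFinder()
    finder.feed(html)
    return finder.found

def redirect_is_correct(requested_url, status, location):
    """Step 4 check: the http:// URL must answer with a 301 whose Location is
    the same host, path and query under https:// (assumes the host name is
    not changed as part of the move)."""
    if status != 301 or not location:
        return False
    src, dst = urlsplit(requested_url), urlsplit(location)
    return (dst.scheme == "https"
            and dst.hostname == src.hostname
            and (dst.path or "/") == (src.path or "/")
            and dst.query == src.query)

# Constructed sample page for the hypothetical site example.com.
SAMPLE_HTML = """
<a href="http://example.com/contact">Contact</a>
<img src="http://example.com/logo.png">
<script src="https://cdn.example.net/app.js"></script>
<form action="http://example.com/subscribe"></form>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs(SAMPLE_HTML):
        print(f"<{tag} {attr}> still points at {url}")
    print(redirect_is_correct("http://example.com/contact", 301, "https://example.com/contact"))
```

A 302 (temporary) redirect, or a redirect that sends every page to the home page, fails the second check.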
Types of SSL Certificates
There are several types of SSL certificates. They can be grouped based on validation level or number of secured domains/subdomains.
Validation Level Certificates
Validation for SSL certificates based on validation level can be done by email or by adding a DNS record. Quite simply, you need to validate your ownership of the domain name.
This kind of certificate can be obtained in a few minutes (or occasionally a few hours). It’s ideal for those who don’t have an organization and don’t require extra security.
Types of validation level SSL certificates:
- Domain Validation (DV) is cheap, can be obtained in a few hours (max), and is best for blogs and other non-sensitive websites. This is the minimum certificate suggested for e-commerce portals.
- Certificate Authority (CA) validates domain ownership and other information through the use of public databases.
- Organization Validation (OV) requires 2 to 3 business days to activate, has no clear advantage over DV certificates, and is a minimum for e-commerce portals. This type of certificate is highly recommended for any website where a transaction is happening.
- Extended Validation (EV) certificates require a strict authentication process. An EV certificate displays the organization it was issued to in the browser. Most banking, finance, e-commerce, health care, government, and insurance sites use EV certificates because a high level of trust and authentication is required and they offer the most popular green HTTPS address bar. It takes about 7 to 10 days to activate.
SSL certificates based on secured domains are different from the above three—you need to pick the certificate type based on domains and subdomains you have.
Types of secured domains SSL certificates:
- Single Name secures only a single host name.
- Wildcard secures unlimited sub-domains for a single domain.
- Multi-domain supports all different domains and subdomains. This is highly recommended for those who have multiple domains and subdomains.
- United Communications (UCC) allows customers to protect up to 100 domains using the same certificate. It is specifically designed to secure Microsoft® Exchange and Office communications environments.
Where to Get an SSL Certificate
Pricing ranges from $69.00 to $399, or higher for the more sophisticated, ultra-secure, banking, financial, and health care sites.
When do I need to get the SSL certificate?
In a word, soon. Google has announced July 2018 as the date when Chrome will begin explicitly warning users if a site is “insecure.”
HTTPS and Web Rankings
In August of 2014, regarding HTTPS and website rankings, Google stated, “We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
But in April of 2017, Google stated it had no plans to boost the HTTPS ranking factor. So it seems that obtaining an SSL certificate is more of a security and integrity decision.
According to Barry Schwartz of Search Engine Roundtable, “Going HTTPS is not a bad thing and Google is pretty good at migrating all the ranking signals when you move. But if you mess up, it can be pretty bad for your rankings. So be careful.” Our advice is to have a professional, experienced website developer or hosting provider do it.
It is imperative that you start early rather than late on this endeavor. The risk of being categorized as an insecure site should serve as an incentive. Customers or potential customers searching for products on your site may never come back if they see Google’s red flag/insecure site warning. HTTPS protects the integrity of your website AND the privacy and security of your users.
Potential intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages. Intruders exploit every unprotected resource that travels between your website and your users. Images, cookies, scripts, HTML … they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.
Additionally, progressive web apps will require explicit permission from the user before executing. HTTPS is a key component to the permission workflows for new features and updated APIs.
Don’t let this change scare you! As we mentioned, this process can seem daunting to a small or midsize business owner. But that is why we are here. TRUE Marketing can help switch your site over to the new secure requirements easily. Just give us a call or send us an email.
As always, if you have any questions, feel free to let us know how we can help you.