Google battles the unencrypted web
In September 2018, Google’s Chrome browser will start displaying secure (HTTPS) pages with a more neutral indicator. Beginning with Chrome 69, the word “Secure” will be removed from the address bar of encrypted sites, but the lock icon will remain.
Then in October 2018, Chrome 70 will display a “Not Secure” message with a prominent red warning icon when users enter data on HTTP pages (see image below). Eventually, insecure sites will always show the warning text and icon.
Google’s thinking behind this somewhat counter-intuitive evolution is that encryption should be the default state, not the exception:
Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure,” we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).
— Chrome Security Team
What does this mean for you?
It means that if your website doesn’t currently use HTTPS, you risk losing Chrome users who are confronted with a blaring red “Not Secure” warning. Keep in mind that Chrome has a 66% desktop browser market share, so the exposure is considerable.
And it’s not just Chrome. Eventually all browsers (desktop and mobile) will follow suit with similar warnings. In short, if your website is still using insecure HTTP, you need to ask your developer why.
What is HTTPS?
HTTPS is the secure version of the Hypertext Transfer Protocol (HTTP), the set of rules that defines how information is formatted and transferred over the web. If your website isn’t encrypted with HTTPS, your visitors have no assurance that your site’s pages haven’t been tampered with in transit.
To be clear, using HTTPS will not make your site immune from server malware attacks or hacking attempts. HTTPS encrypts the transmission of data from one point on the web to another, but does little to protect the data once it arrives at its destination.
Benefits of HTTPS
- Encrypted transmission of web pages prevents tampering in transit
- Potentially much faster websites with HTTP/2 protocol (which typically requires HTTPS)
- Page load speed (improved with HTTP/2) is a Google page ranking factor
- Google claims encrypted sites have a page ranking advantage in their search results (albeit a small one)
- Low cost or free digital certificates (required for HTTPS) are now available
What is HTTP/2?
As mentioned above, HTTP stands for Hypertext Transfer Protocol, the mechanism a browser uses to request information from a server and display web pages on your screen. Put simply, the newer HTTP/2 loads web pages 20%–30% faster than the older HTTP/1.1.
HTTP/2 improves speed mainly by keeping one persistent connection open between the browser and the server, as opposed to opening a connection every time a piece of information is needed. This significantly reduces the amount of data being transferred.
Okay, what’s the catch?
There really isn’t one that I can think of. The biggest arguments against HTTPS used to be:
- SSL certificates (required for HTTPS) are expensive and require an annual fee. Used to be true. Today? Not so much. In fact, a certificate authority called Let’s Encrypt offers free certificates and an automated installation process designed to eliminate confusion.
- You need a dedicated IP (internet protocol) address to install an SSL certificate. Not true. Server Name Indication (SNI) killed the need for dedicated IP addresses years ago.
- SSL certificates can be a challenge to configure properly. Still true: this can be voodoo for the untrained. However, most hosts that offer free certificates provide painless one-click installation functionality.
- HTTPS will slow down your website. Not any more. In fact, your site may get considerably faster if your web host offers HTTP/2 (see above).
The biggest headache is converting your site from HTTP to HTTPS. If you’ve got hundreds (or thousands) of pages with countless internal links and dependencies, it can be a challenge to get everything redirected properly. It’s not a project for rookies, and it can ruin your SEO rankings if not done properly.
Unfortunately, the longer you wait, the worse it’s going to get. And come October 2018, if you’re not using HTTPS, Chrome will boldly proclaim your site “Not Secure.”
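An added example, not part of the original article: a small Python audit for the conversion work described above. It lists the hard-coded http:// references in a page (internal links, embedded dependencies, form targets, canonical tags) that need updating before the switch. The host www.example.com, the sample markup and the finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src is fetched as part of the page (mixed content if http://).
EMBEDS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

class HttpReferenceAudit(HTMLParser):
    """Collect (kind, tag, url) for each hard-coded http:// reference."""
    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}
        self.findings = []

    def classify(self, tag, name, rel, host):
        if name == "src" and tag in EMBEDS:
            return "mixed-content"
        if tag == "link" and name == "href":
            if "stylesheet" in rel:
                return "mixed-content"
            return "canonical" if "canonical" in rel else None
        if tag == "form" and name == "action":
            return "insecure-form"
        if tag == "a" and name == "href" and host in self.site_hosts:
            return "internal-link"
        return None  # e.g. an outbound link to someone else's HTTP site

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        for name in ("src", "href", "action"):
            url = (attrs.get(name) or "").strip()
            parts = urlsplit(url)
            # https, relative and protocol-relative URLs are left alone
            if parts.scheme.lower() == "http":
                kind = self.classify(tag, name, rel, parts.hostname or "")
                if kind:
                    self.findings.append((kind, tag, url))

def audit(html, site_hosts):
    parser = HttpReferenceAudit(site_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample markup for the hypothetical site www.example.com.
SAMPLE = """<link rel="canonical" href="http://www.example.com/about">
<link rel="stylesheet" href="https://www.example.com/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<a href="http://www.example.com/contact">Contact</a> <a href="/pricing">Pricing</a>
<a href="http://other.example.org/">Partner</a> <img src="http://www.example.com/logo.png">
<form action="http://www.example.com/subscribe" method="post"></form>"""
```

Calling `audit(SAMPLE, {"www.example.com"})` returns five findings; the relative link, the HTTPS stylesheet and the outbound partner link are not reported.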