New Chrome warning signals time to start planning for HTTPS transition
Since 17th August, a new warning has started appearing on Google Search Console.
It alerts website owners that any insecure webpages containing text input fields, whether an online form or a simple email address request, will, from October, trigger a 'not secure' notification in the Google Chrome address bar. A non-exhaustive selection of these pages is listed on the Search Console as examples.
In addition, all insecure pages accessed via Google Chrome in incognito (private) mode will be marked as 'not secure.'
This is the latest step in Google's 'HTTPS Everywhere' campaign which aims to improve security across the web using the HTTPS protocol.
Google began, in August 2014, by introducing HTTPS as a ranking factor in Google Search. In December 2015, they started instructing their crawlers to prioritise HTTPS pages over their HTTP versions.
What is HTTPS?
A webpage using HTTPS is identified by the 'https://' prefix at the start of its address (if shown) along with a padlock icon. This is designed to assure the end user that the page they are viewing is authentic, has not been tampered with and that any information received or supplied is safe from prying eyes.
With an insecure (i.e. HTTP only) webpage, hackers are theoretically able to take control and redirect traffic while posing as a legitimate organisation. With the HTTPS protocol, the webpage is authenticated by checking the site owner's security (SSL) certificate. If the check fails, a warning is served to the end user.
The HTTPS protocol also protects against so-called 'man-in-the-middle' attacks whereby a third party intercepts and alters data between the host server and end user. Any such deviation would be detected and, again, a warning served.
The cryptographic key bound to the site owner's SSL certificate ensures that even if transmissions were to be somehow intercepted, the information within would be virtually impossible to crack.
How will website owners be impacted?
Since the Chrome 56 update in January 2017, website owners without SSL certificates may have noticed that some HTTP webpages accessed on Google Chrome generate a 'not secure' warning. Up until now, this has only applied to webpages requesting extremely sensitive data such as credit card details and passwords.
From October 2017 (Chrome 62), this security measure will be extended to pages requesting any kind of data input. In reality, the warning appears on most websites.
For end users using Google Chrome in incognito mode, all HTTP pages will be labelled as 'not secure.'
Forward-thinking website owners should take this as a strong reminder to adopt HTTPS as soon as possible. It is only a matter of time before all HTTP pages trigger a security alert. This will clearly undermine customer trust in businesses that haven't upgraded.
Planning for HTTPS
Moving from HTTP to HTTPS requires careful planning. The number and type of domains a business owns will determine the type of security certificate it will need. Certificates should be issued by a trusted Certificate Authority; browsers include their own lists of trusted root certificates.
Because of the need to ensure all assets (e.g. images, videos, advertisements, etc.) are HTTPS compliant, upgrading can be complicated for businesses running certain websites.
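A pre-migration audit covering both points above (which pages would show the Chrome 62 warning, and which assets would still load over HTTP after the switch), given here as an added example that is not part of the original article. The names `PageAudit`, `audit` and `NON_TEXT_TYPES`, the choice of which input types count as text fields, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: input types that accept no typed text are ignored; every other
# type (text, email, search, password, ...) counts as a text input field.
NON_TEXT_TYPES = {"hidden", "submit", "button", "reset", "checkbox",
                  "radio", "image", "file", "range", "color"}
# Tag -> attribute that makes the browser load an asset.
ASSET_ATTRS = {"img": "src", "script": "src", "iframe": "src", "video": "src",
               "audio": "src", "source": "src", "embed": "src", "link": "href"}
# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/contact">
<script src="http://cdn.example.net/lib.js"></script></head><body>
<img src="//static.example.com/logo.png">
<img src="http://www.example.com/img/banner.jpg">
<form><input type="hidden" name="token"><input name="q">
<input type="email" name="email"><textarea name="msg"></textarea>
<input type="submit" value="Send"></form></body></html>"""


class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        # Resolve assets against the HTTPS form of the page: relative and
        # protocol-relative URLs follow the page, absolute http:// ones do not.
        self.base = "https://" + page_url.split("://", 1)[1]
        self.text_fields = []      # fields a visitor can type into
        self.insecure_assets = []  # assets that stay on HTTP after migration

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "textarea" or (tag == "input" and
                (a.get("type") or "text").lower() not in NON_TEXT_TYPES):
            self.text_fields.append(a.get("name") or a.get("id") or tag)
        attr = ASSET_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links are not loaded as assets
        url = urljoin(self.base, a[attr])
        if urlparse(url).scheme == "http":
            self.insecure_assets.append(url)


def audit(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    warn = urlparse(page_url).scheme == "http" and bool(p.text_fields)
    return {"not_secure_warning": warn, "text_fields": p.text_fields,
            "insecure_assets": p.insecure_assets}
```

Calling `audit("http://www.example.com/contact", SAMPLE)` reports the page as one that would trigger the warning and lists the two hard-coded `http://` assets that need updating before the page can be served cleanly over HTTPS.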
If you are planning to upgrade, it is wise to begin by initiating discussions with your web developer, web host or security provider. You can also read through Google's support guidance for a helpful introduction to the process, including how to ensure Google can crawl and index your HTTPS webpages.
A note on HSTS
For added security, Google recommends that HTTPS sites support HSTS (HTTP Strict Transport Security).
HSTS instructs browsers to load the HTTPS version of a webpage even when an HTTP request is made. It also directs Google to serve only the HTTPS versions in search results.
However, Google also warns that HSTS can cause problems, recommending a piecemeal approach to rolling it out.