HTTPS Now…Because Nobody Wants a Warning from Google
The last thing any of us wants is a warning from Google. It’s kind of like being reprimanded while crossing the street on a red light. You know you deserve it, you know you should have waited for the light to turn green, but you thought it was safe. It’s embarrassing when such things happen to others, and downright devastating when they happen to you.
This is why it is really important to note the change coming this month with the release of Chrome 56, the newest version of the Google Chrome browser. As announced in early September on the Chromium blog: “Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.” In other words, if a website has pages that collect passwords or credit card numbers and it’s being delivered over regular HTTP, website visitors will soon see an unpleasant little warning in the address bar.
If you’re in the website building industry, and if a warning like this pops up on one of your sites when a website visitor drops by, it can be very bad for business. Website owners aren’t going to like this warning, and neither are website visitors.
Nothing will change, by the way, if the website is already delivered on HTTPS, or if the website doesn’t collect passwords or credit card numbers.
This is the first time that Chrome is marking HTTP pages as non-secure, and it’s a relatively gentle warning – for starters. Just a little (i) and the words “Not Secure” in light gray. However, this is just one step in Google’s long-term plan to make the web a safer place by reducing the number of non-secure websites that are out there. In the future, after many more pages are secured with HTTPS, Chrome plans to mark ALL websites that aren’t HTTPS with a bold red warning…but more on that later.
What the Heck is HTTPS, Anyway?
If you already know what this acronym stands for, you can simply jump down the page for a refresher on why it’s so important. But if you don’t know (or remember) what HTTPS means, keep right on reading.
HTTPS stands for Hyper Text Transfer Protocol Secure and it’s the secure version of HTTP. HTTPS indicates that all communications between a website and the browser to which it is connected are encrypted.
In the past, HTTPS was primarily used on websites that enabled confidential online transactions such as online banking or shopping. Over time, however, it has become increasingly clear that all online connections need to be protected with HTTPS, since this protocol ensures that communications between a user and a website cannot be intercepted by hackers.
Two types of protocols are used to encrypt online communications: SSL (Secure Sockets Layer) and TLS (Transport Layer Security). While SSL and TLS are different standards, both have similar qualities, as both create two ‘keys’ that encrypt communications: a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted by the private key, and vice-versa.
Why Every Website Needs HTTPS
Enabling HTTPS on websites that collect passwords, payment info, or any other personal information is critical. Without it, confidential data that users input into these sites can be stolen, and as everyone knows (see this article, or this one, or maybe even this one), having your website visitors’ accounts hacked is no fun at all.
When a site isn’t HTTPS, hackers can intercept the connection, steal confidential data, and tamper with what a user sees on his or her screen. This means they can inject malicious ads, insert fake content, trick users into downloading malware and more. In short, even if a site doesn’t contain confidential information, having its communications with visitors intercepted can have negative consequences for the website and its brand. If you’ve built the website, this has negative consequences for you, too.
HTTPS is important for another reason as well. More and more companies use HTTPS as a requirement for advanced features and technologies. So, if you’re building a website for a customer and want it to have features such as geolocation, push notifications and more, you’ll need to deliver the website over HTTPS in order for certain browsers (including Chrome and Firefox) to enable these features. In other words, HTTPS keeps your options open – for you and your customers.
The Evolution of Google’s Push for HTTPS
Google’s decision to warn users about websites that aren’t HTTPS may come as a surprise to some, but it certainly doesn’t come out of the blue.
A while ago, Google implemented a little green padlock that reassures users who are using an HTTPS website, but it doesn’t dissuade users from trusting a website that doesn’t have a padlock. The current change is part of a long-term plan by Google to increase web security in general and to encourage website builders and owners to secure their websites with HTTPS.
HTTPS has been a Google ranking signal since 2014. Initially, it was a fairly lightweight signal, carrying less weight than signals such as high-quality content and speed.
In 2015, Google announced that it was adjusting its indexing system to look for more HTTPS pages. Moreover, Google announced that if it found two URLs from the same domain that appear to have the same content, it would typically choose to index the HTTPS URL if a number of criteria were met. Google also announced that it would add weight to a company’s use of HTTPS, “because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
Good News About HTTPS
Slowly but surely, HTTPS is becoming more common. For example, an increasing number of media sites (see this announcement from Quartz) are moving to HTTPS to ensure that their website is “not altered by anyone else on its way to your browser.” In other words, it’s a way to block fake news stories from appearing on an otherwise trustworthy website. Moreover, HTTPS is getting better all the time. In fact, according to istlsfastyet.com, the bad rap TLS and SSL protocols used to have simply isn’t relevant anymore.
In September 2016, Google reported that “more than half of Chrome desktop page loads are now served over HTTPS.” Furthermore, 12 of the top 100 websites have changed their serving default from HTTP to HTTPS.
In other words, lots of websites are already HTTPS, which means that users’ interactions with them are already protected. But what about all the sites that aren’t HTTPS? Well, there’s good news here, too, because it is really easy to secure your site with HTTPS these days.
And one more thing. For now, the new warning is only going to appear on pages that contain sensitive input fields (like passwords and credit cards, as mentioned above). However, in the future, all pages served over HTTP will receive a Not Secure warning on Chrome. So if you are already making the effort to protect sensitive pages in your websites with HTTPS, why not protect the entire website? It’s good for your clients, and for you too!
Convinced That You Need HTTPS? Good. Now What?
We hope it’s clear that there is absolutely no reason why your sites should not be delivered on HTTPS. Now you just need to enable HTTPS on your websites (if you haven’t already). And though this process may be complicated on some website builders (we don’t want to name names, but these builders know who they are…), it’s really quite easy with Duda. Here’s why:
Duda offers free HTTPS for anyone who builds a website pointed to the Duda domain. Just follow the instructions here and you’re good to go. Duda’s service, by the way, uses Let’s Encrypt, the automated and open Certificate Authority that gives the digital certificates that websites need to enable HTTPS. (Let’s Encrypt is warmly recommended by Chrome, which is always a good sign.)
The Future Of The Web: Safer
If Google has its way, the future of the web will be a whole lot safer than its present. Users will be educated to know the difference between safe sites (aka HTTPS) and sketchy ones, and they’ll know to stick to places that are HTTPS. In the future, this means any site that isn’t HTTPS (Google hopes these will be few and far between) will be tagged with a more noticeable “Not Secure” warning – perhaps something like this.
In Google’s own words, it wants to ease users into making an association between HTTP and bad. It doesn’t want to label every HTTP site as bad for now because this will cause users to stop paying attention.
By encouraging developers to make the first move – by protecting pages with sensitive information fields with HTTPS – Google hopes that more and more pages will be secured with HTTPS, and the internet will ultimately be a better and safer place.
Now who wouldn’t want that?!