Google cracking down on websites without full HTTPS
2017 is undoubtedly the year of SSL and full HTTPS for all websites. Before the year is out, all businesses should aim to have their websites full HTTPS (the -S at the end stands for Secure!)
Why should I care about HTTPS
HTTP (Hypertext Transfer Protocol) has been in use by the World-Wide Web global information initiative since 1990.
HTTPS (HTTP Secure) is the secure version and aims at assuring confidentiality and security of exchanges. With the communication being encoded, the protocol protects not only from eavesdropping, but also from data alteration.
Make the change now, avoid being penalised
2017 is a crucial year for website security. Search engines and web browser providers have been pushing 100% site-wide encryption for a few years now, and the number of websites using HTTPS went from 25% to over 50% in a twelve-month period. Full HTTPS (where 100% of pages/content on your website uses SSL encryption) is now a standard feature for new websites, and existing websites should convert to full HTTPS at the earliest opportunity. Whether your website is selling products, advertising your services, or even a personal website or blog, full HTTPS is the way to go.
Google is the world’s largest search engine and they are intent on making the web a safer place for all users. For their web browser (Chrome) Google is introducing changes that penalise and flag any website that loads pages through HTTP and not HTTPS. These penalties will include but are not limited to:
- The restriction of powerful features over HTTP
- The restriction of communication with some hardware over HTTP
- The restriction of using checkouts or payment gateways over HTTP
- Lowering the ranking of an HTTP website in Google Search
- Removing some sites completely from Search
Secure your whole site, not just your checkout
HTTPS is now required across all pages, not just pages with sensitive information.
It’s a common misconception that if your secure pages, such as login, checkout, and admin pages are secured with HTTPS your website will be fine; however, this is not the case. Using HTTP on any webpage introduces the risk of a man-in-the-middle attack, where data can be intercepted between your website visitor and the web server. A malicious user can use this access to track passwords, payment data, and other sensitive information before you reach the important secure pages.
How will the new changes affect your browser?
Secure websites will be displayed with a green padlock or similar icon and the full HTTPS text before the domain name.
The “i” icon in the address bar shows that a website is not using a private connection. Clicking the icon will show what the website is attempting to access or any cookies currently active.
The red “!” icon followed by “Not Secure” shows a website that’s been flagged as dangerous or malicious. In the near future, Google will be making changes on all websites not secured by an SSL certificate to display the “Not Secure” red triangle in chrome browsers. The best time to make the change is now!
Until recently, a website using the HTTPS had a positive visual indicator, usually a padlock next to the URL. Where a problem arose, the padlock would be shown as broken or crossed out. In December 2014, the Chrome security team published a proposal to all web browser vendors: websites using the non-secure version of the protocol will have to be clearly marked as non-secure by the web browsers. This proposal is now being implemented led by Chrome, Firefox and Google making it all the more important to make the change now!
Watch the video to learn more
For a more detailed explanation of all changes, risks and dangers regarding standard HTTP, take a look at this video from the 2016 Google Chrome Summit.
We’re here to help. Get in touch today
If your website isn’t fully HTTPS and you want to know more, get in touch with a member of the team today and we’ll be happy to schedule the work for you.