Background
As early as 2014, Google’s Webmaster/Analytics team had begun openly pushing for better security on the web. They began looking into the factors that affect site security and how those can be improved. You can read Google’s ‘HTTPS as a ranking signal’ article to learn more about this. The easiest target to take on in pursuit of this huge goal is the use of HTTPS over HTTP. When using HTTPS, the connection between a server and a client is secured and encrypted with SSL/TLS. A requirement for supporting the HTTPS protocol is having a valid SSL certificate for your domain name. Sounds easy enough? Get an SSL certificate for your domain, install it, and now you have HTTPS support. That’s essentially what Google wants to do, but for EVERY website. From Google’s perspective, there’s not a whole lot they can do directly to reach this goal.
Google’s Plan to Secure the Web
With those goals and challenges in mind, Google created a multi-pronged plan of action. In the article linked above, ‘HTTPS as a ranking signal’, the team talks about the state of HTTPS adoption in 2014 and gives some basic information on adoption trends. Seeing an encouraging uptick in adoption rates around that time, they began testing the sites being indexed to track whether they use HTTP or HTTPS. Using that data, they experimented with HTTPS usage as a factor in search rankings. Currently, HTTPS usage accounts for only a very small percentage of search ranking. Another way Google plans to push the web to be more secure is through the Chrome browser. Starting with the release of Chrome 56, the browser will begin marking all HTTP sites as ‘Not Secure’. At first, this change will only affect pages that accept password or credit card input. This is a very important and commonly missed condition of the change.
How These Changes Affect Your Site
If your site has an SSL certificate, then you will not be affected! Your site is already secured with HTTPS! If your site does not have an SSL certificate, then you may be affected by these changes. Use the list below to see if you are! At this time, the only pages that will be marked as insecure are pages that accept sensitive user input, with credit card information and passwords being the main concern. Google explains it best in their blog post ‘Moving towards a more secure web’:
Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
An example of how this will be shown in Chrome can be seen here:
Original image above provided by Google; found in ‘Moving towards a more secure web’.
Will my site be marked insecure without HTTPS?
- Does your website accept credit card information?
- Does your site require a login for users to access it?
- Does your site have user logins (even if they are optional)?
- Do you exchange any sensitive data through the website?