Earlier this week Google started issuing their final notices about the need to upgrade to the Secure Socket Layer HTTPS protocol, telling webmasters if they don’t secure their websites by the end of September pages in their sites will be prefaced with a security warning in the Chrome browser. The Chrome browser, which is made by Google, is used by 44.47% of Canadian web users. Naturally, most webmasters and site owners want to avoid such a warning given the chilling effect it would have on web traffic.
Wanting to avoid a problem and knowing what to do about it are two different things. This post is meant to explain the basics of HTTPS, what it means, why Google is forcing the update, and the steps a website owner can take to comply. If you already understand the process, stick around for the word play. If you don’t, this post should make the explanation your IT person will offer somewhat easier to understand. Either way, please do not use this post as a how-to guide as it most certainly is not.
The order itself is rather cryptic unless you’re already conversant in geek-speak.
To the owner of : https://websitename.com,
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as <input type=”text”> or <input type=”email”> that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive
The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.
Here’s how to fix this problem:
Migrate to HTTPS
To prevent the “Not Secure” notifications from appearing when Chrome users visit your site, only collect user input data on pages using HTTPS.
This warning comes in three parts. The first is the threat which tells us we have until October 2017 to successfully migrate to HTTPS or Google’s Chrome browser is going to display a “Not Secure” notice. This notice will be displayed on pages that require or prompt site visitors to enter information into a form. The notice doesn’t say when in October so prudence dictates we assume “Not Secure” warnings will begin on October 1st.
The second part of the warning is a description of content that will trigger the Chrome “Not Secure” warning found on your website. In this case it is a series of contact forms the business uses to better communicate with potential clients. Google politely points out these forms are indicated by lines in the source-code that include <input type=“text”> or <input type=“email”>. It then lists where all pages that carry the trigger code might be found, in this case throughout the entire domain.
The third part is the solution, which in this case is to upgrade or migrate to HTTPS which means, HyperText Transfer Protocol Secure, indicating the presence of a SSL or Secure Socket Layer certificate. This warning notes that HTTPS need only be used on pages that actively collect user input data, or information input by site visitors.
What it doesn’t say is said a couple lines above, “The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.” HTTPS is going to have to be applied to all pages in a website sooner or later and, since Google is forcing the securing of some pages, webmasters might as well go all in and secure all sections of their sites.
The SSL certificate is a guarantee backed up by a handshake. It is essentially a third party verification system that has to be purchased for periods of time, 1 year, 2 years, 5 years, etc…. The guarantee is a randomly generated encryption code. The handshake is the process of verifying the certificate against the randomly generated code. If the two match every time a request is made to the server, the certificate is valid. This ensures a malicious hacker can’t worm their way between the user and website to record information or somehow manipulate the user’s experience.
There are several types of SSL certificates available, some far more expensive than others. What your website needs is dependent on the size of your site, the image you want to convey to users, and the actual level of security necessary to protect user information transmitted via forms on your site. Obviously Amazon, eBay, and your personal or business bank require a higher level of security than a magazine publisher or small e-tail store might require.
Interestingly, each ISP or domain registrar can offer slightly different SSL packages but they boil down to the same set of guarantees and handshakes. One well known discount ISP offers three packages. To protect one website (domain) costs start at $87.99/yr (CDN). To protect multiple websites or domains costs start at $195.99/yr. To protect a website and multiple sub-domains sees costs start at $391.95/yr.
By the way, did you note I said that was what a discount ISP offers? Google’s requirement that all websites implement SSL protocols is going to prompt the spending of an enormous amount of money. Try to calculate the overall cost (and perhaps benefit) to the economy if every small business with a website needs to pay between $100 and $400 per year on a series of SSL handshakes and guarantees in order to be displayed without a “Not Secure” warning. I think we’re thinking about hundreds of millions of dollars spent annually on SSL certificates in the US alone.
More often than not, your ISP or domain registrar will sell SSL certificates. They’re easy to obtain and easy to install at the ISP. If you can’t find a link for HTTPS or SSL on your ISP’s website, contact their support department and they’ll guide you through the process. Better yet, call a reputable SEO service to do the process for you.
Once the certificate is installed on the ISP, your website will start with the preface HTTPS instead of HTTP. This has a few implications you should be aware of. HTTPS://yourwebsite.com is a different URL than HTTP://yourwebsite.com is. All links from other websites were written to direct traffic to http and just because you’ve updated it doesn’t mean those links have. You either have to get everyone who has linked to you to change the links on their pages (which is never going to happen), or use a handy webmaster technique called a 301-redirect to seamlessly move traffic from the old URL to the new and secured HTTPS version. Writing the 301s can be tedious but it’s relatively easy or there are tools that will write the bulk of them for you. The 301 redirects are then placed in the .htaccess file which is uploaded to the root level of the server. Once that’s done, all traffic to the old page addresses will automatically go to the new ones.
You’ll know if the site is secure by the symbol or note in the top left corner of the address field. If you see the word secure, or a green locked padlock, your website is considered secure. If, however, you see an “i” or information symbol, you have issues with the SSL certificate. More often than not, the site will be totally secure. If not, a problem might be found in certain plug-ins or applications used on the site. If they are not secure, Google might not consider your website fully secure. An evaluation of plug-ins and apps against their usefulness and replace-ability would be warranted.
Assuming the website is secured. Don’t worry if you don’t have all that. If you don’t know what I’m writing, expect someone to say something like this if and when you ask about the site.
You’re not out of rough waters yet. Because you’re introducing a new set of URLs to Google, a short period of adjustment should be anticipated in which your website might lose positions. That will correct itself as Google figures out the new and secured URLs via the 301 redirects.
Google is imposing this virtual order on webmasters because so much of our Internet traffic is now conducted using mobile devices. Nearly 58% of all requests to Google in 2016 came across mobile devices. Consumers use their phones for as many personal and financial transactions as app makers can develop programs for. Therefore, there are more opportunities to hack mobile information and obviously there is a rising awareness among the low level criminals who become malicious hackers. By requiring a third-party guarantee and handshake, Google adds a relatively thick layer of security between data transferred on common web pages and bad folks trying to steal other people’s information or identities.
The bottom line is SSL has functionally been made mandatory by Google. It needs to be implemented in the next six weeks or Google is going to warn users of the Chrome browser to avoid your website. Getting it done is a tedious job that might take a few days, depending on the size and scope of your site. You’re going to get it done though. Google says you simply can’t refuse.