Last week Google announced that their popular web browser, Google Chrome, will display warnings to users who access non-HTTPS sites, as part of strongly advocating that all websites adopt HTTPS encryption. Although all sites should be secure and run on HTTPS by default, there is still a proportion of sites that have yet to make the switch, which is why Google will now side with those that have taken the necessary steps in securing their site, rather than those that haven’t. But before we drill down into these latest updates to Chrome, let’s first revisit what HTTPS is and why you need to run your site over its protocol.

What is HTTPS?

If you’re sat there thinking “what is HTTPS?”, then there’s probably no better time than now to try to gain more of an understanding. Hyper Text Transfer Protocol Secure is essentially a secure version of HTTP, which is the protocol used to send and receive data between your web browser and the website you’re attempting to access. The fundamental difference between the secure version and the non-secure version is that, when secure, all connections between browser and website are encrypted to protect the sending and receiving of sensitive data. As such, this heightened security reduces the chances of being a victim of cyber attacks where known web vulnerabilities can be exploited.

Why do you need HTTPS?

Alongside the fact that HTTPS ensures that your entire site is protected and far less susceptible to web vulnerability exploits – which is particularly relevant to those handling customers’ personal data – Google’s search engine actually favours secure sites over non-secure, simply because they’re ensuring that their users can browse their site in a safe and secure environment. As such, sites that run on HTTPS will generally feature higher up the search results for relevant search terms than non-secure sites. Google have been actively encouraging webmasters to switch to HTTPS for the past couple of years as we navigate towards a more secure web, but last year’s progression was seen as a big step in the right direction with:

  • Over 68% of Chrome traffic on Android and Windows now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac now protected
  • 81 of the top 100 sites on the web using HTTPS by default

So, what’s changing in Chrome?

Whilst making the switch to HTTPS is no new initiative and Google’s core algorithm is known to already favour secure sites over non-secure, new changes to Google Chrome have been rolled out to identify all sites that have yet to migrate to HTTPS as “Not Secure” as shown in the below image.

Currently, Google Chrome identifies all sites that run on HTTPS as “Secure” with a green lock icon to indicate that the page you’re visiting is a secure page that’s encrypted and protected from cyber attacks. However, Google’s latest update (Chrome 68) is the first change that’s been initiated to identify all sites that are “Not secure”, which means that essentially all sites accessed through Google Chrome will be displayed as either “Secure” or “Not Secure”.

Google’s next planned alteration is scheduled for September 2018 in an update named Chrome 69, which will see them remove the green lock and label in the search bar and assume that all sites run on HTTPS as shown in the above image. As per the previous update (Chrome 68), all non-HTTPS sites will be identified with the “Not Secure” label.

Put simply, rather than assuming that a site is not secure – unless indicated with the lock and label – users can now assume that a site is secure, unless otherwise indicated by the “Not Secure” label.

Summary

Making the switch to HTTPS should be high up on your priority list if you own a website or online business and have yet to secure your website. There is no better time than now, so it’s advisable to take the necessary measures to find out whether your site is secure or not and better your understanding of what this means. Should you have any questions or queries as to how to make the switch to HTTPS or why you need to, then why not get in touch with us today to see how we can help to secure your site and safeguard your website’s future.

2 weeks ago, I wrote a blog post suggesting that in 2016, we would see rankings increase for websites that run through HTTPS. Yesterday, we came one step closer to this happening when Google announced that it would now start indexing secure pages by default.

What this means is that if your website can run securely through HTTPS, then Google will rank the HTTPS version of a page and not the non-secure version. It will do this providing that some conditions are met (listed below) and it can detect an identical secure version of a non-secure page.

On the face of it, it seems like Google is trying to make the change so that they rely on webmasters as little as possible. However, the below list of conditions will mean that Google probably won’t have a blanket success.

  • It doesn’t contain insecure dependencies.
  • It isn’t blocked from crawling by robots.txt.
  • It doesn’t redirect users to or through an insecure HTTP page.
  • It doesn’t have a rel="canonical" link to the HTTP page.
  • It doesn’t contain a ‘noindex’ robots meta tag.
  • It doesn’t have on-host outlinks to HTTP URLs.
  • The sitemap lists the HTTPS URL, or doesn’t list the HTTP version of the URL.
  • The server has a valid TLS certificate.

But, what if my website already has an SSL certificate?

Providing a website does already have an SSL certificate, there are 3 points for me that will stop Google ranking a lot of secure pages by default:

“It doesn’t contain insecure dependencies.” 

Lots of websites use lots of plugins, that use lots of libraries and external resources. A web page that links to an API or a library that isn’t running HTTPS will not automatically switch to HTTPS. I think a lot of the internet will fall foul of this, which will prevent Google ranking secure pages by default.

“It doesn’t have a rel="canonical" link to the HTTP page.”

Webmasters have spent a long time putting canonical tags into their websites. If these have been written as relative URLs, then there shouldn’t be an issue. However, if they haven’t, then many pages won’t default to HTTPS.

“The sitemap lists the HTTPS URL, or doesn’t list the HTTP version of the URL.”

Like the canonical issues, if the sitemap is relative to the domain, then it should be OK, but I don’t think this will be the case for a lot of websites. Generally, only websites that have intentionally set up and linked to HTTPS pages would default to HTTPS, which won’t be many.
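
As an added example (not code from the original post), the Python below checks a page's HTML and sitemap for the conditions above that can be verified from the source alone: insecure dependencies, a canonical link to HTTP, a noindex robots meta tag, on-host links to HTTP URLs, and HTTP entries in the sitemap. The function names and the shop.example, cdn.example and other.example hosts are assumptions made for illustration; robots.txt, redirects and the TLS certificate need a live request and are not covered.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}  # <link> rels that load a file

class HttpsAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.host = page_url, urlparse(page_url).hostname
        self.findings = []  # (condition, offending value) pairs, in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") if tag in SRC_TAGS else a.get("href")
        # Relative and protocol-relative URLs resolve against the HTTPS page URL.
        target = urlparse(urljoin(self.page_url, url or ""))
        is_http = bool(url) and target.scheme == "http"
        rels = set(a.get("rel", "").lower().split())
        if tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.findings.append(("noindex", a["content"]))
        elif is_http and (tag in SRC_TAGS or (tag == "link" and rels & FETCHING_RELS)):
            self.findings.append(("insecure-dependency", url))
        elif is_http and tag == "link" and "canonical" in rels:
            self.findings.append(("canonical-to-http", url))
        elif is_http and tag == "a" and target.hostname == self.host:
            self.findings.append(("on-host-http-link", url))

def audit_page(page_url, html):
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return parser.findings

def sitemap_http_urls(sitemap_xml):
    # Sitemap <loc> entries that still list the HTTP version of a URL.
    locs = re.findall(r"<loc>\s*([^<\s]+)\s*</loc>", sitemap_xml)
    return [u for u in locs if u.lower().startswith("http://")]

# Constructed sample input; shop.example and cdn.example are placeholder hosts.
SAMPLE_URL = "https://shop.example/products/"
SAMPLE_HTML = """<head><link rel="canonical" href="http://shop.example/products/">
<meta name="robots" content="noindex, follow"><link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/lib.js"></script><script src="//cdn.example/other.js"></script>
</head><body><img src="images/logo.png"><a href="http://shop.example/contact">Contact</a>
<a href="http://other.example/">Partner</a></body>"""
SAMPLE_SITEMAP = ("<urlset><url><loc>http://shop.example/products/</loc></url>"
                  "<url><loc>https://shop.example/contact</loc></url></urlset>")
```

Calling `audit_page(SAMPLE_URL, SAMPLE_HTML)` flags the absolute `http://` canonical, the noindex tag, one script and one on-host link, while the relative and protocol-relative references pass because they inherit the page's HTTPS scheme.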

What does this mean for Webmasters?

This means that most people will still need to put the work into making the change, which is a signal from Google that they are ramping up their efforts and I still think that we will see ranking increases in 2016.

At the moment, Google have not said they are ranking HTTPS higher, they are just saying they will index the secure version over a non-secure version by default. This is one reason why website security should be your number one concern, and it is something all website owners need to take note of.