Lately there’s been a lot of speculation about Googles up-coming changes to how sites without an SSL are going to be treated. As January draws towards a close we have seen an increase in customers with concerns of how this will affect their site. Both in terms of people being able to see it and how it might affect their search ranking.
This article aims to clear up some of the confusion and to demystify the changes.
As early as 2014 Google’s Webmaster/Analytics team had begun openly pushing for the use of better security on the web. They began looking into the factors which affect site security and how they can improve. You can read Google’s ‘HTTPS as a ranking signal’ article to learn more on this.
To accomplish this huge goal the easiest target to take on is the usage of HTTPS over HTTP. When using HTTPS the connection between a server and client is secured and encrypted with an SSL/TLS. A requirement for supporting the HTTPS protocol is having a valid SSL certificate for your domain name.
Sounds easy enough? Get an SSL Certificate for your domain, install it, and now you have HTTPS support. That’s essentially what Google wants to do, but for EVERY website. From Google’s perspective there’s not a whole lot they can directly do to reach this goal.
Google’s Plan to Secure the Web
With those goals and challenges in mind Google created a multi-pronged plan of action.
In the article linked above, HTTPS as a ranking signal, the team talks about the state of HTTPS adoption in 2014 and details some basic information on adoption trends. Seeing an encouraging uptick in adoption rates around that time they began some testing on sites being indexed to track if they use HTTP or HTTPS. Using that data they experimented with using HTTPS usage as a factor for search rankings.
Currently usage of HTTPS as a factor only accounts for a very small percentage of search ranking.
Another way Google plans to help push the web to be more secure is through the Chrome browser. Starting when Chrome 56 is released the browser will now be marking all HTTP sites as ‘Not Secure’. This change will only affect pages that accept password or credit card input. This is a very important and commonly missed condition of this change.
How These Changes Affect Your Site
If your site has an SSL, then you will not be affected! You’re site is already secured with HTTPS!
If your site does not have an SSL, then you may be affected by these changes.
At this time, the only site pages that will be marked as insecure with these changes will be pages that accept sensitive user input. Things like credit-card information and passwords being the main concern. Google explains it best in their blog ‘Moving towards a more secure web’:
Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
Will my site be marked insecure without HTTPS?
- Does your website accept credit card information?
- Does your site require a login for users to access it?
- Does your site have user logins (even if they are optional)?
- Do you exchange any sensitive data through the website?
If you answer yes to any of the questions above your site may be affected by the changes in Chrome 56.
For example, if your site is Blog that doesn’t allow users to login and you never accept credit card information then you will not be affected. However, if you have a single page where you and Blog editors can login, then only the login page will be affected by the change.
On the other hand, if you have a login form in your sites main navigation then technically any and everypage on your site accepts sensitive data. Since this is on every page that means without HTTPS support all pages will begin showing as “Not Secure” in Chrome 56+.