If you don’t use HTTPS on your website, it will now be labeled “NOT SECURE” in Chrome.
Even if you haven’t considered using HTTPS (HyperText Transfer Protocol “Secure”) for your business website, you’ve probably seen it before. The history of this security protocol goes back many years to the beginnings of the commercialized Internet – And it’s about to get a big emphasis, thanks to upcoming changes from Google. If you haven’t thought about transitioning your website to HTTPS, now is an excellent time to start making plans. Here’s why.
HTTPS: The Security Format Ahead of Its Time
The HTTPS protocol was developed in the mid-1990s thanks to efforts by companies like Netscape and Spyglass (remember them?). The problem was, at that time, the Internet wasn’t very secure, and exchanging data for commercial transactions (payment and contact info) was a risky business. As a result, organizations developed SSL (secure sockets layer) security, encryption that could be used to verify their website’s authenticity and protect consumer information.
This quickly became a go-to security measure for large online retailers, especially once Microsoft officially adopted HTTPS. Rival protocols battled for a few years, but as SSL continued to evolve, global standards took hold. By the 2000s, HTTPS had become the universal way to protect data and assure individuals that a site was secure.
A Quick History of Google and HTTPS
As the Internet grew in the 2000s, HTTPS slowly expanded beyond commercial sites into other types of websites, including news and service organizations. It moved slowly because internet security was still relatively new. HTTPS was primarily relegated to website data behind logins, or data managed by particularly large organizations.
Google was surprisingly ambivalent about HTTPS for many years. It even refused to index HTTPS pages up through 2013. It didn’t see those pages as an appreciable, easily measured part of the Internet. But this soon changed as Google realized the role it played by encouraging internet security through page rankings, and how it assigned value to online content.
Google algorithm updates focused on improving the quality and safety of the Internet. They added a new algorithm in 2014 designed to factor in secure sites of all kinds. And, for the benefit of users, they started labeling secured sites more prominently in Chrome.
This new algorithm had one primary purpose: It improved rankings for sites that invested in HTTPS security, in real time. This meant that companies could basically get a ranking boost just by switching to the HTTPS protocol. However, there were difficulties in this approach. For one thing, while Google boosted HTTPS rankings, the company (probably unintentionally) made it difficult to change over to HTTPS with Google Webmaster Tools. Plus, the SEO boost that HTTPS provided was minuscule. This led companies to ask, “Well, why bother?” As a result, Google didn’t see the intended growth of HTTPS sites.
Google’s Latest HTTPS Change.
Fast-forward to the end of 2016: Data security has become more important than ever as security threats rise at an alarming rate. Today, Google has decided to take its HTTPS encouragement up several notches with a big upcoming change:
- Companies that adopt HTTPS will be designated as “SECURE” on Chrome browsers.
- Companies that don’t use HTTPS will now be labeled “NOT SECURE” when users open the site in Chrome. This will apply to all websites without HTTPS, no matter what other security measures they employ.
- This change will go into effect in October 2017 – a swiftly approaching deadline.
Google didn’t mention whether or not it would add more weight to HTTPS in its ranking algorithm. They’re under no obligation to tell anyone if they’re changing the algorithm, so this move could easily be followed by harsher SEO penalties for HTTP-only sites.
What Should You Do About HTTPS?
Fortunately, Google is good about giving companies advice on what to do to improve their sites. If you’re worried, the company breaks down the solution into two different steps.
First: Make sure that all forms associated with passwords and credit fields of any kind are provided via the HTTPS protocol. That means the entire page at the top-level must be HTTPS, as well as any iframe inputs. Don’t make the mistake of simply searching for, and converting all your iframes: Google specifically says this won’t work – you need to make the entire page HTTPS to avoid the “Not Secure” warning.
Second: The first step is simply a patch to treat immediate symptoms. Your long-term solution should be to convert your entire site, in all its various forms, to HTTPS. The “Not Secure” warning will still show up on other pages without HTTPS. Customers may be less likely to notice it on, say, content-only pages, but it will be there, and you need to get rid of it.
Remember, October 2017 is the cutoff date, so it’s important to make the change to HTTPS if you want to prevent the Chrome warning label from showing on your site. If your site is hosted, look at the services and packages provided by your host. Most will offer an upgrade to HTTPS that allows for a quick site conversion. Check to see if you have room in the budget for this upgrade.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.