May 2nd Update: Google has announced the next phase of the rollout detailed below. It covers websites still on HTTP that accept any data input, and HTTP websites viewed in Incognito mode. Any data input includes site search and any kind of form, regardless of whether its fields hold sensitive information, so this expansion covers a much larger swath of websites that would benefit from setting up an SSL certificate for HTTPS.
Toward the end of 2016 Google announced its intent to begin labelling websites that collect personal information such as passwords and credit cards as “non-secure” if they do not have an SSL certificate installed, with the overarching goal of eventually labelling all websites that do not have SSL certificates as “non-secure”, whether or not they collect personal information. Google is making good on its plan, starting with version 56 of Chrome’s stable channel.
What’s an SSL? How do I know one’s there?
HTTP, or HyperText Transfer Protocol, is essentially the means by which servers pass files and instructions to, or receive them from, web browsers (such as Chrome or Firefox), which then present that data in the form of a website. With the growing complexity of websites and hackers’ continued push to compromise them, personal information shared on the web needs to be more secure. To add a layer of encryption, HTTP is paired with Secure Sockets Layer (SSL) to form HTTPS (HTTP-Secure). The SSL certificate ensures the authenticity of your website and of the information passed.
Modern browsers including Chrome, Firefox and Safari give visual clues, such as a lock icon or green message like the one above, to help users know and trust that their connection is safe. In addition to Chrome’s version 56 rollout, Google is also encouraging adoption of HTTPS by giving sites that use it a very lightweight ranking boost over sites that do not.
What Does This Mean?
With these changes coming from Google, Daylight is encouraging the move from HTTP to HTTPS. Websites that collect personal information - usernames, passwords, credit card information, transactions - should treat the switch to HTTPS as the utmost priority. It not only gives your users peace of mind that their information is secure, it also keeps you in the good graces of web browsers such as Chrome, which is by far the most popular browser in use. As Google will roll this non-secure label out to all websites, those with a more general brochure-like presence should also move to HTTPS. If your team has the capability and resources to tackle this independently, we’ve identified helpful resources and steps below:
- Review your website to determine if you have an SSL certificate set up
- Identify if your SSL certificate is only set up for a shopping cart or sitewide. If only for a shopping cart, you’ll want to expand to be sitewide.
- Identify if your website collects personal information or passwords. If your website collects this information, you’ll want to have it on your immediate radar to set up an SSL certificate.
- Plan ahead. If your website doesn’t have an SSL certificate and doesn’t collect personal information, that doesn’t mean you’re off the hook. Per Google’s announcement, they plan to roll out an update after the first rollout that will impact your website. So plan ahead - start the conversation with your IT team or your development partner and get an SSL certificate installation scheduled.
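
As an added example (not from the original article and not Chrome's own detection logic), the Python script below applies the checklist above to saved page HTML and sorts each page into the rollout phase that would affect it. The `example.test` pages are constructed samples, and treating `type="password"` and `autocomplete="cc-*"` fields as sensitive is an assumed heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input types that take no user-entered data.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}

class InputCollector(HTMLParser):
    """Collects form controls, split into sensitive and other data inputs."""
    def __init__(self):
        super().__init__()
        self.sensitive, self.other = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea", "select"):
            return
        a = dict(attrs)
        kind = (a.get("type") or "text").lower() if tag == "input" else tag
        if kind in NON_DATA_TYPES:
            return
        label = a.get("name") or kind
        # Assumed heuristic: password fields and card autofill tokens (cc-number, cc-exp, ...).
        if kind == "password" or (a.get("autocomplete") or "").lower().startswith("cc-"):
            self.sensitive.append(label)
        else:
            self.other.append(label)

def audit_page(url, html):
    """Return (verdict, sensitive_fields, other_fields) for one page."""
    c = InputCollector()
    c.feed(html)
    if urlparse(url).scheme == "https":
        verdict = "ok: served over HTTPS"
    elif c.sensitive:
        verdict = "immediate: HTTP page collects passwords or card data"
    elif c.other:
        verdict = "next phase: HTTP page accepts data input"
    else:
        verdict = "plan ahead: HTTP page with no data input"
    return verdict, c.sensitive, c.other

# Constructed sample pages (example.test is a placeholder site).
PAGES = {
    "http://example.test/login": '<form><input name="user"><input type="password" name="pw"></form>',
    "http://example.test/search": '<form><input type="search" name="q"><input type="submit"></form>',
    "http://example.test/about": "<h1>About us</h1><p>Brochure page.</p>",
    "https://example.test/cart": '<form><input name="card" autocomplete="cc-number"></form>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(url, "->", audit_page(url, html))
```

A site whose cart page reports `ok` while its login or search pages do not is the "shopping cart only" case from the checklist.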
This update started first with the beta version of Chrome, which is generally used by enthusiasts who want the latest browser features in exchange for the occasional crash. After thorough testing it recently made its way to the stable channel of Chrome with version 56. For general internet use, it’s also helpful to remember that when Google starts tagging a website as non-secure, it does not mean that the site has been hacked or compromised in any way, only that there is no extra security layer in place.