The HTTPS Train is Leaving the Station

Shawna O'Neal, Web Engineer
Posted on Apr 16, 2018

Last summer my fellow engineer-at-arms, Dan Collins, blogged about the web-wide push for HTTPS, including what it is, why it matters, and why you should hop on the train. Since then, our Client Services team has rounded up our clients for conversion over to the more secure protocol. We’re happy to report that the large majority of our HTTP-using clients have made the swap. If you haven’t made the switch yet, now’s the time to get on board.

* This article was originally posted on January 25, 2018 and updated on April 16, 2018 to include new information regarding an announced update to Google Chrome, and to provide information from additional browsers.

Swapping tracks is rather painless, and simply requires a certificate request through a hosting provider or a third-party resource such as Let’s Encrypt.

As you can see, there’s a lot going on with HTTPS at the moment. While these changes may not affect search results yet, it’s important to recognize that Google Chrome has become the most popular web browser in recent years. At least half of your web visitors will be on Chrome, and we’re certain this isn’t the end of Google’s push for a more secure web.

This makes one thing clear - remaining on HTTP will result in over half of site visitors seeing “Not Secure” warnings across your site. While it’s not a direct SEO penalty, being seen as unsecure by Google and site visitors is not the right track to be on. The best move you can make is to board the HTTPS train, before you get left behind.

Imarc is here to help you through the transition, and to make it as smooth as possible. Ready to hit the fast track? Contact Us!

The Story So Far

  • As of this upcoming July, Chrome will tell users that any non-SSL site they visit is insecure.
  • As of this upcoming May, Firefox will tell users that any non-SSL site they visit is insecure.
  • As of this week, Chrome will not recognize older SSL certificates issued by Symantec and its resellers (such as Thawte, Norton, Verisign and others).
  • As of last October, Chrome has been telling users that non-SSL sites are insecure when they use any web forms.

What does this mean for unsecured HTTP websites? Let's take a look.

Beginning in July 2018, with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure.”

Google describes the changeover as “gradual,” but that's no reason to wait. Over 68% of Android and Windows traffic for Chrome browsers is already utilizing HTTPS, and 78% of iOS and Mac traffic is protected as well. Even for sites that don't utilize forms, there's no longer any reason or excuse for not making the switch.

It's Not Just Google.

Firefox has been marking non-HTTPS forms as “not secure” since 2016, and has indicated built-in features will be available within its May 2018 release for marking non-HTTPS sites as insecure. Apple's Safari browser has been marking unsecured forms since its High Sierra release, and we suspect further security is not too far behind. While Google is cracking down far harder on sites without an SSL certificate, it's become evident that the push for secured sites is web-wide.

Already on HTTPS? We’ve got one more thing for you to consider - verifying your certificate sources.

On April 17, 2018, Google Chrome will no longer recognize Symantec SSL certificates issued prior to December 1, 2017, as secure.

There’s a lot going on in the world of Symantec lately. What you need to know is that having an SSL certificate from Symantec that was issued prior to December 1st is bad news, and getting them reissued should be your top priority. Google has been warning Symantec for years to clean up their certificates, and finally announced their plans to remove trust back in September. Firefox has announced a similar set of plans to remove trust as well, with May 2018 being the date to watch for.

This applies to Symantec-controlled brands too, including Norton, Thawte, GeoTrust, RapidSSL, Verisign and TC Trustcenter.
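A first-pass triage for the rule above, as an added example that is not from the original article: it flags a certificate whose issuer names one of the listed brands and whose issue date falls before December 1, 2017. It assumes certificate data in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and the helper names are constructed for illustration, and matching on issuer text is a heuristic, since browsers decide on the root the chain leads to.

```python
import ssl
from datetime import datetime, timezone

# Brand names listed in the article; issuer-text matching is a heuristic (assumption).
LEGACY_BRANDS = ("symantec", "norton", "thawte", "geotrust",
                 "rapidssl", "verisign", "tc trustcenter")
# Cutoff from the article: certificates issued before December 1, 2017.
CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)


def issuer_text(cert):
    """Flatten the issuer RDNs of a getpeercert()-style dict to lowercase text."""
    return " ".join(value for rdn in cert.get("issuer", ())
                    for _key, value in rdn).lower()


def issued_at(cert):
    """Parse the notBefore field into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def needs_reissue(cert):
    """True when the issuer names a listed brand and issuance predates the cutoff."""
    branded = any(brand in issuer_text(cert) for brand in LEGACY_BRANDS)
    return branded and issued_at(cert) < CUTOFF


def sample_cert(org, cn, not_before):
    """Build a constructed sample in the shape getpeercert() returns."""
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),),
                       (("commonName", cn),)),
            "notBefore": not_before}


# Constructed samples, not real certificates.
SAMPLES = {
    "old-branded": sample_cert("GeoTrust Inc.", "Example RapidSSL CA", "Jun 14 00:00:00 2017 GMT"),
    "reissued": sample_cert("DigiCert Inc", "Example RapidSSL CA 2018", "Feb  3 00:00:00 2018 GMT"),
    "other-ca": sample_cert("Let's Encrypt", "Example Authority", "Jan 10 08:00:00 2018 GMT"),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, "reissue" if needs_reissue(cert) else "ok")
```

The "reissued" sample still carries a legacy brand name in its issuer but is dated after the cutoff, so it is not flagged.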

Digicert, the company that took over Symantec’s SSL business in December, will replace the bad certificates at no extra cost to existing customers. While you’re at it, you’ll want to avoid giving site visitors a bad impression by removing any prominent Symantec SSL “trustmarks.” Sadly, the badge has become more of an anti-trustmark.

These aren't as valuable as they used to be.

As of October 17, 2017, Google Chrome will now flag form-containing pages over HTTP as “Not Secure”

Google warned it would do so on their Chromium blog (a site worthy of following) back in April, and made good on that promise. As you navigate the web, you’ll see the following indicators that forms may not be secure:


You’ll find a few details about this notice. First of all, when the visitor is using incognito (aka private) browsing, the “Not Secure” message will show on page load and on data entry. During normal browsing, it only shows on data entry. Additionally, including your form in an HTTPS iframe is not sufficient. This notice checks the domain for https://, and therefore not having it will trigger the notice regardless.

That said, trying to get around the warning is futile. Google has declared its intentions to promote a more secure web. Resistance is also ineffective, and with the swap taking a minimal amount of time and effort, it’s simply not worth avoiding. You should update your domain, subdomains, and marketing domains (such as Marketo, Hubspot, etc.) to HTTPS. If not, your pages are liable to break when the HTTPS-enabled domain blocks the unsecured content you're trying to pull in. The same goes for any links, embeds, and dependencies - you’ll want to make sure you’re pulling them in as https:// to avoid any issues.
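To find the references that still need updating before a page moves to HTTPS, here is an added example (not from the original article) that scans a page's HTML for `http://` URLs and sorts them into content the page loads, form targets, and plain navigation links. The tag table, the function names and the sample page with its placeholder hostnames are assumptions made for this sketch.

```python
from html.parser import HTMLParser

# tag -> (URL attribute, kind). "load" references are fetched by the page itself.
URL_ATTRS = {
    "script": ("src", "load"), "iframe": ("src", "load"), "img": ("src", "load"),
    "embed": ("src", "load"), "link": ("href", "load"),
    "form": ("action", "form"), "a": ("href", "navigation"),
}
LOADING_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that fetch content


class InsecureRefFinder(HTMLParser):
    """Collect (line, tag, kind, url) for each plain-http reference in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr, kind = URL_ATTRS.get(tag, (None, None))
        attrs = dict(attrs)
        url = (attrs.get(attr) or "").strip()
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & LOADING_RELS:
            kind = "navigation"  # e.g. rel="canonical": a pointer, not a fetch
        if attr and url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_insecure_refs(html):
    """Return every http:// reference found in the given HTML text."""
    finder = InsecureRefFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample page; the hostnames are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="//img.example.com/logo.png">
<iframe src="http://forms.example.net/signup"></iframe>
<form action="http://www.example.com/subscribe" method="post"></form>
<a href="http://partner.example.org/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_insecure_refs(SAMPLE):
        print(f"line {line}: <{tag}> {kind} {url}")
```

The "load" entries are the ones an HTTPS page is liable to have blocked; the protocol-relative `//` image is not reported because it follows the scheme of the page that includes it.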
