Last summer my fellow engineer-at-arms, Dan Collins, blogged about the web-wide push for HTTPS, including what it is, why it matters, and why you should hop on the train. Since then, our client services team has been rounding up the remaining stragglers for conversion to the more secure protocol. Swapping tracks is rather painless, requiring a certificate request through a hosting provider or using third-party resources such as Let’s Encrypt.
We’re happy to report that 70% of our HTTP-using clients have made the swap. For the remaining minority, starting 2018 on HTTP is going to be the equivalent of getting left on the tracks in a handcar. If you haven’t made the switch yet, now’s the time to get on board.
As of October 17, 2017, Google Chrome flags pages containing forms over HTTP as ‘Not Secure’
Google warned it would do so on their Chromium blog (a site worth following) back in April, and made good on that promise. As you navigate the web, you’ll see the following indicators that forms may not be secure:
Images courtesy of https://blog.chromium.org
You’ll notice a few details about this notice. First of all, when the visitor is using incognito (aka private) browsing, the ‘Not Secure’ message will show on page load and on data entry. During normal browsing, it only shows on data entry. Additionally, including your form in an HTTPS iframe is not sufficient. The notice checks the domain of the page itself for https://, so a page without it will trigger the notice regardless of how the form is embedded.
That said, trying to get around the warning is pointless. Google has declared clear intentions to promote a more secure web. Resistance is futile, and with the swap taking a minimal amount of time and effort - it’s simply not worth avoiding. You should update your domain, subdomains and marketing domains (such as Marketo, Hubspot, etc.) to HTTPS. If not, your pages are liable to break when the HTTPS-enabled domain blocks the unsecured content you're trying to pull in. The same goes for any links, embeds and dependencies - you’ll want to make sure you’re pulling them in as https:// to avoid any issues.
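One way to audit a page for both problems described above, as an added example that is not part of the original post: the script reports whether a page would draw the form warning and lists every reference that still resolves to http://. The function names, the sample markup and the example.com hosts are assumptions made for illustration, and the warning check is an approximation based on the top-level URL and the presence of form fields.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# URL-bearing attribute per tag. <a> links are not blocked as mixed content
# but are listed so they can be moved to https:// too.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
             "source": "src", "link": "href", "a": "href", "form": "action"}
DATA_ENTRY_TAGS = {"input", "textarea", "select"}


class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_refs = []      # (tag, absolute http:// URL)
        self.has_data_entry = False  # page contains visible form fields

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in DATA_ENTRY_TAGS and (attrs.get("type") or "").lower() != "hidden":
            self.has_data_entry = True
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # Resolve relative and protocol-relative URLs against the page.
            absolute = urljoin(self.page_url, attrs[attr])
            if urlparse(absolute).scheme == "http":
                self.insecure_refs.append((tag, absolute))


def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    # The warning follows the top-level page URL, not an embedded HTTPS iframe.
    warn = urlparse(page_url).scheme == "http" and parser.has_data_entry
    return {"not_secure_warning": warn, "insecure_refs": parser.insecure_refs}


# Constructed sample page: a signup form plus mixed http/https references.
SAMPLE = """<html><head><script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href="/site.css"></head><body>
<iframe src="https://forms.example.com/signup"></iframe>
<form action="/subscribe"><input type="email" name="e"></form>
<img src="//img.example.com/logo.png"><a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://www.example.com/", "https://www.example.com/"):
        print(url, audit(url, SAMPLE))
```

Served over HTTPS, the same markup still leaves two hard-coded http:// references to fix; relative and protocol-relative URLs follow the page's scheme automatically.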
Already on HTTPS? We’ve got one more thing for you to consider - verifying your certificate sources.
On April 17, 2018, Google Chrome will no longer recognize Symantec SSL certificates issued prior to December 1, 2017, as secure.
There’s a lot going on in the world of Symantec lately. What you need to know is that having an SSL certificate from Symantec that was issued prior to December 1st is bad news, and getting it reissued should be your top priority. Google has been warning Symantec for years to clean up their certificates, and finally announced their plans to remove trust back in September.
This applies to Symantec-controlled brands too, including Norton, Thawte, GeoTrust, RapidSSL, Verisign and TC Trustcenter.
DigiCert, the company that took over Symantec’s SSL business in December, will replace the bad certificates at no extra cost to existing customers. While you’re at it, you’ll want to avoid giving site visitors a bad impression by removing any prominent Symantec SSL “trustmarks.” Sadly, the badge has become more of an anti-trustmark.
There’s a lot going on with HTTPS at the moment. While these changes may not affect search results yet, it’s important to recognize that Google Chrome has become the most popular web browser in recent years. At least half of your web visitors will be on Chrome, and we’re certain this isn’t the end of Google’s push for a more secure web.
This makes one thing clear - remaining on HTTP will result in over half of site visitors seeing ‘Not Secure’ warnings across your site. While it’s not a direct SEO penalty, being seen as insecure by Google and site visitors is never the right track to be on. The best move you can make is to board the HTTPS train before you get left behind.
We’re here to help you through the transition, and to make it as painless as possible. Ready to swap tracks? Contact Us!