SSL and Google Chrome – Naming & Shaming

Dec 17, 2016 | General News, SEO

Google Chrome, SSL and the Green Padlock

From early 2017, Google claim they will start marking ALL unsecured websites visited using Google Chrome with a warning. This obviously could have serious implications for visitor traffic and custom.

The big change already signalled as possible for SEO in 2017 is that the Google Chrome browser will start shaming websites that do not use SSL certificates and HTTPS.

Two years ago Google announced/suggested that they would give preference in their search listings to websites that used encryption. That means preferring websites that have SSL certificates attached and show HTTPS at the beginning of the URL as opposed to HTTP. They see this as their major contribution to the wider industry campaign to try and make the web a safer place.

In reality this change has very little effect on search engine positioning. It is just one more on the long list of scoring items considered by the Google search algorithm. Nor, seemingly, is it a factor to which they have given an especially strong weighting so far.

Google Chrome shaming unencrypted websites not using SSL certificates for https

Google are now preparing to take this one step further. Currently, if you use Google Chrome:

  • When you visit a properly secured HTTPS website you see a green padlock in the menu bar next to the URL.
  • If you see a red padlock with an x next to a URL, this is an indication of problems with a site’s security certificate.
  • A lock icon with a yellow triangle indicates an existing certificate but that the site has weak security.
  • With unsecured HTTP websites you will normally see just a plain icon representing a file or page. In future, this will be replaced by a warning symbol.

How could this affect traffic to your HTTP website?

Google intends to phase these changes in, starting with websites that ask users to input passwords or credit card information. Straight away we are dealing with eCommerce sites that require an account to be set up before or during purchasing, and also with membership sites and forums: anywhere you may need to log in.

What is currently unclear is whether all CMS sites will be immediately affected. You might have a site where you don’t allow general user registration but still require Admin user access. If Google are strict then these sites could be affected from the start of the rollout. Until the rollout is actually underway, all we have is speculation.
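
To see which of your own pages would fall into this first phase, here is an added example (not part of the original post) that flags pages served over plain HTTP containing a password or credit-card field, including an admin-only login form. Treating `autocomplete="cc-..."` as the credit-card signal is an assumption of this sketch and Chrome's own detection may differ; the URLs and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> fields that ask for a password or card details."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attribute names arrive lowercased; values may be None
        name = a.get("name") or ""
        if (a.get("type") or "").lower() == "password":
            self.found.append(("password", name))
            return
        # Assumption: card fields are marked with autocomplete="cc-..." tokens.
        tokens = (a.get("autocomplete") or "").lower().split()
        if any(t.startswith("cc-") for t in tokens):
            self.found.append(("credit-card", name))


def audit_page(url, html):
    """Return (at_risk, fields). at_risk is True when the page is served over
    plain HTTP and contains at least one sensitive input field."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    is_http = urlsplit(url).scheme.lower() == "http"
    return (is_http and bool(finder.found), finder.found)


# Constructed sample pages (not real sites).
SAMPLES = {
    "http://shop.example/checkout":
        '<form><input name="card" autocomplete="cc-number"></form>',
    "http://blog.example/wp-login.php":
        '<form><input type="text" name="log"><input type="PASSWORD" name="pwd"></form>',
    "http://brochure.example/": "<p>Plain HTML, no forms.</p>",
    "https://members.example/login":
        '<form><input type="password" name="pw"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        at_risk, fields = audit_page(url, html)
        print(("WARN " if at_risk else "ok   ") + url, fields)
```

The admin-only login page is flagged even though the site has no public registration, because the check looks at the form fields on the page, not at who is allowed to sign up.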

Other reasons for switching to HTTPS.

Lowered Costs

Lower-cost or even free SSL certificates have become available. For HTTPS to work, a certificate must be generated by a trusted authority and normally renewed once a year. These certificates cost money, which has been a deterrent for sites that are generating little or no revenue.

With the advent of Let’s Encrypt, the cost problem has been somewhat reduced as they provide free certificates. The cost to maintain a site on HTTPS year in, year out has been removed, leaving only the initial set-up as a cost factor.

Your Credibility

As web users are learning that HTTPS sites are more secure and therefore more worthy of their trust, will they discriminate against unencrypted websites? Will they trust your competitor more than you if they have an HTTPS secured site and you don’t?

It is worth noting that Google Chrome is currently two to three times more popular in usage terms than the next browser on the list, so the majority of your visitors will see the warning.

What should you do?

This depends on a number of factors: the type of site you have, and thus whether it is affected immediately; whether you depend on search engine positioning for attracting site visits; whether your reputation will suffer damage from having a warning sign against your website; and how your budget looks.

Do you need to act soon?

Here’s my take on whether you need to act soon:

  • If you have a plain, old-school HTML website with no facility to gather user details then I’d suggest no need to take immediate action. Likelihood is that this is an old website so perhaps you should be considering having it revamped anyway. In this case I can integrate an SSL certificate at the same time.
  • If your website is on WordPress or similar but you don’t allow user registrations then I would suggest a wait-and-see approach. It will be obvious if the site gets a warning, and the effect can be monitored in Google Analytics. That’s not to say you shouldn’t be proactive if you want; if the site is also in need of a revamp, it’s probably worth doing at the same time.
  • Membership and eCommerce sites are high on Google’s hit-list so you will want to act sooner rather than later.

The Options

As mentioned earlier, ‘traditional’ SSL certificates come in many shapes and sizes, with differing levels of encryption and extended validation of ownership. Depending on type, they can cover single domains, multiple domains and/or sub-domains. Add into the mix the new Let’s Encrypt certification and all the options you might possibly need are thoroughly covered.

The Next Step

I will be broadly offering two options for SSL/HTTPS for client websites. I can purchase traditional SSL certificates via Future Hosting and install these for individual websites or multiple websites that are under the same ownership. Although I haven’t finalised costings, a typical SSL is likely to be in the region of £50 per year per domain.

Future Hosting are in the process of setting up the Let’s Encrypt system on the server. This will allow me to easily issue their free certificates to single websites with no recurring fees.

Important Note: Whichever HTTPS solution you choose, there will be a fee payable to convert the site. As well as ensuring that all pages and links are now correctly configured, I will need to go through the admin of informing Google of the change in order that your search engine positioning is not unduly affected. This fee will vary depending on the size of the website and the complexity of the work involved. It is likely to range from £40-£80 per website. Of course, I will quote for individual sites before the start of any work on them.

Other reading on the subject at Vice [ external links ]

Worth noting that Vice are not themselves using HTTPS yet…

Here Are The Internet’s Top Websites That Still Don’t Use Encryption

Google Will Soon Shame All Websites That Are Unencrypted

Google Will Start Shaming Unencrypted Websites in January

Update: January 28th 2017

As of today I have had warnings from Google concerning this about two sites I manage. A brief message that with the Google Chrome 56 browser the warning would appear. So, it would seem they are taking it very seriously. Interestingly though, one site was not open to user sign-ups. Only a couple of admin accounts existed, so it does seem that Google won’t simply be concentrating on ecommerce sites at the start. With the second site I had already converted it to HTTPS, albeit only recently, but it would suggest that Google hadn’t updated their records. This despite me going through the process of adding the HTTPS version fully to their Search Console.