To help users browse websites more securely, Google announced in January 2017 that the release of its Chrome browser will mark all unencrypted HTTP sites as “not secure” in the browser URL. This is part of Google’s plan to discourage use of sites that don’t use appropriate security measures and to transition web traffic from potentially insecure HTTP to the safer alternative, HTTPS.
Chrome and other leading browsers have indicated HTTP connections with a neutral indicator, which does not reflect the lack of security of those connections. This means that when users access a site using HTTP, a hacker could intercept login information, passwords or payment data, increasing the opportunities for fraud.
A recent Google study identified that the current neutral indicator in the web browser has little impact on users, and a “not secure” warning is more effective. In labelling HTTP sites more clearly and accurately, Google aims to give users more reassurance when using certain websites. Ultimately, Google plans to label sites that continue to use HTTP with a red warning triangle to indicate that these sites are not functioning securely.
As of January 2017, Google’s Chrome 56 browser started labelling HTTP pages that include sensitive information, such as password or credit card fields, as “not secure”.
HTTPS ensures that when a user accesses a website, their data is encrypted using the Secure Sockets Layer (SSL) protocol or the more modern version, the Transport Layer Security (TLS) protocol. In order to implement HTTPS, site owners must obtain a trusted digital certificate for their entire website(s). Google reports that HTTPS usage is increasing substantially and that a significant portion of web traffic has transitioned to HTTPS to date.
HTTPS offers many advantages over HTTP, including powerful new features and performance including:
Browsers examine pages as they appear, checking them for password or credit card fields. If these fields are present, the site will be flagged. If no fields are present, the site is not flagged. Any pages within the site that are flagged need encryption to prevent browser warnings indicating the page is not secure.
As Google Chrome marks all pages with the insecure warning, the user experience suffers whether or not a site needs encryption in the same way an ecommerce site does. Because this is a browser change that affects all types of sites, it is not just an ecommerce concern.
This is a change controlled at the browser level, not at the user level. So, you’ll still have the error messages for internal sites lacking HTTPS, which could cause confusion for users within your internal environment(s).
At a minimum, start with password and credit card pages as we know these are pages that will be impacted by this change. Then, begin looking at other pages. A best practice for prioritization purposes would be to address the pages on your site with the highest traffic, as these will be visited the most and have the highest chance of a negative user experience when error messages are displayed.
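The assessment described above can be scripted. The following is an added example, not code from Symantec or from Chrome: it scans pages served over HTTP for password or credit card inputs and orders the results with sensitive pages first, then by traffic. The `autocomplete` card tokens are an assumed heuristic (not the browser's actual logic), and the function names, URLs and visit counts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# type="password" is the page's own example of a sensitive field; matching card
# fields by these autocomplete tokens is an assumption made for this sketch.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}

class SensitiveFieldFinder(HTMLParser):
    """Collects the kinds of sensitive <input> fields found in one document."""
    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.fields.add("password")
        if CARD_TOKENS & set(a.get("autocomplete", "").split()):
            self.fields.add("card")

def audit(pages):
    """pages: iterable of (url, monthly_visits, html). Returns HTTP pages, most urgent first."""
    findings = []
    for url, visits, html in pages:
        if urlsplit(url).scheme.lower() != "http":
            continue  # already served over HTTPS, nothing to migrate
        finder = SensitiveFieldFinder()
        finder.feed(html)
        findings.append({"url": url, "visits": visits, "fields": sorted(finder.fields)})
    # Pages with password/card fields first, then highest traffic first.
    findings.sort(key=lambda f: (not f["fields"], -f["visits"]))
    return findings

# Constructed sample inventory: internal and public pages with made-up traffic.
SAMPLE_PAGES = [
    ("http://intranet.example/login", 900,
     '<form><input type="text" name="u"><input type="PASSWORD" name="p"></form>'),
    ("http://shop.example/checkout", 4000,
     '<form><input name="card" autocomplete="cc-number"/></form>'),
    ("http://shop.example/blog", 25000, "<p>News</p>"),
    ("https://shop.example/account", 12000, '<input type="password">'),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        print(f["url"], f["visits"], ",".join(f["fields"]) or "no sensitive fields")
```

Fields injected by JavaScript after load do not appear in static HTML, so a page this scan reports as clean may still be flagged in the browser.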
Yes. Sites with HTTPS are given preference in search rankings (which has been widely publicized), so using HTTPS is important for your SEO activities.
Assess pages, internal and public: check that all pages that request login or payment have an SSL cert, or are planned for one.
Work with a credible Certificate Authority like Symantec to discuss certificate types that offer functionality and flexibility to suit your environment needs.
Involve all stakeholders internally: this may require additional budget that had not been factored into initial plans.
Consolidate: work with your Account Manager to analyse the opportunity for consolidation based on your environment and CA offerings.
Speak with your account manager, or visit our content hub: https://go.symantec.com/be-trusted
Symantec World Headquarters
350 Ellis St. Mountain View, CA 94043 USA
+1 (650) 527 8000 +1 (800) 721 3934