Switch to HTTPS… Or Else!

Google wants to make the internet a safer place…and as of Feb. 1, it will begin displaying a browser warning (via the Chrome Address Bar) for any site that gathers sensitive information that is not encrypted with the HTTPS protocol. That’s right: if your site is not using HTTPS by the end of January, Google will mark your site as non-secure, which can factor into your search rankings as well.

Google’s New HTTPs Requirements – What Data are Considered Sensitive?

If your site collects data like credit card information, passwords, addresses, etc., it’s crucial that your site is secure anyway. HTTPS (which stands for HyperText Transfer Protocol Secure) offers an additional layer of protection for your site users, ensuring that the information that passes between your users and your server is encrypted (rendering it useless if captured in certain types of attacks). In other words, a standard HTTP connection gives unauthorized users an even greater chance of monitoring sensitive data.

With the release of Chrome 56 at the end of the month, Google is now making it a requirement that you switch to HTTPs by marking any pages with password or credit card fields with an HTTP connection as “non-secure”. This is just a first step in Google’s quest to make the internet a safer place for private and sensitive data.

What’s at Stake by Not Switching to HTTPs

A number of things are at stake if you refuse to make the switch to HTTPs.

User trust. All users want their most valuable and sensitive data to be secure when they visit or use a site. HTTPs better protects user data; simple as that. Since HTTPs is becoming the standard, NOT having HTTPs is a red flag to users who are more-often recognizing that HTTP is not secure.

Search rankings. As early as 2014, Google started to incentivize site owners to encrypt their sites by making site security an SEO signal. But, in true Google fashion,  they are upping the ante – and fast – by (all but) forcing HTTPs. This means that they will essentially penalize you if you don’t make the switch. Your search rankings may not suffer dearly on day 1, and Google may offer some SEO guidance related to the new requirement, but we are not waiting, and you shouldn’t either. We are securing all domains in our portfolio straight away.

Your load time. Secure sites load faster than non-secure ones. A faster-loading site ensures greater user satisfaction. Page load time is also becoming an important ranking factor. All other things being equal, a slower site will rank lower.

How to Know if Your Site is Secure

Look for the lock! If you see a green lock icon or some other messaging that indicates “secure”, your site should already protected by HTTPS. If not, you may see a red warning or yellow triangle indicated that the site is not secure. How this messaging is displayed depends on your browser (Chrome, Firefox, Internet Explorer). Right now, this update solely affects Chrome. Keep in mind, however, that Chrome leads the market. Whatever it does, the other browsers are sure to follow.

What You Can Do to Make It Secure

If your site is still HTTP, you’ll need to update your sever with a valid Security Certificate ASAP. Start with obtaining an SSL Certificate from a Certificate Authority or use a server that support the Let’s Encrypt standard. This will encrypt and protect your users’ data on your site. An SSL Certificate also acts as a stamp of approval from a trusted source that says your domain and/or company is legit and secure. You can buy your certificate directly from producers like GeoTrust, Verisign and Comodo. You can purchase buy a cert from your host, ensuring perfect compatibility with their servers or from a domain layer service like CloudFlare.

We are fans of Let’s Encrypt which is supported by our host WP Engine.

This step-by-step guide lays out all the steps for migrating to HTTPS, but be aware: this process requires thorough link redirects and external link updates. If you’re uncomfortable doing this process on your own, contact a trusted web developer who can do all of this for you.

Closing Thoughts

Frankly, there is no reason why your site shouldn’t already be secure. Google’s release of Chrome 56 signals their deeper commitment to this new secure era where transparent security measures are the standard, not the exception. If your site is not using HTTPS, the time is now. Give your users the security they deserve and protect your search rankings in the process.