Google’s strong-arming to shape a secure web everywhere just took another twist
Simon Schnieders
Founder of the UK's largest specialist SEO & generative engine optimisation (GEO) agency | B Corp
At the beginning of 2016 Google announced that they would begin warning Chrome users that they were accessing non-secure websites. Now pages without HTTPS that collect sensitive information such as passwords, payment info, or any other personal information will, from the end of January 2017, receive a visual warning within the Chrome 56 browser. Further, Firefox has announced that version 51, set for release around the same time as the Chrome update, will also start marking insecure pages with a broken padlock warning.
The rationale behind this latest update is to draw attention to websites that are potentially insecure. Many publishers fail to realise that traffic to websites served over HTTP is sent in the open, so the sensitive information shared between the user and the site’s server can be read by a third party. This information can be accessed if the network is hacked, which could result in a user’s private and sensitive information being stolen or compromised.
Google’s plan for HTTPS everywhere is clearly to raise awareness amongst its users of HTTP security issues. Websites with an “https” URL have an added layer of security that ensures the user is visiting the website they intend to visit and gives them an extra level of protection.
As the update draws nearer, SEO agencies, publishers and marketers have already started receiving emails from Google notifying them of warnings which will trigger for their websites in Chrome 56.
The sudden notification to publishers via Search Console is actually something Google has been warning about since September 2016. Whilst it was previously thought to affect only pages that collect passwords or credit cards, it’s now clear that it also affects pages which trigger pop-ups or dialogue boxes that in turn collect this kind of information, and that it will eventually affect all non-HTTPS pages, whether they contain sensitive input or not.
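As an added example (not part of the original article), the following Python code audits crawled HTML for the pages the warning targets: ones served without HTTPS that contain password or payment card inputs. The field heuristics (`type="password"`, `autocomplete` tokens starting with `cc-`), the function names and the sample pages are assumptions made for the example, and pop-ups or dialogue boxes injected by script are not visible to a static check like this one.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: sensitive fields are approximated as password inputs and inputs
# whose autocomplete token starts with "cc-" (payment card data).
class SensitiveFieldFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.fields = []        # sensitive inputs found on the page
        self.http_actions = []  # form targets that resolve to plain HTTP

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            tokens = a.get("autocomplete", "").lower().split()
            if a.get("type", "").lower() == "password":
                self.fields.append("password:" + a.get("name", "?"))
            elif any(t.startswith("cc-") for t in tokens):
                self.fields.append("card:" + a.get("name", "?"))
        elif tag == "form":
            # A relative or empty action inherits the page's own scheme.
            target = urljoin(self.page_url, a.get("action", ""))
            if urlparse(target).scheme == "http":
                self.http_actions.append(target)

def audit_page(page_url, html):
    """Return a finding dict for one crawled page (page-level, not per form)."""
    finder = SensitiveFieldFinder(page_url)
    finder.feed(html)
    insecure_page = urlparse(page_url).scheme != "https"
    return {
        "url": page_url,
        "fields": finder.fields,
        # Warning case from the article: sensitive input on a non-HTTPS page.
        "flagged": insecure_page and bool(finder.fields),
        # Related risk: sensitive input on a page with a form posting over HTTP.
        "insecure_submit": bool(finder.fields) and bool(finder.http_actions),
    }

# Constructed sample pages (not real sites).
SAMPLES = {
    "http://shop.example/login": '<form action="/session"><input type="PASSWORD" name="pw"></form>',
    "https://shop.example/pay": '<form action="http://shop.example/charge"><input name="pan" autocomplete="cc-number"></form>',
    "http://shop.example/blog": '<form action="/search"><input type="text" name="q"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(audit_page(url, html))
```

Pages reported with `flagged` set are the ones to move to HTTPS first; `insecure_submit` catches an HTTPS page that still sends its form data over HTTP.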
So what action should publishers take, what are the timelines and the urgency needed?
Chrome 56 (due for stable release on the 31st of January 2017) will only display a moderate visual warning in the first planned iteration. Instead of the ‘Information’ icon on its own, the warning will be supported by the grey text ‘Not secure’. Eventually, however, although no timescales have been given, we will likely see a more visually powerful indicator of red text with a red triangle.
In January 2017 we can expect to see this rather weak visual indicator on insecure pages requesting passwords, payment info, or any other personal information.
Google plan to label all HTTP pages as non-secure at some future stage, and change the HTTP security indicator to the red triangle that they use for broken HTTPS.
Knowing that the visual indicator of this insecure content is fairly moderate, for now, and may even go unnoticed by most users, should allow publishers to rest slightly easier if they’re unable to meet Google’s timelines. Further, whilst Chrome’s UK market share is high at 42%, this isn’t indicative of users’ likelihood to update to the latest versions. For many websites, Chrome version 54 holds around 30% of total browser usage, with Chrome version 55, the current version, only holding around 15%. This information should further ease concerns around how urgently publishers need to prioritise HTTPS on some or all pages of their site. Firefox 51, however, has around 10% market share in the UK and will show a broken padlock with red colouring to users for the same pages flagged by Chrome 56.
In summary, whilst a full HTTPS migration is advisable and does have a high priority, there are currently more pressing things within the industry that need publishers’ attention. For example, Google’s Interstitial penalty, which launched on January the 10th, or Google’s mobile-first indexing switch, which is expected to happen in the coming months.
So although publishers are coming under increasing pressure to change to HTTPS, they can afford to take a ‘backseat’ approach to moving for the time being. Warnings to users of insecure and unprotected pages will start off slowly but will gradually get stronger and more apparent over time. However, if publishers are going to put HTTPS on hold for the time being, they do need to be aware that Google and other browsers are serious about HTTPS everywhere, and they could find themselves at risk of further, more aggressive updates sneaking up on them.
In 2017 we could very well also see HTTPS as a ranking signal for SEO being given far more weight than its current tiebreaker impact.