Starting in October, 2017, Google’s Chrome browser will display warnings on any web pages that contain an unencrypted webform. These include website login pages, blog comment forms and contact us forms. The change is slated to take effect with the release of Chrome version 62. This is another step in Google’s initiative to secure the internet. In 2014, Google announced that website encryption would become a ranking signal, factoring into Google search results. In January, 2017, Google Chrome began warning users when an HTTP (non-encrypted) web page contains credit card or password fields by displaying “Not Secure” in the address bar. What’s significant in the upcoming Chrome 62 release is the expansion of this warning to include pages with ANY data fields – not just credit card or password fields.
In other words, any webform on your site can trigger a warning if you’re not using encryption. Additionally, a “Not Secure” warning will be displayed in-line on webform fields served on non-secure web pages, which is likely to reduce form submissions, blog comments, white paper downloads, etc. In short, if your website contains a webform of any sort you will likely want the site delivered over HTTPS (encrypted).
Alphabet Soup: What is HTTP, HTTPS and SSL?
Answering this question is a matter of protocol – Hypertext Transfer Protocol – commonly abbreviated HTTP. This is the standard way your web browser communicates with websites on webservers across the internet. It’s why URLs, when formally written, include “http://”. Encrypting the communication between your browser and a webserver requires the website have a Secure Sockets Layer (SSL) certificate. Certificate authorities ensure certificates are only available to those who can verify they are who they claim to be. This makes it less likely that a hacker can pretend to be your bank, for example. With an SSL certificate in place on the webserver of the website you visit, HTTP becomes HTTPS, or HyperText Transfer Protocol Secure. Encrypted URLs begin with “https://”.
Is Your Website Affected by Google's Push for HTTPS?
Is your site already running full time HTTPS? If you answered “yes” to this question, then you will not be affected. If you don’t know, then it’s likely your site is not encrypted and you will be impacted by the change in Chrome. If you have an e-commerce site, then the answer depends on whether you have encrypted all traffic, or just shopping cart checkout traffic.
If you use Drupal, then by default your site will be impacted. The question is, how significant is the impact for your visitors? At a minimum, your login form for the Drupal admin section will be labeled “Not Secure”. At a minimum, this poses a training issue for your website administrators. The example below shows the Drupal login page for the same website in two browsers. Chrome (left) displays a prominent “Not Secure” message in the address bar, while FireFox (right) displays a more subtle broken padlock. With the release of Chrome 62, there will be additional “Not Secure” messaging in-line on the form fields themselves.
Pros of Encrypting Your Website with HTTPS
- Security - It really is more secure for your visitors to connect to your website over HTTPS/SSL. Encrypted connections can’t be read by a third party, which prevents hackers from stealing data as it flows between a visitor’s browser and your website.
- Search Benefit – There is a small, but real search engine optimization (SEO) benefit to securing your website using HTTPS. HTTPS is a ranking factor for Google. That means, all other things being equal, if your site answers a searcher’s question exactly as well as a competitor’s site, Google will favor the site using HTTPS, ranking it above the other.
- Verification – An SSL certificate tells your visitors that they have connected to you, not someone pretending to be you. This can be very important when trust is paramount, such as in financial or medical industries.
Cons of Encrypting your Website with HTTPS
- Expense – There are small expenses associated with adding HTTPS/SSL. There’s the annual cost of the certificate itself, along with associated costs of managing it. These tend to be affordable unless your website serves a specialized market, demanding the highest levels of security.
- Implementation – Getting a certificate takes some effort. There are hoops you must jump through to satisfy the issuing certificate authority. Then once you have your SSL certificate, it takes effort to get it in place on your webserver. Once SSL is working, troubleshooting is frequently required to make sure all elements of the website load over SSL as intended. Often there are little issues to clean up with tracking scripts, Google fonts, chat plugins, etc. A good webhost can solve these issues on your behalf.
- Performance – There is a small performance degradation associated with a website in full time HTTPS. HTTPS uses a little more CPU and bandwidth than non-secure web traffic. This used to be a significant issue for websites many years ago. However, this will continue to be less and less of a concern as servers get more powerful. On its own, the performance issue does not justify avoiding encryption.
In summary, Google is not likely to abandon their quest of making the web more secure.
“Eventually, we plan to show the “Not Secure” warning for all HTTP pages, even outside Incognito mode. We will publish updates as we approach future releases, but don’t wait to get started moving to HTTPS!,” says Chrome Security Team member, Emily Schechter.
Features that advance the HTTPS agenda will continue to become more prominent in future versions of Chrome. And, as with Google’s search engine, it’s likely we’ll see these features make their way into competing browsers. In fact, FireFox already shows a security warning on webforms served over HTTP. Whether it’s today, or a year from now, make sure you have HTTPS on your short list of features to add to your website.