Following several years of communiqués, Google has pushed the button and decreed that all websites must become “secure” and adopt https. If your site visitors use Chrome, pay attention.
You have, no doubt, used websites displaying the padlock icon in the top left of the browser.
This means the website has installed an SSL or TLS certificate to create a secure connection, so data exchanged between the website and the visitor cannot be read by a third party even if it is intercepted.
These sites also display the https protocol in the address bar. HTTP stands for “hypertext transfer protocol” and the “s” on the end stands for “secure”.
Typically, it’s for protecting credit card details on eCommerce sites, yet in a world where privacy is climbing the social and tech agenda, any type of website collecting any type of data needs to be secure.
Creating a generally improved internet experience is Google’s agenda (so they say) but as usual, there’s more to it than selfless tech philanthropy.
What Does TLS Do For a Website?
Before we discuss what you need to do to secure your website, here are a few quick points on what SSL/TLS does:
- Verifies that you are communicating directly with the server that you think you are communicating with
- Ensures that only the server can read what you send it and only you can read what it sends back
- Adds a “secure” padlock icon next to the website address
An SSL or TLS certificate is essentially a file that asserts a particular identity, usually a domain name.
Anyone can create one, but it is the digital signature from a trusted certificate authority that allows a party to verify that another party’s claim to an identity is legitimate. The so-called “handshake” between server and client then establishes the encrypted connection.
Someone else, with a greater understanding of security certificate technology than I, has published “How does https actually work?”
Chrome Will Show Website Security Warnings
Search engine success is loosely tied to https, but how much the provision of an SSL or TLS certificate will move the needle for website ranking is unclear.
It shouldn’t be viewed as a silver bullet that would catapult your site into pole position in search engine results pages, but rather a minimum requirement for helping your site appear trustworthy.
And that’s the bigger picture here: trust.
In September 2016 the Chrome Security Team published a blog post about impending browser updates in which Chrome would begin displaying warnings to users about non-https sites.
As stated at the Chromium Project website: “The goal of this proposal is to more clearly display to users that HTTP provides no data security.”
I’ve already seen explicit warnings in Chrome alerting me to errors about broken TLS certificates on certain sites. In these cases, the https was present in the address of the site but disputed by Google.
In January 2017, Chrome began gently cautioning users about plain old http websites.
Clicking the symbol reveals the message, “Your connection to this site is not secure”.
Eventually, users will begin seeing a warning symbol for http sites that have not switched over to https.
At the time of writing this article, it’s May 2017. In 2016 Google said these https changes would occur gradually:
Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria.
Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.
In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.
If you’re planning to build a website or improve your existing one in some way, get a security certificate added to your site so that it displays the padlock symbol.
Update 2019: Chrome is showing the following message for http websites:
The other browsers are implementing a similar warning policy. As of May 2017, Opera and Firefox are displaying the “soft warnings”, so we should probably expect those to eventually become explicit too.
Google Produced a Study
Google’s think-tank Chromium organisation produced a study asking 1,329 people what gave them a sense of trust, or a lack of it, in their normal browsing activity.
Most of the respondents had a basic understanding of https (secure) but knew less about http (non-secure).
One of the concerns cited in the study was the number of new users coming online for the first time via mobile, where the screen labels are reduced in size and number. This minimisation in mobile web design makes it harder to communicate the level of risk accurately on narrower screens.
Is It Worth It?
How much of a problem this website security issue is for small business websites remains to be seen.
How much the use of a security certificate will improve your business is unclear.
I’ll say this though: a terrible site with poor content, few or no backlinks and no reputation isn’t going to suddenly rank well because of a security certificate.
That said, once the Chrome browser warnings are cranked up, the lack of a certificate might seriously deter someone from using your site.
Look at https as an entry-level criterion when building your site. If your site is live and you haven’t already done so, make it a priority to secure your site.
Let’s Encrypt Offers Free TLS
There’s a new certificate authority offering free TLS called Let’s Encrypt, a project driven by Google, Mozilla and the Linux Foundation.
This means you can add https relatively easily at no charge.
I’ve already added Let’s Encrypt for free to some of my own websites and client websites, which was fairly straightforward since I happen to use Dreamhost, who are partnered with Let’s Encrypt.
Better still, if you’re using Cloudflare (also free), you get an extra layer of protection, since Cloudflare is compatible with Let’s Encrypt.
You can go ahead and buy a TLS certificate through your current web host if you want to, but if you use a Let’s Encrypt partnered web host, you won’t need to spend anything.
Use a Let’s Encrypt Partner Webhost
Sadly, GoDaddy is not a partner host. SmallBizGeek is currently hosted on GoDaddy and uses Let’s Encrypt, although I have to manually renew it every 90 days.
The advantage of using one of the partner hosts is that they take care of reissuing your certificate automatically, taking away the worry of a broken security certificate and the browser warning messages we’re so keen to avoid.
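As an added example (not code from the original post, nor from any of the hosts it mentions), here is a small Python script that performs the two checks described earlier in this post, identity and validity, on a certificate in the shape returned by Python’s own ssl.getpeercert(), and reports how many days remain before a 90-day renewal is due. The hostname example.test, the dates and the 14-day warning threshold are constructed values.

```python
import socket
import ssl


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Identity check a browser makes: is this host named in subjectAltName?"""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True  # wildcard covers exactly one label, e.g. www.example.test
        if name == host:
            return True
    return False


def check_certificate(cert: dict, hostname: str, now: float, warn_days: int = 14) -> dict:
    """Summarise identity and validity of a cert in ssl.getpeercert() form.

    `now` is Unix time; an expired certificate is what makes Chrome show
    the broken-HTTPS warning, so days_left is the number to monitor.
    """
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # stdlib helper, expects GMT
    days_left = int((expires - now) // 86400)
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left < warn_days,
    }


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Fetch a live server's certificate with the default chain verification."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in ssl.getpeercert() shape: a 90-day certificate issued
# on 1 April 2017, the lifetime Let's Encrypt uses.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notBefore": "Apr  1 00:00:00 2017 GMT",
    "notAfter": "Jun 30 00:00:00 2017 GMT",
}
```

Run check_certificate(SAMPLE_CERT, "www.example.test", time.time()) offline, or pass fetch_peer_cert("your-host") for a live site; a renew_soon of True a couple of weeks before the 90 days are up is the cue to renew by hand on a host that does not do it for you.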
You could always move your site to a web host supporting Let’s Encrypt if you really want to save the money on the SSL/TLS certificate.
Analysis: Security Matters
Even if you’re running a simple site, go for https. It doesn’t matter that you’re not making electronic financial transactions through the site.
Think about email enquiry contact forms, user login credentials and members’ area data. When a user submits their personal information to your site, they want to know that it’s encrypted.
If you’re in a competitive niche, and your rivals have already added https to their site, arguably, they’ve got an advantage over you, however small, not only from a search engine ranking perspective but a peace-of-mind-for-visitors perspective.
The inevitable gold rush mentality of marketers trying to get any and all SEO advantages means that https is often added to a site with some naive assumptions. Don’t fool yourself into thinking this will make a huge ranking difference.
Consider https a minimum requirement in a world where hacking is the norm and security concerns are high on the agenda for consumers.