Google is on a righteous and relentless drive to make the web a more secure place and The Google Chrome Security Team’s announcement has taken another step in that direction. From January 2017, websites that transmit passwords or credit card details will need to be HTTPS or they will be labelled “non-secure”. It doesn’t stop there – this is the first part of a long-term plan to mark all HTTP sites as non-secure as Google cracks down security.
When a website is loaded over HTTP, it is possible that someone else on the network can look at or modify the site before it gets to you. With HTTPS the “S” represents SSL (Secure Socket Layer) which basically means the link between your browser and the server is encrypted.
Studies have shown that users do not perceive the lack of a secure icon as a warning, but also that users become blind to warnings that occur too frequently. Chrome displays a green lock icon in the address bar for sites that are secure and currently indicates HTTP connections with a neutral indicator.
Chrome 56, due January 2017, will be the first release that marks HTTP pages with password or credit card form fields as insecure. Future releases will include HTTP warnings for Incognito mode and eventually all HTTP pages will be marked as non-secure with the same red triangle it currently uses for broken HTTPS sites.
HTTP / HTTPS Usage
A significant proportion of web traffic uses HTTPS now, and HTTPS usage continues to rise. Already more than half of Chrome desktop page loads are now served over HTTPS.
WordPress is following suit and starting from 2017, HTTPS will be the default for all websites powered by WordPress. Expect to see features in WordPress which require hosts to have HTTPS available, such as API authentication.
SSL was hard to implement, and could be pricey or slow. Today’s browsers, along with the success of projects like Let’s Encrypt have made HTTPS easier and cheaper than ever before.
It’s been 2 years since HTTPS was included as a ranking factor in Google’s algorithms. Although the gain you get in rankings is marginal, the costs of not having a secure domain are clear and are set to escalate in 2017.
Website owners who want to avoid having their HTTP sites labeled as not secure must act now. It may have been something you’ve not considered or been putting off but if your website is not running on HTTPS yet, then now is the time to change or risk being left in the past.
If you would like to find out more about this then our friendly experts are here to help. So drop us a line! Atelier is a web development agency in Hampshire