If your website is served over plain HTTP, requests login credentials or credit card details on one or more pages, and is registered with Google Search Console, you would have recently received a warning email from Search Console.
This is part of Google’s “quest” to create a more secure internet experience, by encouraging websites to move to HTTPS.
Google initially announced this update in September 2016, advising that from
“January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”
They are now about to step this up a notch, and as of October 2017,
“Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.” Source.
While this update only affects visitors browsing your website from Google’s Chrome browser, it raises an important point about protecting your website and users’ data.
Google is often a front-runner in these situations as well, with the potential for other search engines to follow their lead.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user’s computer and the site. Users expect a secure and private online experience when using a website. We encourage you to adopt HTTPS in order to protect your users’ connection to your website, regardless of the content on the site.
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
- Encryption—encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages, or steal their information.
- Data integrity—data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Authentication—proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
Why move to HTTPS?
HTTPS provides a secure, private online user experience
Regardless of Google and Chrome’s warnings, as Google advise in the above explanation:
“Users expect a secure and private online experience when using a website.”
While there are many of us who know to look for secure signals such as HTTPS when entering login or credit card details, there are many who don’t. And unfortunately, there are many who also look to exploit this.
With more and more information being shared more frequently online, it is important for those of us who manage websites to do what we can to make the internet a better place.
HTTPS provides a minor search engine ranking boost
Prior to these more recent warnings, Google also publicly shared that websites with HTTPS receive a minor search engine ranking boost.
Although small, this Search Engine Optimisation (SEO) incentive provides another reason to make the change.
So what should you do?
Sign up with Google Search Console
If you haven’t already registered your site with Google Search Console, do.
It’s another useful free tool from Google that provides a “health check” of how your website appears and performs in search engines, and that’s always a good thing.
Review your website for non-secure pages
If you haven’t received a warning about your website collecting protected information on non-secure pages, you can still do a manual review of your site to determine if there are any areas where you are asking people for login or credit card details, even if it is something as simple as a basic member section with extra downloads. These will still be penalised.
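The manual review can be partly automated. The following is an added example, not code from Google or from this article: it parses a page's HTML and reports password and card inputs when the page is served over HTTP, and additionally any form whose action resolves to an http:// URL. The card field-name hints, the sample markup and the example.com addresses are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name hints for card data: a heuristic assumed for this example.
CARD_HINTS = ("cc-number", "cardnumber", "card_number", "creditcard", "cvv")


class FormAudit(HTMLParser):
    """Collect password/card inputs and form targets from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            target = urljoin(self.page_url, a.get("action", ""))
            if urlparse(target).scheme == "http":
                self.findings.append(("form-posts-to-http", target))
        elif tag == "input":
            hints = (a.get("name", "") + " " + a.get("autocomplete", "")).lower()
            if a.get("type", "").lower() == "password":
                self.findings.append(("password-field", a.get("name", "")))
            elif any(h in hints for h in CARD_HINTS):
                self.findings.append(("card-field", a.get("name", "")))


def audit_page(page_url, html):
    """Return the findings that apply to a page fetched from page_url."""
    parser = FormAudit(page_url)
    parser.feed(html)
    on_http = urlparse(page_url).scheme == "http"
    # Fields count only on an HTTP page; a form posting to HTTP counts anywhere.
    return [f for f in parser.findings if on_http or f[0] == "form-posts-to-http"]


# Constructed sample markup for the demonstration.
SAMPLE = """
<form action="/members/login" method="post">
  <input type="password" name="pass">
</form>
<form action="http://shop.example/pay">
  <input name="cardnumber" autocomplete="cc-number">
</form>
"""

print(audit_page("http://www.example.com/members", SAMPLE))
```

Run it over the saved HTML of each page that has a form; an empty list means nothing on that page matched.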
Review your Google Analytics for Chrome users
Did you know you can find out how many people are actually visiting your website from Google’s Chrome browser in your Google Analytics?
Simply visit Audience > Technology > Browser & OS
This will help you understand the priority for updating your website based on actual user behaviour.
Purchase a security certificate (SSL)
Purchase a security certificate (also known as an SSL certificate) from a reliable certificate authority.
Your existing domain registrar or website host may resell SSL certificates. They are often a good option, as this can keep your paperwork down by keeping your digital assets in one place, and may also ease implementation of the security certificate.
Plan your HTTP to HTTPS update
The implementation of your security certificate will vary from site to site. It is relatively easy, but it shouldn’t be rushed.
Work with your website developer/digital agency/search engine optimiser to plan when and how to implement the update.
Important factors include:
- 301 redirects: Redirect users and search engines to the HTTPS page or resource with server-side 301 HTTP redirects
- Verify that your HTTPS pages can be crawled and indexed by Google
Read more best practices for implementing HTTPS here.
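Once the redirects are in place they can be checked against recorded responses. The following is an added example, not code from Google or from this article: it walks the chain of status codes and Location headers captured for an old HTTP URL and lists what is wrong with it. The captures and example.com URLs are constructed, and the rule that each page keeps its path after the move is an assumption of the example.

```python
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}


def check_https_move(start_url, responses):
    """List the problems in a recorded redirect chain for one HTTP URL.

    responses: (status, Location header or None) for each request in order,
    captured without following redirects automatically.
    """
    problems = []
    url, final_status = start_url, None
    for status, location in responses:
        final_status = status
        if status not in REDIRECTS:
            break
        if status not in PERMANENT:
            problems.append(f"{url}: temporary redirect ({status}), expected 301")
        url = urljoin(url, location or "")  # Location may be relative
    if urlparse(url).scheme != "https":
        problems.append(f"chain ends on a non-HTTPS URL: {url}")
    if final_status != 200:
        problems.append(f"final status is {final_status}, expected 200")
    # Assumption for this example: every page keeps its path after the move,
    # so redirecting all old URLs to the homepage is reported.
    if (urlparse(url).path or "/") != (urlparse(start_url).path or "/"):
        problems.append(f"path changed: {start_url} -> {url}")
    return problems


# Constructed captures for one old URL.
OLD_URL = "http://www.example.com/members/login"
GOOD = [(301, "https://www.example.com/members/login"), (200, None)]
TO_HOMEPAGE = [(302, "https://www.example.com/"), (200, None)]
NO_REDIRECT = [(200, None)]

for name, capture in (("good", GOOD), ("to homepage", TO_HOMEPAGE), ("none", NO_REDIRECT)):
    print(name, check_https_move(OLD_URL, capture))
```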
Be prepared for some traffic changes
When moving your site from HTTP to HTTPS, Google views this as a website move with a URL change. This can temporarily affect some website traffic numbers.
Read more about site moves here.
Add your new HTTPS site to Google Search Console
As mentioned above, Google views a move from HTTP to HTTPS as a website move, so this new “version” of your website should be added to Google Search Console and verified to assist with site indexing, and understanding the search engine health of your “new” site.
It might sound like a lot, but it isn’t something that should be seen as scary, but rather as an opportunity to improve the online experience for your website and its users.
If you have any queries about how to move to HTTPS, please don’t hesitate to contact us.