At the beginning of 2016 Google announced that they would begin warning Chrome users that they were accessing non-secure websites.
Now pages without HTTPS that collect sensitive information such as passwords, payment info, or any other personal information, will from the end of January 2017, receive a visual warning within the Chrome 56 browser.
Further, Firefox has announced that version 5, set for release around the same time as the Chrome update, will also start marking insecure pages with a broken padlock warning.
The rationale behind this latest update is to draw attention to websites that are potentially unsecure.
>See also: Google has killed off PageRank
Many publishers fail to realise that websites served over Http are open and therefore anyone is able to access the sensitive information that is shared between the site’s server.
This information can be accessed if the network is hacked which could result in the threat of a user’s private and sensitive information stolen or compromised.
Google’s plan for https everywhere is to clearly raise awareness amongst their users of “http” security issues. Websites that have a “https” URL have an added layer of security that ensures the user is visiting the website they intend to and have an extra level of protection.
As the update draws nearer, SEO agencies, publishers and marketers have already started receiving emails from Google notifying them of warnings which will trigger for their websites in Chrome 56.
The sudden notification via Search Console to publishers is actually something Google has been warning about since September 2016 and whilst it was previously thought to only affect pages that collect passwords or credit cards, it’s now clear this affects pages which trigger pop-ups or dialogue boxes which in turn collects this kind of information and eventually will affect all non-https pages whether they contain sensitive input or not.
So what action should publishers take, what are the timelines and the urgency needed?
Chrome 56 (due for stable release on the 31st of January 2017) will only display a moderate visual warning in the first planned iteration.
Instead of an ‘Information’ icon, this will be supported by the grey text ‘Not secure’. Eventually however, and there are no timescales given, there will likely be a more visually powerful indicator of red text with a red triangle.
Knowing that the visual indicator of this insecure content is fairly moderate, for now, and may even be blind to most users, should allow publishers to rest slightly easier if they’re unable to meet Google’s timelines.
Further, whilst Chrome’s UK market share is high at 42% this isn’t indicative of users likelihood to update to the latest versions.
For many websites Version 54 holds around 30% of total browser usage with Chrome version 55, the current version, only holding around 15%. This information should further ease concerns around the urgency publishers need to prioritise https on some or all pages of their site.
Firefox 51, however, has around 10% market share in the UK and will show a broken padlock with red colouring to users for the same pages flagged by Chrome 56.
In summary, whilst a full https migration is advisable and does have a high priority there are currently more pressing things within the industry for publishers that need attention. For example, Google’s Interstitial penalty or Google’s mobile first indexing switch.
So although publishers are increasingly becoming pressured to change to https, they can afford to take a ‘backseat’ approach on moving for the time being.
Warnings to users of insecure and unprotected pages will start off slow but will gradually over time get stronger and more apparent.
However, if publishers are going to put https on hold for the time being, they do need to be aware that the update is inevitably coming otherwise they could find themselves at risk of the updates sneaking up on them.