Originally posted: August 28, 2017
New 'Browser Warning' Impacts Websites Without SSL
Google’s August announcement demonstrates a heightened initiative to protect online visitors:
“In January, we began our quest to improve how Chrome communicates the connection security of HTTP pages. Chrome now marks HTTP pages as “Not secure” if they have password or credit card fields. Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”
What to expect this Fall…
Effective this October, the latest Chrome web browser (version 62) will again expand its warnings, labeling info-request pages as 'Not Secure' when the website doesn't have an SSL (Secure Sockets Layer) certificate installed. The same warning will appear on any such web page visited using Google's Incognito mode.
The browser will check for the presence of two kinds of form fields, text or email, to determine when to warn visitors by displaying a subtle 'Not Secure' label in the website's address bar, but only when the web page isn't protected with SSL encryption. Since January 2017, pages that request a password to log in, such as admin or members portals with restricted content, have displayed the 'Not Secure' label only if the site isn't transmitting content over SSL encryption. By contrast, websites with a valid SSL certificate are shown to visitors as 'Secure', indicated with a comforting green padlock.
The trend has been established…
This is just the beginning. Google's 2017 initiative alerts the online industry that near-future releases of Chrome won't be limited to just info-request forms and password fields. Google intends to trigger the 'Not Secure' label on ANY page of a website that doesn't have an SSL certificate installed. While the exact date of this stricter standard isn't known, there's little question that Google intends to continue its trend of alerting Chrome users when directing them to a website that doesn't offer SSL-encrypted protection.
Are all browsers affected - what if I use Firefox or other browsers?
The implications of this new industry standard are far-reaching. Google Chrome, while it retains the lead as the dominant browser, used by over 60% of online visitors, isn't the only one on a quest to make visitors more informed. Mozilla's Firefox browser now also holds website owners and their web designers to the higher website security standard, and the trend is expected to continue across all browsers in the immediate future.
How will this notification affect your business?
All website owners want site visitors to be confident in their browsing experience. Some degree of visitor confidence is needed before many of us will (or should) complete an 'Information Request' form on a website, provide an email address for a newsletter, get an online quote, or purchase products. While SSL certificates remain the minimum standard requirement for e-commerce transactions, installing one on every website – even those that don't have forms and online shopping – should now be valued by your business as an easy, low-cost means to demonstrate your respect for visitors' privacy while instilling trust online – all long before asking your visitors to share their personal information.
Will an SSL certificate make our website safe?
While Chrome and other browsers will soon quickly confirm and label the visitor experience as 'Secure' (or display a padlock), the label 'Secure' is probably a bit misleading. What's really happening is that the contents of the webpage have been scrambled via a complex encryption process, using a certificate issued to your company or your web provider. Varying levels of organizational and domain-level authentication are available when an SSL certificate is issued (usually annually), and these help inform the visitor who the organization doing the scrambling is. While this process makes it virtually impossible for others using your network to 'capture' and read your online transmissions, it's a bit of a stretch to imply that it alone will make the entire visitor experience entirely secure. Any data captured online may still be transmitted via email, stored in databases, and possibly distributed in raw text form. However, this new step is a bold move in the right direction and makes it even more difficult for others to use and abuse network traffic to capture data from unsuspecting website visitors.
Visitors who enjoy Chrome's Incognito browser will also start seeing a warning on every non-SSL website they visit beginning this Fall. The Incognito window does a nice job of not retaining your browsing history or your form field data in the browser, nor does it allow others who use your computer to see your browsing history when they log in under their own profile. However, just like any other web visit, traffic is still communicated across a network, and if that traffic isn't encrypted, it can be easily seen by others with watchful resources. Google has therefore alerted the industry that all websites without an SSL certificate visited using the Incognito window will be labeled as 'Not Secure' on all pages of the website, not just pages containing forms with password, email, or text fields.
Soon, we can expect to see this as the new standard applied to all website traffic, Incognito or otherwise. While these changes initially will affect over 60% of online visitors in October, we can expect to see others follow and make SSL encryption the baseline of online safety, not unlike seatbelts and airbags in our cars.
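As an added example (not part of the original article, and not Chrome's own code), the following Python audit applies the warning rules as this article describes them, so a site owner can list which pages would be labeled 'Not Secure'. The `audit_page` helper, the `cc-` autocomplete check used to recognise credit card fields, and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FieldCollector(HTMLParser):
    """Records the type and autocomplete hint of every <input> element."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            # An <input> without a type attribute defaults to "text".
            kind = (a.get("type") or "text").strip().lower()
            hint = (a.get("autocomplete") or "").strip().lower()
            self.fields.append((kind, hint))


def audit_page(url, html, incognito=False):
    """Return the reasons a page would be labeled 'Not Secure' (empty if none)."""
    if urlparse(url).scheme.lower() == "https":
        return []  # delivered over SSL/TLS, so none of the warnings apply
    collector = FieldCollector()
    collector.feed(html)
    kinds = {kind for kind, _ in collector.fields}
    reasons = []
    # Rule in place since January 2017: password or credit card fields.
    if "password" in kinds:
        reasons.append("password field")
    # Assumption: card fields are recognised by an autocomplete="cc-*" hint.
    if any(hint.startswith("cc-") for _, hint in collector.fields):
        reasons.append("credit card field")
    # Rule added in Chrome 62: fields where the visitor enters data.
    if kinds & {"text", "email"}:
        reasons.append("text or email field")
    # Rule added in Chrome 62: every HTTP page seen in Incognito mode.
    if incognito:
        reasons.append("HTTP page in Incognito mode")
    return reasons


# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "http://example.test/contact": '<form><input type="email"><input name="msg"></form>',
    "http://example.test/login": '<form><input type="text"><input type="PASSWORD"></form>',
    "http://example.test/about": "<h1>About us</h1>",
    "https://example.test/contact": '<form><input type="email"></form>',
}
```

Calling `audit_page(url, html)` for each entry in `SAMPLE_PAGES` shows that the same contact form is flagged over HTTP and clean over HTTPS, and that a page with no form at all is still flagged once `incognito=True`.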
Will our SSL decision affect our ranking on Google?
While we haven't seen any announcement from Google that not having SSL negatively affects a website's rank, it is expected. Google doesn't just provide the Chrome browser, they're fairly involved in the search industry too! Since they hold the reins of both visitors searching and the tools the visitors use for their search, it's to be expected that they'll reward website owners/providers who follow their recommendations (if all other ranking measures are equal) with a higher position when they demonstrate that SSL protection is provided for site visitors.
Is SSL now mandatory – do I have to add it to my website?
No. This is an industry-wide security change in browsers, but having SSL on your website is not mandatory. Website owners and their providers can opt to ignore the new SSL initiative – and hope their visitors do too, but doing so may have some negative consequences that could be far more costly than an annual SSL certificate:
Actions to take…
Proactively, check with your web provider to determine if adding SSL to your website is the right choice for you; chances are they will agree. The cost of SSL varies, and while the issuance of the certificate can range from inexpensive to hundreds of dollars, installation of the certificate on the website server is also needed.
Proactively, we continue to encourage all ISADEX clients to join us with a domain-validated SSL certificate on their website using 256-bit encryption. Not only will this help protect your visitors' experience online, it will go a long way to share your appreciation for their security and confidentiality. What do you think about Google's new initiative? While adding some cost to a website, do you feel the annual cost is justified by the increased security it provides? Please let me know by sending an email to firstname.lastname@example.org. I'll also try to include your comments in follow-up articles and addendums.
Tim Miller, President
ISADEX Web Design and Marketing
Madison | Stoughton | Wisconsin