Don’t Let Google’s HTTPS Plan Disrupt Your Digital Presence
The following questions may get you to re-think your digital marketing priorities.
- What if Google Search only showed HTTPS-enabled websites in their results?
- What if a ‘This site is Not Secure’ notice was pasted on every page of your website?
Would either of these scenarios affect your business? Be prepared. Google is pursuing both ideas: HTTPS already counts as a ranking signal in Search, and Chrome is phasing in an explicit warning on HTTP pages. Together they will disrupt the established order of rankings on the web.
What is HTTPS?
Answer: HTTPS is HTTP carried over TLS. It encrypts the connection between a web browser and a web server, so that anyone on the network path can neither read nor alter the traffic, and it lets the browser verify that it is talking to the server named in the address bar. Learn more about HTTPS.
Turning Up the Heat on non-HTTPS Websites
How HTTPS Affects Google Search Engine Optimization (SEO)
30JAN2017 UPDATE: According to Let’s Encrypt, a major security milestone was reached. As of January 2017, over 50% of all loaded webpages are now encrypted with HTTPS.
As of 2017, 50% of all webpages loaded employ HTTPS
New Chrome Security Warning on HTTP Websites
Why is Google doing this?
The Chrome security team says it is doing this because the neutral indicator Chrome shows on HTTP pages does not register with users as a warning, and because users go blind to warnings that appear too often. Labelling HTTP pages explicitly as “Not secure” is meant to fix both problems.
Fortunately for website owners, Google is rolling out this security strategy slowly, in three phases, giving everyone time to plan.
Here are the three phases of Google’s SSL security plan…
Phase 1 – Present a subtle informational icon
This step has been in play for some months. Currently, when you visit an HTTP web page, Chrome displays a circled-i icon in the URL address bar. Clicking the icon pops up the notice “Your connection to this site is not secure”.
The phase 1 example below is from RollingStone.com
Phase 2 – Present an added written warning
This phase begins in January 2017 with Chrome 56. Chrome will display the words “Not secure” next to the circled-i icon when a visitor lands on an HTTP page that contains a sensitive form. As of this writing, Google defines a sensitive form as one that collects passwords or credit card numbers. Google may broaden what it deems sensitive before implementing phase 3.
Phase 3 – Present a visually compelling warning
In this phase, every HTTP web page will carry a prominent red warning icon in the address bar, so visitors to your website will see at a glance that it is not served over HTTPS. Google hasn’t announced a time-frame for this phase, but we’re confident it will happen.
Now is the Time for an HTTP to HTTPS Migration
Here at My Internet Scout we’ve seen a flood of interest about HTTPS. Since November 2016, about half of our clients have either deployed HTTPS or they’re on our calendar for deployment. And, our firm isn’t the only one witnessing this rapid adoption-rate. We’re hearing about high rates of SSL/HTTPS signups from other agencies as well. With this remarkable interest in SSL/HTTPS, we’re certain to see disruption in non-branded Search rankings by the end of Q1 2017.
More About SSL/TLS Certificates and HTTPS
HTTPS vs HTTP?
HTTP stands for Hypertext Transfer Protocol. In short, it is the application layer protocol within the Internet protocol suite that lets us all experience the World Wide Web (WWW). HTTP traffic is neither encrypted nor authenticated. That exposes users to man-in-the-middle (MITM) attacks, in which an attacker on the network path can read or alter the traffic and capture sensitive information.
HTTPS (also known as HTTP over TLS, HTTP over SSL or HTTP Secure) is HTTP carried inside an encrypted connection set up with TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer). The server presents a certificate so the browser can check it is talking to the right site, and the traffic in both directions is encrypted and integrity-protected. That defeats MITM attacks on the connection, both eavesdropping and forging of content exchanged between user and server.
What is SSL/TLS?
To set up HTTPS on a website, you need a certificate issued by a trusted Certificate Authority (CA), installed on the web server together with its private key. The certificate is what lets the server prove its identity to browsers when the HTTPS connection is established. Every certificate has a fixed expiration date and must be renewed before it lapses. All modern browsers support TLS, so visitors need no extra setup; they only need to be sent to the HTTPS URL.
SSL and TLS are successive versions of the same family of cryptographic protocols, and historically either could carry HTTPS. SSL (Secure Sockets Layer) was the original protocol. Its last version, SSL 3.0, was broken by the POODLE attack published in October 2014 and formally deprecated in June 2015 (RFC 7568); no version of SSL is considered safe today, and TLS (Transport Layer Security) has replaced it. Shopping for a public key certificate can still be confusing because the two terms are used interchangeably: since TLS is the successor to SSL, it is often still called “SSL” or “SSL/TLS”, and most CAs and resellers continue to market “SSL certificates”, so don’t be surprised if “TLS” is absent from their marketing verbiage. The certificate itself (an X.509 certificate) is independent of the protocol version, so any certificate sold today works with TLS.
SSL Certificates: The Options are Plentiful
What is a Certificate Authority?
First, let’s establish who issues SSL certificates. All SSL certificates are issued by a trustworthy entity called a Certificate Authority (CA). Webmasters have the choice of purchasing the certificates directly from a trusted CA or from an authorized trusted CA reseller. The top five CAs (Comodo, IdenTrust, Symantec, Godaddy and GlobalSign) hold over 90% of the SSL certificate issuance market. A larger list of trusted SSL certificate authorities can be found here.
Preparing for a SSL Purchase
Several features of a certificate have to be settled before it is purchased, because they cannot be added afterwards. The following sections describe them; make sure you know what you need before you buy.
To Wildcard Certify, Or To Not Wildcard Certify? You Decide!
Would you like to have HTTPS on your primary domain and its sub-domains? If so, a Wildcard certificate is likely to save you money. Most small businesses only need HTTPS for their main domain, usually because they run a single website. However, you may have more than one site and need HTTPS on sub-domains as well (for example blog.domain.com, helpdesk.domain.com or member.domain.com). This is where a Wildcard certificate helps. A normal (non-wildcard) certificate covers only the names listed in it, typically the primary domain and its www counterpart. A Wildcard certificate for *.domain.com covers every name one level below the domain (blog.domain.com, helpdesk.domain.com) but not deeper names such as a.b.domain.com, and it covers the bare domain.com only if the CA also lists that name in the certificate, so check that it is included.
There are other multi-domain options as well. If an organization wants to protect a set of domains that differ only in their top-level domain (e.g., domain.org, domain.com and domain.biz), or several unrelated domains, a UCC/SAN certificate (one that lists several names in its Subject Alternative Name field) can cover all of them in a single certificate.
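The three certificate shapes above differ only in which hostnames their list of names covers, and the wildcard rules are the part people get wrong. The following is an added example, not code from the original article: it checks a hostname against a certificate's names the way browsers do, with a wildcard accepted only as the whole leftmost label and standing for exactly one label. The name lists are constructed stand-ins for the three certificate types; domain.com is the article's placeholder.

```python
"""Does a certificate's list of names cover a given hostname?

Added example, not from the original article. Names are matched against the
certificate's dNSName entries the way browsers do: exact match, or a wildcard
that is the whole leftmost label and stands for exactly one label.
"""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive, and a trailing dot is the same name.
    return name.lower().rstrip(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (exact or wildcard) covers hostname."""
    cert_name, hostname = _normalize(cert_name), _normalize(hostname)
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels, host_labels = cert_name.split("."), hostname.split(".")
    # Only a whole-label wildcard in the leftmost position is accepted;
    # "w*.domain.com" and "www.*.com" are rejected outright. At least two
    # labels must follow the wildcard so "*.com" cannot match every .com host
    # (a full check would consult the public suffix list for names like co.uk).
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert_name[1:]:
        return False
    # "*" stands for exactly one label: "*.domain.com" covers blog.domain.com
    # but neither domain.com nor a.b.domain.com.
    return len(host_labels) == len(cert_labels) and cert_labels[1:] == host_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists standing in for the three certificate types in the text.
SINGLE_NAME = ["domain.com", "www.domain.com"]      # a plain single-domain certificate
WILDCARD = ["*.domain.com"]                          # wildcard without the bare domain listed
SAN = ["domain.org", "domain.com", "domain.biz"]     # UCC/SAN certificate

if __name__ == "__main__":
    hosts = ("domain.com", "www.domain.com", "blog.domain.com", "a.b.domain.com", "domain.biz")
    for names in (SINGLE_NAME, WILDCARD, SAN):
        print(names)
        for host in hosts:
            print(f"    {host:18} {cert_covers(names, host)}")
```

The case to notice is `WILDCARD`: it covers blog.domain.com and HelpDesk.domain.com but not domain.com itself, which is why the bare domain has to be listed alongside the wildcard if visitors type it.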
What Level of SSL Certificate Assurance Do You Need?
Once the wildcard decision is made, you should have an idea of what the certificate’s “Assurance Level” should be. The assurance level gives your visitors a certain level of confidence that…
- The website has a protected connection.
- The entity that applied for the SSL certificate is real and operational.
- The paperwork submitted for the certificate matches official public and/or private records.
Levels of SSL/TLS Certificate Assurance
The most common levels of assurance are presented in these primary certificate types…
Domain validation (DV) – Low or medium Assurance Certificates
DV certificates are the least expensive and most common type. The CA verifies only that the requester controls the domain, typically by one of three methods: an email sent to an address associated with the domain (the WHOIS contact or a standard address such as admin@ or webmaster@), a verification file the requester places at an agreed URL on the web server, or a DNS record the requester adds to the domain. Nothing about who the requester is gets checked.
Organization Validation (OV) – High Assurance Certificates
OV certificates provide more trust than DV certificates because they carry more validation requirements. Besides domain control, the CA vets the identity and location of the organization, for example against articles of incorporation or a Dun & Bradstreet record, and puts the verified organization name in the certificate. Because of the extra work, OV certificates are more expensive than DV.
Extended Validation (EV) – Highest Assurance level Certificates
EV certificates carry the highest level of trust of all certificates. Browsers currently display the verified organization name in a green address bar, so they are easy to recognize. To issue one, the CA usually requires the applicant to sign a subscriber agreement, then verifies the legal and operational existence of the organization and its physical address, validates domain control, and confirms that the person making the request is authorized to do so. EV certificates can be expensive for a small business budget.
SSL Certificate Costs
The price of a certificate varies with the combination of features chosen and other factors, such as the size of the CA’s warranty and the number of years until expiration.
What about Free SSL Certificates?
Yes. Free DV certificates are issued by a CA called Let’s Encrypt. These are real certificates, trusted by browsers, and the connections they secure are encrypted just like those of a paid certificate; however, there are caveats.
First, your web hosting company has to support the way Let’s Encrypt issues and renews certificates. Let’s Encrypt certificates expire every 90 days, and the short lifetime is deliberate: renewal is meant to be handled by an automated ACME client on the server, not by hand. A hosting company therefore needs an auto-renewal system and customer support for it in place before it can offer the service, and many still don’t offer it or allow it on their servers.
Second, these free certificates are no frills. Only DV certificates are offered; OV and EV validation cannot be purchased. Wildcard certificates were not offered when this was written (Let’s Encrypt began issuing them in March 2018), although a single certificate can list multiple domain names, up to 100. And the certificates carry no warranty or insurance.
Finally… part of what HTTPS is supposed to convey to visitors is that they’re dealing with a legitimate organization over a secure connection. A DV certificate, free or paid, asserts only that whoever requested it controlled the domain at the time, not who they are, and no-cost, automated issuance puts almost no barrier in front of an illegitimate site that wants the padlock. It wouldn’t be surprising to see the assurance given to no-cost certificates downgraded in some way as a result.
Free SSLs are Controversial. What’s the future for them?
Whenever free Internet tools are introduced, there always seem to be unintended consequences. This appears to hold true for HTTPS. Noting that applicants for free certificates do not go through a true identity check, Brian Kenyon, Chief Strategy Officer at Symantec, predicts long-term negative consequences in the marketplace. He states that organizations like Let’s Encrypt make SSL certification too easy for malicious players, and that long-term misuse of free certificates could diminish vendor trust in DV certificates and overall consumer trust in HTTPS.
“Secure Sockets Layer (SSL) abuse will lead to increased phishing sites using HTTPS. The rise in popularity of free SSL certifications paired with Google’s recent initiative to label HTTP-only sites as unsafe will weaken security standards, driving potential spear-phishing or malware programs due to malicious search engine optimization practices.”
– Brian Kenyon, Chief Strategy Officer, Symantec Corporation, on 2017 security trends
The SSL Certificate Purchase is Only the Beginning of the HTTPS Setup
Once the certificate has been issued by the CA and installed, additional steps are required for a proper HTTPS install on the web server and website. These final steps include:
- Correcting mixed content (where the page itself loads over HTTPS but some of its images, scripts, stylesheets or other resources are still requested over HTTP). Browsers block HTTP scripts, stylesheets and frames on an HTTPS page outright, and HTTP images and media cost you the padlock; either way the page is not shown as secure until every resource is fetched over HTTPS.
- Redirecting all HTTP traffic to the HTTPS pages with permanent (301) redirects, and collapsing the redirect chains that regularly arise when HTTPS forwarding is added on top of existing www/non-www redirects, so that each HTTP URL reaches its HTTPS destination in a single hop.
- Identifying and fixing website software that conflicts with HTTPS, and confirming every function of the site after the change. Older website software isn’t always HTTPS-friendly.
- Updating third-party services (such as Google Search Console and Google Analytics) so they know the website now runs on HTTPS; Search Console, for example, treats the HTTPS site as a separate property that has to be added.
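The first two steps are the ones that quietly fail after a migration, so they are worth checking mechanically rather than by eye. The following is an added example, not code from the original article or from any vendor tool: a mixed-content scanner that classifies HTTP sub-resources on an HTTPS page into active (blocked by the browser), passive (loads, but loses the padlock) and plain HTTP links, and a redirect-chain audit that flags chains longer than one hop, temporary redirects, loops and HTTPS-to-HTTP downgrades. The HTML page and the redirect table are constructed samples standing in for a crawl of the site; domain.com is the article's placeholder.

```python
"""Post-install HTTPS checks: mixed content on the HTTPS pages, and the
HTTP-to-HTTPS redirect chains. Added example, not from the original article or
any vendor tool; the HTML and the redirect table are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resources that run or lay out the page. Browsers refuse to fetch these over
# HTTP from an HTTPS page ("active" mixed content), so the page breaks.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# Media is still fetched, but the padlock is withdrawn ("passive" mixed content).
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = {"active": [], "passive": [], "http_links": []}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        stylesheet = tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            # Relative and protocol-relative ("//cdn/...") URLs take the page's
            # own scheme, so resolve against the page URL before judging them.
            if not value or urlsplit(urljoin(self.page_url, value)).scheme != "http":
                continue
            if (tag, name) in ACTIVE or (stylesheet and name == "href"):
                self.findings["active"].append(value)
            elif (tag, name) in PASSIVE:
                self.findings["passive"].append(value)
            elif tag == "a" and name == "href":
                # Navigation, not mixed content, but it walks the visitor back
                # onto HTTP and should be rewritten as well.
                self.findings["http_links"].append(value)


def scan_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def audit_redirects(start, redirects, max_hops=10):
    """Follow `start` through observed redirects {url: (status, Location)}.
    A URL missing from the table is the final destination. The chain is
    healthy ("ok") when it is one permanent hop that lands on HTTPS."""
    chain, statuses, url = [start], [], start
    while url in redirects and len(chain) <= max_hops:
        status, location = redirects[url]
        target = urljoin(url, location)  # Location may be relative
        statuses.append(status)
        chain.append(target)
        if chain.count(target) > 1:  # redirect loop: stop following
            break
        url = target
    schemes = [urlsplit(u).scheme for u in chain]
    report = {
        "chain": chain,
        "hops": len(chain) - 1,
        "loop": len(set(chain)) != len(chain),
        "permanent": all(s in (301, 308) for s in statuses),
        "ends_https": schemes[-1] == "https",
        # An https -> http hop anywhere undoes the migration for that visitor.
        "downgrade": any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])),
    }
    report["ok"] = (report["hops"] == 1 and report["permanent"] and report["ends_https"]
                    and not report["loop"] and not report["downgrade"])
    return report


# Constructed HTTPS page with one instance of each problem.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.domain.com/site.css">
<script src="//cdn.domain.com/app.js"></script>
<script src="http://analytics.example/tag.js"></script>
</head><body>
<img src="http://www.domain.com/images/logo.png"><img src="/images/hero.jpg">
<a href="http://www.domain.com/contact">Contact</a><a href="https://blog.domain.com/">Blog</a>
</body></html>"""

# Constructed redirect table: the apex-to-www hop creates a two-hop chain.
REDIRECTS = {
    "http://domain.com/": (301, "http://www.domain.com/"),
    "http://www.domain.com/": (301, "https://www.domain.com/"),
    "http://domain.com/about": (301, "https://www.domain.com/about"),
    "http://domain.com/old": (302, "/old"),  # temporary redirect that loops on itself
}

if __name__ == "__main__":
    print(scan_mixed_content("https://www.domain.com/", SAMPLE_HTML))
    for start in REDIRECTS:
        r = audit_redirects(start, REDIRECTS)
        print("OK " if r["ok"] else "FIX", " -> ".join(r["chain"]))
```

In the sample, `http://domain.com/` takes two hops (apex to www, then www to HTTPS) and is flagged, while `http://domain.com/about` goes straight to its HTTPS page in one permanent hop and passes; the fix for the first is to send the apex directly to `https://www.domain.com/`. The protocol-relative `//cdn.domain.com/app.js` is correctly not reported, because on an HTTPS page it resolves to HTTPS.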