Switch over to HTTPs by 2017 or risk losing customers

Google announces it will start warning Chrome users that a site is 'insecure' if it uses HTTP. Due to begin in January 2017, are you ready to switch over to HTTPS?

It’s common knowledge that Google have been pushing HTTPS sites for a while now, and gives extra ranking juice to sites that have implemented this.

But it’s been recently announced that Chrome will start flag up warnings and point out sites that use insecure HTTP connections for credit cards and log-ins as insecure.

A provisional January 2017 date has been pencilled in for this warning to start appearing within Chrome – telling users that any personal information submitted isn’t secure.

That’s fair enough you’d think, but the idea is to eventually roll out this warning to all HTTP pages. We did not see that coming.

What should you do if your site requires a log in?

Some eCommerce sites still don’t use a Secure Sockets Layer (SSL) to transmit personal information. If you’re one of those websites, you have til January 2017 to get one. Otherwise, visitors to your site will get a warning that states your site may not be secure.

Will it affect me if I don’t use HTTPS?

Most probably it will. When a visitor that uses Chrome lands on your page and sees a warning that any information entered is "not secure", most people will hammer away at the back button.

Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure.

Google (Sept. 2016)

If you run an eCommerce store using platforms such as Magento or osCommerce but don’t use SSL, imagine the number of abandoned carts? When Chrome tells the buyer that the card details they’re about to enter isn’t in a secure environment, you will lose customers.

You’re going to need to make your moves if you run a site using WordPress, Ghost, Wix, Weebly – basically any Content Management System (CMS) that requires a login.

Just so you're aware, the time for first byte to be parsed by the browser is slower with SSL than without. Everyone should be affected by this 'issue' in theory – assuming everyone listens to Google and implements HTTPS.

Linked News
Google Security Blog: Making the move from HTTP to HTTPS. https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

The THREE best ways to get a cheap SSL certificate

We have SSL implemented across all our sites. We have a way of doing it for free, but it is a bit of a workaround which we’ll explain towards the end.

Hosts can sometimes be a pain in the backside and some may try and claim that you need to open a dedicated IP account with them. Or they may and try to charge you for it. eHost and iPage tried to charge us around $40 to $50 for an SSL. We said no thanks.

Unless your hosts have got some kind of freebie offer, then you can use something like Let’s Encrypt, which is trusted and it’s free. With the free SSL certificate, your site’s content becomes secure.

A tried and trusted SSL layer is using the free Comodo certificate, but is limited to 90 days free use per site.

We use CloudFlare on our sites where possible. The reason behind this is dual:

Firstly, we CloudFlare distributes our content from local servers to the user and secondly, we get a free SSL certificate. Bonus!

It does require a bit of site management and configuring at the beginning, but it's totally worth it. We'll be happy to show you how to implement this method on your site. Just leave a comment below or get in touch using the contact page.

Free SSL Certificates
Lets Encrypt: Free SSL encryption provider. https://letsencrypt.org/

Comodo: Free SSL encryption provider. Limited period usage. https://ssl.comodo.com/free-ssl-certificate.php

CloudFlare: Free SSL layer as part of the service. https://www.cloudflare.com/ssl/

Will this affect Google Chrome negatively?

Is this Google yet again trying to dictate and enforce its market domination? Perhaps you might say, but we’re strong advocates of security, so we’re going to give them a pass on this one.

Some suggest that site visitors are going to get seriously irritated when there are messages popping up all over the place giving them warnings about the security – especially when there the site doesn’t require any personal information.

Will site visitors start ignoring these warnings like ads or background noise and is there a risk of users going off Chrome and switching to other browsers?

We definitely do plan to label all HTTP pages as non-secure eventually.

Google (Sept. 2016)

A little too melodramatic perhaps, but unless other browsers such adopt a similar stance, then this may not work out as well as Google hope.

Further thoughts

What about HSTS? Will Chrome eventually make this mandatory?

Let’s say you’re already using HTTPS and are reaping the SEO benefits of having this. What can give you bonus points in the eyes of Google? While we don’t want to get into the technical aspects of it, HSTS  (HTTP Strict Transport Security) is the next layer above that and is something that you could implement.

In fact, we wonder if or when Google will look to enforce HSTS as they have done with HTTPS.

Linked News
We will be happy to hear your thoughts

      Leave a reply

      Font Resize
      Login/Register access is temporary disabled