While I have whined that HTTPS:// is not super secure, it is certainly way more secure then not using HTTPS. Technically known as SSL or more correctly TLS, when you type HTTPS://, it signals the web browser to work with the web site to encrypt all of your information.
For the last year or two, Google has been waging a quiet war to encourage web site owners to use TLS on every page of every web site.
The way they are doing this is by changing how Google’s Chrome browser and Google’s search results handle non HTTPS-protected web sites. Since Chrome is now the majority browser out there, having a more than 50% share and Google itself is and has been the predominant search engine forever, how Google treats non HTTPS-protected web sites is important.
So what, exactly, is Google doing? There are a couple of things they have already done and more to come.
First, and pretty important for folks that depend on customers finding them through Google search results, if your website does not support HTTPS, Google will lower where you show up in the search results. That’s right, If you don’t support HTTPS, you will show up farther down the list. For people who depend on search results, even if you buy ad words, you are going to show up lower on the list if you do not support HTTPS.
Next thing they have already done is to pop up a red warning in the address bar that says NOT SECURE, if your web site asks for a userid and password and it doesn’t do that over an HTTPS connection. That probably makes sense – after all everyone wants their userid and password to be protected, but there are still many web sites that don’t use HTTPS to protect your login.
Come this October, Google is going to label all web pages that request ANY INPUT AT ALL as not secure if it is not done over HTTPS. That means that if all you have is a brochure web site and you have a search box on your web page, Google will flash up that red NOT SECURE warning in the address line.
Finally, the last announced phase of this effort is to label ALL WEB PAGES that are not using HTTPS as NOT SECURE. This is the exact opposite of what they were doing a few years ago when they labelled those pages that did use HTTPS as secure by displaying the padlock icon.
The plan here is to sort of shame web site owners into using HTTPS and I think it is a plan that is working. We are seeing many more web sites using HTTPS than ever before.
And, what Google’s Chrome does is usually done by Firefox sooner or later, in some cases, at the same time. Microsoft’s browsers typically lag way behind, but between Chrome and Firefox, you cover the vast majority of the user base.
Sooooooooo, if you do not currently support HTTPS, now is the time to start handling that. It really is not that hard to do, is not very expensive and sends the right message to your customers and visitors. After all, who wants their web site visitors to be greeted by NOT SECURE?
One last thing, there are two types of HTTPS, domain validation (DV) and extended validation (EV). With DV, which is, by far, the predominant type of HTTPS in use, your traffic is encrypted, but you have no assurance that who you think is the owner of a web site is, in fact the owner. With EV, you get an extra level of assurance that you are really talking to your bank and not someone masquerading as your bank. But, EV certificates are more expensive than DV certificates, so most sites just use DV. More about this in a future post.
If you have questions about setting up HTTPS on your web site, please contact us.
Information for this post came from ZDNet.