Google’s strong arming to shape a secure web just took another twist

At the beginning of 2016 Google announced that they would begin warning Chrome users that they were accessing non-secure websites.

Now pages without HTTPS that collect sensitive information such as passwords, payment info, or any other personal information, will from the end of January 2017, receive a visual warning within the Chrome 56 browser.

Further, Firefox has announced that version 5, set for release around the same time as the Chrome update, will also start marking insecure pages with a broken padlock warning.

The rationale behind this latest update is to draw attention to websites that are potentially unsecure.

>See also: Google has killed off PageRank

Many publishers fail to realise that websites served over Http are open and therefore anyone is able to access the sensitive information that is shared between the site’s server.

This information can be accessed if the network is hacked which could result in the threat of a user’s private and sensitive information stolen or compromised.

Google’s plan for https everywhere is to clearly raise awareness amongst their users of “http” security issues. Websites that have a “https” URL have an added layer of security that ensures the user is visiting the website they intend to and have an extra level of protection.

As the update draws nearer, SEO agencies, publishers and marketers have already started receiving emails from Google notifying them of warnings which will trigger for their websites in Chrome 56.

Chrome 56 warning
Chrome 56 warning

The sudden notification via Search Console to publishers is actually something Google has been warning about since September 2016 and whilst it was previously thought to only affect pages that collect passwords or credit cards, it’s now clear this affects pages which trigger pop-ups or dialogue boxes which in turn collects this kind of information and eventually will affect all non-https pages whether they contain sensitive input or not.

So what action should publishers take, what are the timelines and the urgency needed?

>See also: How will Brexit impact Google’s ‘Right to be Forgotten’?

Chrome 56 (due for stable release on the 31st of January 2017) will only display a moderate visual warning in the first planned iteration.

Instead of an ‘Information’ icon, this will be supported by the grey text ‘Not secure’. Eventually however, and there are no timescales given, there will likely be a more visually powerful indicator of red text with a red triangle.

We can expect in January 2017 to see this rather weak visual indicator of insecure pages requesting passwords, payment info, or any other personal information
We can expect in January 2017 to see this rather weak visual indicator of insecure pages requesting passwords, payment info, or any other personal information

 

Google plan to label all HTTP pages as non-secure at some future stage, and change the HTTP security indicator to the red triangle that they use for broken HTTPS
Google plan to label all HTTP pages as non-secure at some future stage, and change the HTTP security indicator to the red triangle that they use for broken HTTPS

Knowing that the visual indicator of this insecure content is fairly moderate, for now, and may even be blind to most users, should allow publishers to rest slightly easier if they’re unable to meet Google’s timelines.

Further, whilst Chrome’s UK market share is high at 42% this isn’t indicative of users likelihood to update to the latest versions.

For many websites Version 54 holds around 30% of total browser usage with Chrome version 55, the current version, only holding around 15%. This information should further ease concerns around the urgency publishers need to prioritise https on some or all pages of their site.

Firefox 51, however, has around 10% market share in the UK and will show a broken padlock with red colouring to users for the same pages flagged by Chrome 56.

>See also: Google unwraps its first ever smartphone: the Pixel

In summary, whilst a full https migration is advisable and does have a high priority there are currently more pressing things within the industry for publishers that need attention. For example, Google’s Interstitial penalty or Google’s mobile first indexing switch.

So although publishers are increasingly becoming pressured to change to https, they can afford to take a ‘backseat’ approach on moving for the time being.

Warnings to users of insecure and unprotected pages will start off slow but will gradually over time get stronger and more apparent.

However, if publishers are going to put https on hold for the time being, they do need to be aware that the update is inevitably coming otherwise they could find themselves at risk of the updates sneaking up on them.

 

Blue Array

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Google