In a push to further secure and better encrypt the internet, Google has been making changes to how their various products and services treat SSL certificates. The new default for Google’s outlook on the internet includes encryption – a secure connection (HTTPS) is required, no longer a feature only for online banking and shopping sites.
This decision is arguably the right move for the internet, in an age of privacy concerns and 3 letter agencies doing mass surveillance with bulk data collection, but it can be harmful to your business if your website remains insecure. If your website is available over HTTP but not HTTPS, it’s possible that you may see a loss in traffic and user trust, and likely a negative impact on your conversion rates.
Chrome Listing Websites As “Not Secure”
Google made an announcement on their security blog in early 2018 about the changes coming to Google Chrome and the changes they were making to alert web surfers that they are browsing an insecure site. A previous announcement in October 2017 stated that these changes were coming, but at that time they only applied to HTTP (non-secured) pages where users were asked to enter personal information.
Starting in July 2018 Google launched the change in Chrome that any websites loading over HTTP would now carry a “Not secure” warning in the browser’s address bar by default. This was a big shift, from treating unsecured websites neutrally (except in scenarios where personal data was being entered) to looking at them in a negative light at all times. These changes also brought a shift to how HTTPS encrypted sites were treated as the new default. Previously a secure site would show a green padlock icon in Chrome, but now they are only identified with a gray padlock icon.
To make things even worse for unencrypted sites, 1 year after the original change to alert users entering information into HTTP sites, in October 2018 Google changed that gray “Not secure” warning to a bright red warning with an alert icon. This means that if you have an email signup form, a contact form, or anything on your site that requests information from your visitors – those visitors will now see a red warning when they try to give you their details.
What is an SSL Certificate?
An SSL certificate is a security certificate that allows a secure connection between a computer and a web server. Utilizing a public and private key pair, a website you’re connecting to is able to both send data privately to your browser and receive data privately that you enter into the site. It prevents prying eyes sitting anywhere on the internet between you and the site from intercepting or copying the data in plain text and being able to read things you may enter into the site.
Encryption is the main purpose of an SSL certificate, but it also allows for authentication. Not just anyone can create an SSL certificate that loads perfectly fine; your computer will only allow connections to sites that have an SSL certificate signed by a trusted certificate authority. Certificate authorities verify that the SSL certificate being requested actually belongs to the company or website requesting it.
You’ve probably seen “This website is not secure” warnings from your web browser before while going across the web. These are normally a result of an expired SSL certificate (certificates are only valid for a set period of time, typically 3 months to 2 years) but other times they are an alert that the website you’re visiting was not authenticated by the certificate they’re presenting or that the certificate was not signed by a trusted certificate authority.
Impact of Google SSL Requirements for Website Owners
Google Chrome is the most popular web browser in the world, and continues to gain market share
With the widespread use of Google Chrome, currently holding about 63% of the web browser market share, the changes to how SSL-secured websites are treated are extremely important for website owners to pay attention to. Seeing a “Not secure” notice next to your domain name can elicit a negative response from your site’s visitors. An SSL certificate is a simple but important trust factor on the internet and if you don’t have your users’ trust it can seriously impact your bottom line.
If you’re doing any business through your site and collecting user information, even through something as simple as a contact form, the red ‘Not secure’ warning is enough to turn some users away. If you have a website in 2019 you need to be using an SSL certificate.
Google SSL Requirements Impact on SEO
Starting in 2014, Google rolled out algorithm updates that favored HTTPS websites over HTTP sites. It was never the only or biggest ranking factor; the information put out there by Google employees stated that it would effectively only be used in tie-breaker scenarios. This meant that if there were 2 websites that were exactly the same in terms of links and content quality, and one site utilized an SSL certificate, it would win out over the unsecured site.
The tie-breaker analogy for HTTPS websites and SEO still seems to hold true to this day. It is nowhere near the biggest ranking factor for a website but it can give a slight edge over a competitor whose site isn’t secure. Despite the minimal ranking boost, with Google now treating SSL-secured sites as the default state in Chrome, it isn’t impossible to imagine a future scenario where an unsecured site actually creates a negative impact on rankings by default.
With the cost of SSL certificates dropping to free in recent years, thanks to the creation and promotion of projects like the Let’s Encrypt certificate authority, there’s no good reason for your website to be unsecure in 2019. Besides Let’s Encrypt, the most popular web hosting panel in the world, cPanel, has been providing free certificates as well. There’s a good chance your web host uses cPanel, and if they do then it’s a very simple process to generate a secure, signed certificate for your site (it’s typically enabled by default).
Bad SSL Implementations Can Ruin Your SEO
The process of acquiring a signed SSL certificate in 2019 is very easy; most hosts now provide them by default in an automated setup (just try loading your site over HTTPS to see if it works). However, the real problem always comes down to implementation. It’s not always as simple as just having your host install an SSL certificate on your website; there are many technical aspects to hosting a secure site that require attention to detail. A poorly implemented SSL certificate can continue to show ‘Not secure’ warnings to your visitors or even completely tank your SEO and search rankings.
SSL Mixed Content Warnings
Mixed content warnings are a sign to your visitors that the website isn’t completely secure and can cause just as many issues for trust and conversions as the ‘not secure’ warnings. These warnings are fairly easy to fix if you have some technical knowledge. Fixes vary depending on what exactly is being pulled onto the page via HTTP instead of HTTPS, but generally a few minor changes to theme files will fix this. If you’re utilizing WordPress you can try something like the Really Simple SSL plugin which will rewrite the links on your page to utilize HTTPS.
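To locate what is being pulled in over HTTP, the page source can be scanned for subresource tags that still use http:// URLs. The following is an added example, not code from the original article; the sample page and the example.com URLs are constructed, and the tag list covers only the common cases.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource. "active" content (scripts,
# stylesheets, frames) is blocked by browsers when loaded over http:// on an
# https:// page; "passive" content (images, media) has historically loaded
# with a warning.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link rel="canonical"> and similar only name a URL; they load nothing.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, attr), kind in SUBRESOURCES.items():
            url = (attrs.get(attr) or "").strip()
            if t == tag and url.lower().startswith("http://"):
                line, _ = self.getpos()
                self.findings.append((line, tag, kind, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: ordinary <a> links, relative URLs and
# protocol-relative URLs are not mixed content and must not be reported.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/theme/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/app.js"></script>
</head><body>
<img src="http://example.com/uploads/logo.png">
<img src="/uploads/banner.png">
<a href="http://example.com/about">About</a>
<script src="//cdn.example.net/lib.js"></script>
</body></html>"""
```

Calling `find_mixed_content(SAMPLE_PAGE)` returns one tuple per offending tag with its line number, which points at the theme file or content entry that needs changing.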
Duplicate Versions Of Sites, Missing or Bad Redirects
Another common problem when people try to implement SSL certificates is that they don’t use 301 redirects or implement them incorrectly. If you install an SSL certificate, the way most websites and hosting environments are set up will cause you to have 2 functioning versions of your site – one secure, and one insecure. This means that depending on the link your visitor clicks they can end up on either version, or if you have hard-coded links to the unsecured version in your website’s content then they will jump between secure and insecure and receive browser warnings about this.
Google will typically pick the HTTPS version of the site if it sees 2 versions, but may default back to HTTP if your HTTPS version has mixed content errors or isn’t loading correctly.
To prevent these sorts of duplicate site issues, once you’ve properly configured your SSL certificate you need to make sure that you correctly 301 redirect traffic from the insecure version to the secure version of your site. This means visitors who visit http://yourwebsite.com will be automatically forwarded to httpS://yourwebsite.com.
While implementing redirects you also need to be mindful of the URLs the user is visiting and make sure your 301 redirects send them to the same page they requested, just the secure version. Bad redirects can create problems like redirecting all users to the homepage by default. This is a bad user experience and is also extremely detrimental to your SEO.
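The redirect rules above can be checked per URL: the response to an http:// request should be a 301 whose Location is the same page over https. The following is an added example, not code from the original article; the function names and the sample responses are constructed, and it assumes the secure site uses the same hostname as the insecure one.

```python
import http.client
from urllib.parse import urlsplit, urljoin

def _page(parts):
    # Path plus query string, so "/pricing?plan=pro" and "/pricing" count as different pages.
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")

def check_redirect(requested_url, status, location):
    """Return the problems with one response to an http:// request (empty list = good)."""
    problems = []
    if status != 301:
        problems.append(f"status {status} is not a 301 permanent redirect")
    if not location:
        return problems + ["no Location header"]
    req = urlsplit(requested_url)
    dst = urlsplit(urljoin(requested_url, location))  # Location may be relative
    if dst.scheme != "https":
        problems.append(f"target scheme is {dst.scheme}, not https")
    # Assumption: the secure site lives on the same hostname as the insecure one.
    if dst.hostname != req.hostname:
        problems.append(f"host changed from {req.hostname} to {dst.hostname}")
    if _page(dst) != _page(req):
        problems.append(f"page changed from {_page(req)} to {_page(dst)}")
    return problems

def fetch_redirect(url):
    """Live lookup (needs network): HEAD the http:// URL without following redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=10)
    conn.request("HEAD", _page(parts))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

# Constructed sample responses: (requested URL, status, Location header).
SAMPLES = [
    ("http://yourwebsite.com/pricing?plan=pro", 301, "https://yourwebsite.com/pricing?plan=pro"),
    ("http://yourwebsite.com/pricing", 301, "https://yourwebsite.com/"),
    ("http://yourwebsite.com/contact", 302, "https://yourwebsite.com/contact"),
    ("http://yourwebsite.com/blog", 200, None),
]

def audit(samples):
    return {url: check_redirect(url, status, loc) for url, status, loc in samples}

if __name__ == "__main__":
    for url, problems in audit(SAMPLES).items():
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

The second sample is the redirect-everything-to-the-homepage case, the fourth is a site still serving a duplicate HTTP version; for a live site, pass the result of `fetch_redirect(url)` to `check_redirect` for a handful of deep URLs, not just the homepage.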
Using a Professional SSL Migration Service
You may already know that you need to install an SSL certificate and make your website secure, but the technical requirements can seem a bit daunting. We saw a lot of problems over the last couple of years with sites moving to HTTPS but doing so horribly, causing huge losses in search traffic and errors for visitors. Last year we launched our SSL migration service to help our clients make the shift to a secured website by having our team of SEOs and web developers take care of the process. The end result is a secured website that hasn’t lost search traffic or rankings and includes monitoring to make sure no problems arise after we’re done.
If you’re not confident in your technical abilities to properly move your website to HTTPS, we strongly suggest you work with a trusted web developer or SEO who has the technical experience to smoothly transition your website. If you’re looking for some help with your SSL certificate installation and all of the technical changes that come with it, feel free to reach out to see if our team can help with your website.