Over the past several years Google has been working hard to migrate all of their properties to work over SSL (Secure Sockets Layer).
In 2014 Google announced that adding an SSL certificate to your website would give you a minor ranking boost. This is because Google takes security very seriously and wants to make the Internet safer for everyone.
Google’s HTTPS Initiative
In fall 2016 Google began pushing for an encrypted web by requiring websites that collected login or password information to convert to HTTPS by January 2017.
The reason for this was to protect the sensitive data that you collect from your visitors such as credit card data, membership logins, passwords, and more.
By converting to HTTPS, site owners could protect the sensitive data visitors were submitting from “man-in-the-middle” attacks.
New Google Penalty for Non-HTTPS Sites Effective October 2017
In an effort to step up web security, Google set out with another round of penalties in October 2017 for sites that were non-compliant.
In August 2017 Google sent email notifications to these site owners via Google Search Console to remind them to convert to HTTPS.
Site owners were warned that effective October 2017 Chrome would show the “NOT SECURE” warning to visitors who entered sensitive data in a form on an HTTP page or who visited HTTP pages via incognito mode.
Sites collecting this sensitive data that had not converted to HTTPS would now show a “NOT SECURE” warning in the browser.
Third Google Penalty Slated for July 2018 for All Sites
In the latest push for an encrypted web, Google has set a final deadline of July 2018 for all sites to be converted to HTTPS. Whether or not your site accepts sensitive data from your visitors, it should be converted or it risks being penalized by Google in a few ways:
1. Your site will rank lower than HTTPS sites
2. Your site will show a “NOT SECURE” message in a visitor’s browser
For a complete breakdown of the various phases on the HTTPS initiative, please refer to this excellent post by our friends at R & R Web Design.
Google Chrome to Block Mixed Content Effective December 2019
So we’ve been warned time and again and Google has given us plenty of time to get our sites converted to HTTPS.
But what about sites that are still delivering mixed content? That is, these sites deliver secure web pages that contain images, scripts or other resources that are still served through HTTP.
This creates a security risk for both your website and any site visitors.
An attacker can hijack the entire page, not just the resources that are being served insecurely.
So what exactly is Google going to do about this?
Starting in December 2019, Google will handle mixed content in two ways:
- Google will try to upgrade the insecure content to HTTPS if that content is also available over HTTPS.
- Google will give Chrome users the option to unblock insecure resources blocked by Chrome.
Most likely, visitors will abandon a site that displays any type of security warning.
Then in January 2020, Google will take away the blocking option and completely block mixed content web pages.
Now let’s take a look at what HTTPS is and how it works.
What Exactly is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) ensures secure communication between a browser and a web server through the use of Secure Sockets Layer (SSL).
This stops “man-in-the-middle” attacks from intercepting sensitive data such as password and credit card information that visitors submit from your website.
When Chrome 56 rolled out in January 2017, websites that had an SSL certificate installed and configured properly began to show visitors a secure connection in the browser bar.
This notation builds customer trust and assures your visitors that their information is protected and secure as it transmits from their browser to your server.
But if you collect sensitive data on your website and your site had not been converted to HTTPS when Chrome 56 rolled out, then your visitors began seeing the NOT SECURE warning in their browser bar.
Seeing the NOT SECURE warning would understandably alarm a visitor and cause them to leave your website.
This in turn decreases conversions, increases bounce rate, and affects your SEO (search engine optimization).
By now I’m sure you can see why it’s so important to encrypt your website pages and protect your visitors’ data.
Now that you understand why it’s important to convert to HTTPS, the rest of our post will look at the following:
- What is an SSL Certificate?
- Where can I Get a Free SSL Certificate?
- What are the Additional Benefits of HTTPS?
- What about CloudFlare Users?
What is an SSL Certificate?
Per GlobalSign Certificate Authority:
“SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser.”
You’ve probably noticed the padlock when you’ve made an online purchase and checked out of a big-brand store such as Amazon. Or if you use online banking or have paid a credit card online, you have probably seen the padlock. That padlock assures you that the organization has an SSL certificate installed and is protecting your data as you use their site.
If you’re running a WordPress website and have wondered about adding SSL, you might want to read our earlier post to learn more.
Where can I Get a Free SSL Certificate?
For many years encrypting a website was expensive and complicated for small business owners.
They had to purchase a dedicated IP and a certificate from a Certificate Authority and then pay to have that dedicated IP and certificate renewed each year.
But the Let’s Encrypt initiative has changed all that. Let’s Encrypt began offering free SSL certificates a few years ago, and small business owners have been able to encrypt their websites without incurring extra expenses. And an added bonus is that a dedicated IP is not necessary under Let’s Encrypt.
As HTTPS becomes the standard protocol, most hosting companies are offering and installing Let’s Encrypt certificates for free, too.
For many small businesses, this is the perfect (and affordable) solution to encrypting their site.
Our hosting company, A2 Hosting (affiliate), automatically installs Let’s Encrypt SSL certificates on client accounts for free. That includes requesting and installing the Let’s Encrypt certificate on our behalf, then updating it automatically every three months.
Other hosting providers have a configuration setting that you need to enable. And still other providers automatically request and install certificates for all their customers.
What are the Additional Benefits of HTTPS?
Historically, websites running under HTTPS experienced slower page loads due to the SSL negotiation. This caused website owners to think twice before they made the decision to convert to HTTPS.
But HTTP/2 has resolved many of those issues. HTTP/2, the latest update to HTTP, brings more efficiency, security and speed to the web. Now these same sites running under HTTPS can take advantage of HTTP/2, which improves performance and overall user experience.
And we can’t forget about Bing. In 2015 Microsoft announced their plans to also standardize HTTPS for web traffic encryption.
What about CloudFlare Users?
Many small businesses take advantage of CloudFlare’s free plan. CloudFlare users will still be able to use the free plan with the Full (Strict) SSL option.
Unfortunately, this is an area of confusion for lots of site owners and web hosts.
Many clients are under the impression that they have to upgrade to the paid plan to use CloudFlare under SSL. This is simply not true.
You can still use the CloudFlare free plan and a free SSL certificate while reaping the benefits of both!
Convert to HTTPS Now
If your site still runs under HTTP, you have no choice but to convert to HTTPS now. It is a Google requirement.
And if your site isn’t completely converted to HTTPS, you risk your site being blocked due to mixed content.
All of your resources including scripts, styles, images, and linked content must be served securely.
If you’re a do-it-yourself website owner, you might want to refer to our earlier post on adding SSL to your WordPress site.
Or you might want to check Matt Banner’s detailed and resourceful post on How to Switch from HTTP to HTTPS for further information.
To further clarify the difference between HTTP and HTTPS, you might want to refer to this helpful infographic from our friends at First Site Guide.
But for those of you who don’t have the time or knowledge to convert to HTTPS, it’s time to get help with converting your site.
Have questions? Please feel free to post them in the comments below!