Last year, changes to the Google Chrome browser (the browser of choice for most of the world) meant websites that hadn’t been converted to HTTPS started to display this next to the website url in the browser bar:
If an insecure website had a contact form on it, the website visitor would see this message when trying to submit an enquiry:
A little off-putting! And a disaster if you rely on your website’s contact form for enquiries.
The 2017 changes to the Chrome browser were just a warning shot, however. In July 2018, their newest update will mark non-secure websites more clearly:
So it’s time. If you’ve not yet converted your website to HTTPS, you must do it now.
Why is Google forcing this onto the internet?
Because it provides people browsing websites with three key layers of protection:
- Authentication – prevents ‘man-in-the-middle’ attacks and provides a guarantee that the user is communicating with the exact website that was intended.
- Encryption – provides privacy by encrypting the exchanged data. This ensures that conversations won’t be eavesdropped and information can’t be stolen.
- Data integrity – prevents data from being modified or corrupted during the transfer.
The right way to make your website HTTPS
Contrary to what many people think, it goes beyond simply installing an SSL certificate on your domain. There are a whole range of aspects that need to be considered when migrating to https, to ensure there are no issues with your website, or how Google sees it. These include:
- Updating website code to remove any instances of ‘HTTP’ from every page
- Setting up redirects to force all traffic to HTTPS
- Updating Google that these changes have been made
- Ensuring social media share numbers are transferred
- Configuring a new sitemap
- Updating Robots.txt
- Updating canonical tags to make sure they are pointing to HTTPS
- Confirming all website pages are displaying correctly
And these are just the basics.
We also recommend that the following protocols are implemented to make sure your site is running optimally after the change
- Enable HSTS. (This tells the browser to request https pages automatically, even if the user enters HTTP. This protects your website against downgrade attacks and cookie hijacking.)
- Enable OCSP Stapling. (Speeds up your website by reducing the time the browser needs to cross reference the Certificate Authority.)
Note: Your website will also benefit from being HTTPS in a number of other areas as well, as detailed in a previous post here.
There is a lot to consider there, however there is no getting away from it – if you have a website, it MUST be fully HTTPS compliant by July 2018.