Serving any content on a non-secure line will slowly kill your business
Google is pushing for all websites to serve all content on a secure connection only, using HTTPS. Google are backing this currently, through up-ranking sites that are running on HTTPS only and downranking sites that are using all or even some HTTP (not secure). Read more about this here.
Sometime during 2016, Google are changing their browser Chrome, to make it harder to achieve the “Green Lock” icon, thereby ensuring higher security. If not all of your content, including scripts, images, adverts etc, is served on HTTPS, you will not get the “Green Lock” icon that users know, that indicates that the site is safe.
These changes translates into: If your website is not running HTTPS only, you will not be at the top of the list in Google searches and your users on Chrome could be scared to use your site.
Expect other browsers such as Edge, Internet explorer or Firefox to implement similar functionality soon.
A green lock icon is what you want
Chrome is going to classify your content in 3 groups: “Secure”, “insecure” and “mixed content”.
Secure means that all of the content on a page is served over a secure connection. This will give your page the pretty green lock icon seen below:
Insecure could mean that there is no https, that there is https but the certificate is invalid or compromised in some way, that there is insecure script from another site loaded on the page which is always blocked by chrome and a few other things. This will result in “The red slashy lock icon of doom” (Google’s own term, I swear!).
Mixed content means that some of the content is secure but other parts is not. This could be that the text is served on a secure line but the images are not.
An important change that Chrome is bringing is that Mixed Content is now considered unsafe and will not have the Green lock icon, thereby not appearing to be entirely safe. This is important to understand! Websites that might appear OK in Chrome today, might, when Chrome Version 48 is pushed, appear to be unsafe.
Google Chrome version 48 introduces the “Security Panel” which lets the user drill down into where the content is coming from. I will talk about this in a later post, to avoid being too technical in this one.
Why Google are pushing HTTPS
Google are pushing for all websites to use HTTPS for all content, simply to make the World Wide Web a safer place for everyone. As simple as that. The disadvantages of using HTTPS over HTTP, is now so small, that the advantages outweighs the disadvantages.
Advantages of HTTPS
Not using HTTPS means that it is possible to capture and read data sent from a server to a user. For example, this could be the “Session cookie” that the ASP.NET framework, which almost all Microsoft based website uses, could be captured and read by a hacker. This cookie contains a readable key which could enable a hacker to impersonate a user, thereby gaining access to the users information on the website or even allow the hacker to buy items on the users creditcard. Using HTTPS completely eliminates this threat and many others, by encrypting all data, sent to and from the user, including cookies.
There are other advantages, such as it makes it impossible for ISP’s or wifi providers to inject adverts into the datastream, which can look like you are heavily using adverts on your website, even though you might have an entirely advert free site.
Lastly, using HTTPS identifies your website, through the SSL certificate, as actually being your website and not some other site that might have captured the users request.
Disadvantages of HTTPS
The main disadvantages to why not the whole world are already using HTTPS is simple: Performance. There is a performace hit on using HTTPS as the server and the client has to perform a “TLS handshake” and share security information in order to be able to encrypt and decrypt the data. Also the encryption/decryption itself is a slight performace hit.
Most of the performace hit is in the handshake. Once the connection is established, the encryption itself does not have a very large impact. There are ways to fine tune this however.
There a some hard-to-kill myths about using HTTPS, which is debunked here: http://blog.httpwatch.com/2011/01/28/top-7-myths-about-https/
HTTPS becomes a requirement for HTML5 features in Chrome
Google Chrome is also going to require HTTPS to allow key HTML5 features to be available to the user and server. Features, such as using the users Camera, Microphone or even location data which many websites already use now to pinpoint the users location on some map oriented service, for example to guide the user to the nearest shop, will require full HTTPS. If your user’s security and privacy or your sites integrity does not convince you to serve HTTPS only, access to HTML5 features will.
How to handle the changes
First of all, don’t panic. Chrome version 48 is available now, but is not being pushed to users yet. So you do have time to create a battle plan.
What you need to do is to identify what changes are needed for your site to be able to run in HTTPS only. If you have a website that is already focusing heavily on security, you might not need to change anything. If you have a very simple site, you might get away with just flipping a HTTPS switch on your webserver.
But most likely you need to do an analysis of your website, to determine what action to take. Get started now, because the change for Chrome is coming and the change for Google search is already in effect.
I will create more blogposts on the subject in the not too distant future, so make sure to subscribe to the blog and follow me on Twitter @Troels79.
For more in-depth information, please have a look at this presentation from Google: https://developers.google.com/web/updates/2015/12/security-panel