Will Your Customers Feel ‘Safe’ When They Visit Your Website?
IMPORTANT: Secure Your Website
With everything that’s been going on in the past few months, with Google clamping down on cryptocurrency ads, preparing for the European General Data Protection Regulation (GDPR), and more stringent community guidelines coming into force almost every other day, you’d be forgiven if you’ve forgotten about Google’s July 2018 deadline for having your website secure…
Or maybe you weren’t even aware that the new Chrome interface will warn users that all HTTP sites are not secure.
So, what does this mean?
Back in October 2017, Google began marking HTTP sites with an email input field as non-secure, along with any HTTP pages visited during an incognito browsing session.
Google announced more policy changes relating to how Chrome handles HTTP websites in February 2018, and May 2018, which I will discuss in more detail, here.
However, if you are still asking at this point “Do I need to make my website HTTPS compliant?”, then the answer is a resounding ‘YES’.
Google HTTPS Policy Changes – Timeline of Events
At the beginning of 2017, Google began their quest to improve how their Chrome browser communicates the connection security of websites, and more specifically of HTTP pages. At the start of 2017, Chrome marked HTTP pages as “Not secure” if they had password or credit card fields.
In August 2017, Google began sending notices through Google Search Console to site owners that were not HTTPS compliant. They also announced that October 2017 was when their new changes would come into effect. Those changes meant Chrome would show the “Not secure” warning in two additional situations: when users enter data on an HTTP page and on all HTTP pages visited in Incognito Mode.
That “Not secure” warning was minimal. It was a faded information sign that told the user the site wasn’t secure when clicked on.
In February 2018 Google declared that come July 2018, it will mark all HTTP websites as “Not secure.”
Time will tell how much impact the July changes will have. It may be minimal as the warning is going to be the same colour as the URL.
However, in May 2018, Google announced that they will remove the green ‘Secure’ sign for HTTPS sites in September, and come October they will begin rolling out a change that will have a very big impact on non–HTTPS sites.
Here’s the green secure sign that will be removed come September:
With the rollout of Chrome version 70 in October, Google will start changing the colour of the “Not secure” warning to a red warning in the browser when a user inputs an email address or credit card information on a non–HTTPS site. Here’s an example:
Is this really such a big deal?
Do you collect email addresses & credit card information on your website, or fulfill your products through your website?
If your answer is ‘yes’ to at least one of those questions, then these changes will certainly affect you.
In fact, it’s already affecting you if you’re collecting credit card information, email addresses, or if your users need to enter a password to login on your website.
But this only affects Chrome, right?
Right now, that’s correct…
However, Chrome is by far the most popular browser. As of April 2018, it has nearly 60% market share according to W3Counter.
And since Google Chrome has such a global presence, a prominent warning that your site is not secure may affect how safe users feel when they browse your site. This may cause some visitors to leave your site, which will negatively impact your site’s bounce rate, advertising impressions, affiliate clicks, and e–commerce sales.
How do I make my site secure?
To make your website secure, you need to add an SSL cert to it. If you want to know more about how an SSL cert works, watch the short video below (ignore the GoDaddy sales pitch).
In July 2017, we checked over 50 websites. We found that 26% had no SSL cert installed. We checked again in May 2017, and found that this number had fallen to 16%.
Now, that’s still too high. All sites that don’t have an SSL certificate should install one in the coming weeks.
In July last year, we also found that of all the sites that had an SSL cert installed, 33% of the certificates weren’t configured correctly. Both the http:// and https:// version of the site were visible. That number is down to 19% this year.
Having two or more versions of a website visible causes duplicate content issues, and splits your ranking authority across the two versions.
Although it has improved over the past 9 months, HTTPS deployment is still clearly an area where businesses can improve.
If you’d like to know whether your site has issues, here’s a quick and easy way to test it. It shouldn’t take longer than a few seconds. Try it out.
Open a page on your website. If your site shows https:// in the URL bar, look at A. If your site shows http:// in the URL bar, skip to B.
A: Does your site show as https:// in the URL bar?
If it does, then remove the s from https:// and press enter.
Does the URL redirect back to the secure https:// version?
Or does the URL show you a http:// version of your website?
If it shows the http version, you have an SSL certificate installed but it isn’t configured correctly and is causing duplicate content issues, and hurting your visibility in search engines.
B: Does your site show http:// in the URL bar?
If it does, then add an s after http, to make it https://, and press enter.
Does the URL redirect back to the http version or do you get an error?
If it does either, that’s OK. It means you don’t have an SSL cert set up. You should put it on your web developer’s radar to get one installed in the coming weeks, ideally before July, definitely before September.
If your site is showing a http:// and a https:// version, consider fixing it. It’s causing duplicate content issues and is affecting your search engine visibility.
If your website passes the quick and easy test above, you now need to delve a little deeper, and make sure your site’s SSL cert is fully implemented correctly.
To do this, you’ll need to use two tools: Screaming Frog’s SEO Spider, and SEMrush. Both are paid tools. Screaming Frog is relatively inexpensive, while SEMrush has a free trial which you can use to perform these checks if you don’t have a SEMrush account already.
If you’d like us to conduct these checks for you, please reach out. If you belong to The Agora companies, we’ll check your site, for free.
If you’d like to check these yourself, read on.
Check if all your pages are redirecting correctly
It’s important to make sure all pages are redirecting correctly.
To do this, a good tool to use is Screaming Frog’s SEO Spider. You can get more information, and purchase it, here.
In Screaming Frog, run a site crawl. Once it’s finished, go to the protocol tab and filter by HTTP.
In the search box, enter your website name. In our case it’s ReadyFireAim. Also, filter by status code. Filtering by your website name means that you’ll exclude external links.
Are some of your HTTP pages showing a 200 status code? If so, these pages aren’t redirecting to their HTTPS version. Get your web developer to take a look. A force redirect is a relatively easy fix to implement.
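The quick manual test and the crawl filter for HTTP pages returning 200 both ask the same question: what does a plain http:// URL return? The following is an added example, not part of the original article or of any tool it mentions; example.com, the function names and the sample crawl rows are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

def fetch_no_follow(url, timeout=10):
    """Live check: return (status, Location) for url without following redirects."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify_http_page(url, status, location=None):
    """Classify what a plain http:// URL returned."""
    if 200 <= status < 300:
        return "NOT_REDIRECTING"        # HTTP copy is visible next to the HTTPS one
    if status in (301, 302, 303, 307, 308) and location:
        if urlsplit(location).scheme == "https":
            return "OK"                 # forced onto HTTPS
        return "REDIRECTS_TO_HTTP"      # relative or http:// target: still not secure
    return "ERROR"                      # 4xx/5xx, or a redirect with no Location

def failing_pages(rows):
    """Return the URLs from (url, status, location) rows that need attention."""
    return [url for url, status, loc in rows
            if classify_http_page(url, status, loc) != "OK"]

# Constructed sample crawl rows (url, status, Location header).
SAMPLE = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/pricing", 200, None),
    ("http://example.com/blog", 302, "/blog/"),
]

if __name__ == "__main__":
    for url, status, loc in SAMPLE:
        print(url, status, classify_http_page(url, status, loc))
```

To run it against a live site, pass the result of `fetch_no_follow(url)` to `classify_http_page` for each http:// URL from your crawl export.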
Auditing Your HTTPS implementation
Once you know all pages are redirecting as they should, you should run an audit on your HTTPS implementation. Here at AIM, we use SEMrush to help us do this.
Here’s a snapshot from an audit that we ran recently.
With our help, the client was able to eradicate virtually all mixed content issues, and all issues with links on HTTPS pages leading to HTTP pages.
Mixed content? Links on HTTPS pages leading to HTTP pages? What the hell are they?
The three most common issues we see when auditing HTTPS implementation are as follows:
- Mixed content
- Links on HTTPS pages leading to HTTP pages
- Subdomains not supporting HSTS
Mixed content
If your website contains any elements that are not secured with HTTPS, this may lead to security issues. Moreover, browsers will warn users about loading unsecure content, and this may negatively affect user experience and reduce their confidence in your website.
Eradicating mixed content after you install your SSL cert, and configuring the cert correctly, is vital. If you don’t, you still run the risk of seeing the “Not secure” warning even though you have an SSL cert installed.
Links on HTTPS pages leading to HTTP pages
If any link on the site points to the old HTTP version of the website, search engines can become confused as to which version of the page they should rank.
The end result is neither version ranks as highly as it should, and your search engine visibility decreases.
Subdomains not supporting HSTS
HTTP Strict Transport Security (HSTS) informs web browsers that they can communicate with servers only through HTTPS connections. So, to ensure that you don’t serve unsecured content to your audience, we recommend that you implement HSTS support.
This response header tells user agents (e.g. the Googlebot crawler) to only access HTTPS pages even when directed to an HTTP page. This eliminates redirects, speeds up response time, and provides extra security.
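The three audit issues above can be checked on a single HTTPS page and its response headers. This is an added example, not the article's or SEMrush's own code; the sample page, the headers, example.com and the function names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL is fetched while the page loads (mixed content when http://).
FETCHED = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class HttpsAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.host = page_url, urlsplit(page_url).hostname
        self.mixed, self.http_links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # e.g. rel=canonical is a reference, not a fetched resource
        raw = a.get("href" if tag == "a" else FETCHED.get(tag, ""))
        url = urljoin(self.page_url, raw or "")  # resolve relative URLs
        if not raw or urlsplit(url).scheme != "http":
            return
        if tag in FETCHED:
            self.mixed.append(url)
        elif urlsplit(url).hostname == self.host:  # <a> to this site's HTTP version
            self.http_links.append(url)

def hsts_issues(headers):  # checks the Strict-Transport-Security response header
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return ["header missing"]
    parts = [d.strip().lower() for d in value.split(";") if d.strip()]
    age = next((d[8:].strip('"') for d in parts if d.startswith("max-age=")), "")
    issues = [] if age.isdigit() and int(age) > 0 else ["max-age missing or zero"]
    if "includesubdomains" not in parts:
        issues.append("includeSubDomains not set")  # subdomains are not covered
    return issues

def audit(page_url, html, headers):
    p = HttpsAudit(page_url)
    p.feed(html)
    return {"mixed": p.mixed, "http_links": p.http_links, "hsts": hsts_issues(headers)}

# Constructed sample page and headers; example.com is a placeholder.
SAMPLE_HTML = """<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.com/app.js"></script>
<img src="http://example.com/logo.png"><img src="/hero.jpg">
<a href="http://example.com/contact">Contact</a>
<a href="http://other.example.net/">Partner</a>"""
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
print(audit("https://example.com/", SAMPLE_HTML, SAMPLE_HEADERS))
```

Protocol-relative and root-relative URLs inherit the page's https scheme, so only the hard-coded http:// stylesheet and image count as mixed content, and the link to another site is left out of the internal HTTP link list.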
The Final Word on HTTPS Compliance
The bottom line is this: if you’re serving content over an unsecure connection, you need to be planning how you’re going to go HTTPS by default, now.
It was confirmed last year at SMX Advanced that Google also offers a minor SEO boost to sites with HTTPS installed. This backs up what Gary Illyes of Google said back in April 2017.
As of May 2018, 84% of all pages loaded through Google Chrome are HTTPS pages.
In April 2017, Moz and SEMrush published data showing over 50% of all pages in the top 3 results in Google are HTTPS compliant pages. That’s up from 30% in mid-2016, and is likely to be even higher now.
Here at AIM, we also highly recommend installing an SSL cert ASAP.
If you do install one, make sure to check it’s implemented correctly as it can cause some issues for your website if it isn’t.
Also, instead of just going HTTPS, consider going HTTP/2. HTTP/2 future-proofs your website. It adds a secure connection as well as making your website super-quick.
If you need some help, have any questions on HTTPS, or would like AIM to audit your HTTPS implementation, please reach out.