In a push to further secure and better encrypt the internet, Google has been making changes to how its various products and services treat SSL certificates. Google's new default for the web is encryption: a secure connection (HTTPS) is expected everywhere, no longer a feature only for online banking and shopping sites.
This decision is arguably the right move for the internet, in an age of privacy concerns and three-letter agencies doing mass surveillance with bulk data collection, but it can be harmful to your business if your website remains insecure. If your website is available over HTTP but not HTTPS, you may see a loss in traffic and user trust, and a likely negative impact on your conversion rates.
Chrome Listing Websites As “Not Secure”
Google made an announcement on their security blog in early 2018 about the changes coming to Google Chrome and the changes they were making to alert web surfers that they are browsing an insecure site. A previous announcement in October 2017 stated that these changes were coming, but at that time it only applied to HTTP (non-secured) pages where users were asked to enter personal information.
Starting in July 2018 Google launched the change in Chrome that any website loading over HTTP would carry a “Not secure” warning in the browser’s address bar by default. This was a big shift: from treating unsecured websites neutrally (except where personal data was being entered) to flagging them negatively at all times. These changes also brought a shift in how HTTPS-encrypted sites are treated, since they are now the default. Previously a secure site showed a green padlock icon in Chrome; secure sites are now identified only with a gray padlock icon.
To make things even worse for unencrypted sites, 1 year after the original change to alert users entering information into HTTP sites, in October 2018 Google changed that gray “Not secure” warning to a bright red warning with an alert icon. This means that if you have an email signup form, a contact form, or anything on your site that requests information from your visitors, those visitors will now see a red warning when they try to give you their details.
What is an SSL Certificate?
Put simply, an SSL certificate is a text file with encrypted data that you install on your server. This allows you to secure/encrypt sensitive information and communications between your website and your audience. Many think of it as their electronic passport.
SSL stands for ‘Secure Sockets Layer,’ and when a website owner has one, all data passed between web browsers and servers remains private and encrypted.
Without a valid certificate, a website cannot establish a secure connection with the visitor’s browser, because the browser has no trusted cryptographic key with which to start an encrypted session. This puts your company’s and your customers’ information at risk, especially considering current cybercrime trends. As a result, the lack of SSL and HTTPS could potentially damage your brand image.
People will avoid purchasing from you or even signing up to your newsletter through fear of having their details stolen. Your conversions will plummet.
One of the most important things in business is to make customers feel like they are visiting a trusted, reliable website where making purchases is safe. SSL establishes a secure connection which then reassures your visitors using visual cues.
Seeing the lock icon or green bar when visiting a site can automatically make a visitor trust your company and take the next step in making a purchase.
How Does an SSL Certificate Work?
When a browser accesses a secured website, the browser and the web server establish a connection. The process is called an ‘SSL handshake,’ but this handshake cannot be seen by the user and happens within a few seconds. What you can see as a user is a green padlock in the URL address bar of your browser which signifies secure data transfer.
Three keys are used to set up a secure connection: public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private one and vice versa. Encrypting and decrypting using the private and public keys takes a lot of computing power. Because of this, they are used solely during the SSL handshake.
The handshake produces a symmetric session key, which is then used to encrypt all data transmitted between the browser and the site once the secure connection is established.
Here is how the SSL handshake works, in simple terms:
- The browser connects to a web server via a secured connection. The browser requests that the server identify itself.
- The server then sends a copy of the SSL Certificate, including the server’s public key.
- The browser checks the certificate’s root (the issuing authority) against its list of trusted authorities. It also establishes that the certificate is unexpired and that the common name is valid for the site it is connecting to.
- If the browser trusts the data it received, it creates, encrypts, and sends back a symmetric session key using the server’s public key.
- The server decrypts the symmetric session key using its private key. It then sends back an acknowledgment encrypted with the session key to begin the encrypted session. This happens instantaneously.
- Both the Server and Browser now encrypt all of the transmitted data using the session key.
The three keys mentioned above work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the website owner. It holds the following information:
- Name of the holder
- Serial number and expiration date
- Copy of the holder’s public key
- Digital signature of the certificate-issuing authority
Knowing how SSL works can further help you understand why certificates are so important.
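The six handshake steps and the certificate “subject” fields above, worked through in code. This is an added example, not code from the original article: it builds a constructed in-memory root CA and issues a server certificate for the made-up name www.example.test (the holder name, serial number, expiry, public key and CA signature listed above), runs the browser’s step-3 checks on their own, and then performs a real TLS handshake over loopback TCP so the request and reply travel under the negotiated session key. The CA name, host names and message text are all assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory trust setup; none of it is a real CA or site.
type testPKI struct {
	Roots     *x509.CertPool    // the browser's list of trusted authorities
	Server    *x509.Certificate // what the server sends in step 2
	ServerKey *ecdsa.PrivateKey // the private key that never leaves the server
}

// issue creates a certificate from tmpl: self-signed when parent is nil (a root
// CA), otherwise signed by parentKey, the issuing authority's key. Failures here
// are fixture bugs, so it panics rather than returning an error.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer, issuer := key, tmpl
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildPKI issues a root CA and a server certificate for host expiring at notAfter.
func buildPKI(host string, notAfter time.Time) *testPKI {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	// The certificate "subject": holder name, serial number, expiry date, the
	// holder's public key (embedded by issue) and the CA's signature over it all.
	srv, srvKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Constructed Site Owner"}},
		DNSNames:     []string{host}, // the name the browser must match in step 3
		NotBefore:    now.Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &testPKI{Roots: roots, Server: srv, ServerKey: srvKey}
}

// browserChecks is step 3 on its own: does the chain end at a trusted root, is
// the certificate still valid today, and does the name match the site visited?
func browserChecks(p *testPKI, host string) error {
	_, err := p.Server.Verify(x509.VerifyOptions{Roots: p.Roots, DNSName: host})
	return err
}

// handshake runs a real TLS handshake over loopback TCP. The client trusts only
// p.Roots and expects the name host; on success it returns the server's reply,
// which travelled under the session key agreed in steps 4 and 5.
func handshake(p *testPKI, host string) (string, error) {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{p.Server.Raw}, PrivateKey: p.ServerKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the web server: accept, decrypt the request, answer under the session key
		srv, err := ln.Accept()
		if err != nil {
			return
		}
		defer srv.Close()
		buf := make([]byte, 64)
		if n, err := srv.Read(buf); err == nil { // the handshake itself runs inside this Read
			srv.Write(append([]byte("echo: "), buf[:n]...)) // step 6
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: p.Roots, ServerName: host})
	if err != nil {
		return "", err // step 3 failed: untrusted root, expired, or wrong name
	}
	defer conn.Close()
	conn.Write([]byte("GET / HTTP/1.1")) // step 6: the request travels encrypted
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}
```

`browserChecks` fails with a hostname error when the browser asks for a name the certificate was not issued for, and with an expiry error when `notAfter` is in the past; `handshake` fails the same way at `tls.Dial`, which is the point at which a real browser would show the “Not secure” warning instead of the padlock.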
Impact of Google SSL Requirements for Website Owners
Google Chrome is the most popular web browser in the world, and it continues to gain market share.
With the widespread use of Google Chrome, currently holding about 63% of the web browser market share, the changes to how SSL-secured websites are treated are extremely important for website owners to pay attention to. Seeing a “Not secure” notice next to your domain name can elicit a negative response from your site’s visitors. An SSL certificate is a simple but important trust factor on the internet, and if you don’t have your users’ trust it can seriously impact your bottom line.
If you’re doing any business through your site and collecting user information, even through something as simple as a contact form, the red ‘Not secure’ warning is enough to turn some users away. If you have a website in 2019, you need to be using an SSL certificate.
Google SSL Requirements Impact on SEO
Starting in 2014, Google rolled out algorithm updates that favored HTTPS websites over HTTP sites. It was never the only or biggest ranking factor; the information put out by Google employees stated that it would effectively only be used in tie-breaker scenarios. This meant that if there were 2 websites that were exactly the same in terms of links and content quality, the one using an SSL certificate would win out over the unsecured site.
The tie-breaker analogy for HTTPS websites and SEO still seems to hold true to this day. It is nowhere near the biggest ranking factor for a website but it can give a slight edge over a competitor whose site isn’t secure. Despite the minimal ranking boost, with Google now treating SSL-secured sites as the default state in Chrome, it isn’t impossible to imagine a future scenario where an unsecured site actually creates a negative impact on rankings by default.
With the cost of SSL certificates dropping to free in recent years, thanks to the creation and promotion of projects like the Let’s Encrypt certificate authority, there’s no good reason for your website to be insecure in 2019. Besides Let’s Encrypt, the most popular web hosting panel in the world, cPanel, has been providing free certificates as well. There’s a good chance your web host uses cPanel, and if so it’s a very simple process to generate a secure, signed certificate for your site (it’s typically enabled by default).
Bad SSL Implementations Can Ruin Your SEO
The process of acquiring a signed SSL certificate in 2019 is very easy; most hosts now provide them by default in an automated setup (just try loading your site over HTTPS to see if it works). However, the real problem always comes down to implementation. It’s not always as simple as having your host install an SSL certificate on your website; there are many technical aspects to hosting a secure site that require attention to detail. A poorly implemented SSL certificate can continue to show ‘Not secure’ warnings to your visitors or even completely tank your SEO and search rankings.
SSL Mixed Content Warnings
For a page on a website to be secure, all of its assets need to be loaded over HTTPS. This means not only the HTML of the page itself, but also all of the images, CSS, JavaScript and other embedded items used to make the site look good or add functionality. If you’re using something like WordPress to run your site, many themes and plugins out there pull from external sources over HTTP by default.
Mixed content warnings are a sign to your visitors that the website isn’t completely secure and can cause just as many issues for trust and conversions as the ‘not secure’ warnings. These warnings are fairly easy to fix if you have some technical knowledge. Fixes vary depending on what exactly is being pulled onto the page via HTTP instead of HTTPS, but generally a few minor changes to theme files will fix this. If you’re utilizing WordPress you can try something like the Really Simple SSL plugin which will rewrite the links on your page to utilize HTTPS.
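A small scanner for the problem just described, added here as an example and not code from the article or from any plugin it mentions. It finds the asset tags (images, scripts, stylesheets, frames, media) that a secure page would still fetch over plain HTTP, and rewrites just those URLs to https://, leaving ordinary `<a href="http://...">` links alone because they navigate rather than load into the page and so do not cause mixed content. The sample HTML and its domain names are constructed for the example; the regular expression is a deliberate simplification that handles quoted attributes only.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// subresourceRE matches tags that load something into the page, capturing the
// plain-HTTP URL in group 3. <a> is deliberately absent: links navigate, they
// do not load, so they are not mixed content.
var subresourceRE = regexp.MustCompile(
	`(?i)<(img|script|link|iframe|source|video|audio|embed|object)\b[^>]*?\s(src|href|data)\s*=\s*["'](http://[^"']+)["']`)

// samplePage is constructed for the example: one insecure stylesheet, one
// secure script, one insecure image, and a plain link that is fine as it is.
const samplePage = `<html><head>
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/hero.jpg" alt="hero">
<a href="http://partner.example.test/">partner link</a>
</body></html>`

// findMixedContent lists every asset URL the page would fetch over plain HTTP.
func findMixedContent(page string) []string {
	var urls []string
	for _, m := range subresourceRE.FindAllStringSubmatch(page, -1) {
		urls = append(urls, m[3])
	}
	return urls
}

// upgradeMixedContent rewrites only the matched asset URLs to https://, using
// the exact byte range of capture group 3 so nothing else in the tag changes.
func upgradeMixedContent(page string) string {
	var b strings.Builder
	last := 0
	for _, idx := range subresourceRE.FindAllStringSubmatchIndex(page, -1) {
		start, end := idx[6], idx[7] // bounds of group 3, the URL
		b.WriteString(page[last:start])
		b.WriteString("https://" + strings.TrimPrefix(page[start:end], "http://"))
		last = end
	}
	b.WriteString(page[last:])
	return b.String()
}

func main() {
	fmt.Println(findMixedContent(samplePage)) // the two http:// assets
	fmt.Println(upgradeMixedContent(samplePage))
}
```

Rewriting a URL to https:// only helps if the external host actually serves the asset over HTTPS; if it does not, the fix is to self-host the asset or pick a provider that does.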
Duplicate Versions Of Sites, Missing or Bad Redirects
Another common problem when people implement SSL certificates is that they don’t use 301 redirects, or implement them incorrectly. If you install an SSL certificate, the way most websites and hosting environments are set up will leave you with 2 functioning versions of your site: one secure and one insecure. This means that depending on the link your visitor clicks they can end up on either version, or if you have hard-coded links to the unsecured version in your website’s content, they will jump between secure and insecure pages and receive browser warnings about it.
Google will typically pick the HTTPS version of the site if it sees 2 versions, but may default back to HTTP if your HTTPS version has mixed content errors or isn’t loading correctly.
To prevent these sorts of duplicate site issues, once you’ve properly configured your SSL certificate you need to make sure that you correctly 301 redirect traffic from the insecure version to the secure version of your site. This means visitors who visit http://yourwebsite.com are automatically forwarded to httpS://yourwebsite.com.
While implementing redirects you also need to be mindful of the URLs the user is visiting and make sure your 301 redirects send them to the same page they requested, just the secure version. Bad redirects can create problems like sending all users to the homepage by default. This is a bad user experience and also extremely detrimental to your SEO.
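The redirect rule above as working code, added as an example rather than taken from the article or from any particular web server: a wrapper that 301-redirects plain-HTTP requests to the same host, path and query on https://, serves requests that already arrived over TLS without redirecting (so it cannot loop), and, for contrast, the homepage-redirect mistake described above. The host name yourwebsite.com is taken from the article; the paths and query strings are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// okPage stands in for the real site: it serves whatever page was requested.
var okPage http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("secure page: " + r.URL.Path))
})

// requireHTTPS wraps a site handler. Requests that arrived over plain HTTP get a
// 301 to the same host, path and query on https://, so http://host/page?x=1
// lands on https://host/page?x=1. Requests already on TLS are served as-is,
// which keeps the redirect from looping if the wrapper is mounted on both
// listeners. Behind a proxy or CDN that terminates TLS, r.TLS is nil and the
// original scheme would have to be read from the proxy's forwarding header.
func requireHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			next.ServeHTTP(w, r)
			return
		}
		target := url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
		http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
	})
}

// homepageRedirect is the mistake described above: every insecure request is
// sent to the secure homepage and the page the visitor asked for is lost.
var homepageRedirect http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+"/", http.StatusMovedPermanently)
})

// redirectTarget runs h against a request for rawURL and returns the status
// code and Location header, which is what a browser or crawler would act on.
func redirectTarget(h http.Handler, rawURL string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", rawURL, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	code, loc := redirectTarget(requireHTTPS(okPage), "http://yourwebsite.com/blog/post?utm=1")
	fmt.Println(code, loc) // 301 https://yourwebsite.com/blog/post?utm=1
	code, loc = redirectTarget(homepageRedirect, "http://yourwebsite.com/blog/post?utm=1")
	fmt.Println(code, loc) // 301 https://yourwebsite.com/
}
```

A quick way to audit a live site for the same thing is to request a few deep URLs over http:// and confirm each answer is a single 301 whose Location is the https:// version of that exact URL, not the homepage and not a chain of redirects.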