Chrome Browser to Flag non-HTTPS Sites as Insecure


Chrome version 56, which is scheduled for release in January 2017, will announce to the world whenever it visits a webpage that transmits password or credit card information insecurely. So what does that mean for you?

It means if you allow people to log into your website or you collect credit card information, you need to get an SSL certificate before that change goes into effect.


Google had previously announced in 2014 that HTTPS (SSL secured HTTP connections) was a minor ranking factor in search engine results.

“For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”

Back then in 2014, we were only recommending getting an SSL certificate if you were accepting credit cards on your website, because the rankings affected less than 1% of sites.

However, with this new push by Google’s Chrome to start flagging sites as insecure, we are now strongly recommending anyone who has visitors logging in and anyone who does eCommerce to get an SSL certificate by January. 

Many of the WordPress managed hosting companies like Flywheel and WP Engine are providing free SSL certificates from Let’s Encrypt to their users. So we recommend anyone on those services to go ahead and get a certificate now, as it’s just a matter of time until Chrome starts to flag all websites with any form fields as insecure.

I expect other hosting companies to start coming out with free SSL certificates from Let’s Encrypt or to start including SSL certificates in their hosting plans soon. In fact, WordPress has announced that they will start to only promote hosting companies which include SSL certificates.

How do you get an SSL certificate for an HTTPS connection?

If you are using a hosting company like Flywheel or WP Engine that offers the free Let’s Encrypt certificates, it is extremely easy. Here is just how easy it is at Flywheel:

First, go to Add-ons and click on “Add SSL”. Then leave the Simple SSL selected and click on Configure SSL.


Then enter your information and click on “Complete SSL Setup”.


Once the form is completed, I see most certificates ready to use in about 5 minutes. After you have gotten your certificate, go to the advanced options and turn on Force SSL. Force SSL redirects all requests that come in over HTTP to HTTPS.


Now check that your site is properly delivering HTTPS.

To do so, enter your URL into Why No Padlock. If everything is properly set up, you’ll see a list of green check marks indicating that everything is good.


If you see red error messages, then some items on your website are being loaded insecurely (over HTTP rather than HTTPS), and you’ll need to find and fix them. How to fix those errors will depend on the details of your website; you should contact a qualified web developer to assist you.
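The kind of check described above can also be run locally against a page's HTML. The following is an added example, not code from the original post or from Why No Padlock: it reports whether a page served over HTTP contains password or card fields, and which items an HTTPS page still requests over HTTP. The card-field heuristic (`autocomplete="cc-..."`), the function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a fetch or form post; <a href> navigation is left out.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src",
               "object": "data", "link": "href", "form": "action"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sensitive = []   # (kind, field name) for password / card inputs
        self.insecure = []    # (tag, absolute URL) requested over plain http

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            # Assumed heuristic, not Chrome's real detection logic.
            if a.get("type", "").lower() == "password":
                self.sensitive.append(("password", a.get("name", "")))
            elif any(t.startswith("cc-") for t in a.get("autocomplete", "").lower().split()):
                self.sensitive.append(("card", a.get("name", "")))
        attr = FETCH_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return
        url = urljoin(self.page_url, a[attr])  # resolves relative and //host URLs
        if urlsplit(url).scheme == "http":
            self.insecure.append((tag, url))

def audit(page_url, html):
    """Report what a visitor's browser would object to on this page."""
    p = PageAudit(page_url)
    p.feed(html)
    p.close()
    https = urlsplit(page_url).scheme == "https"
    return {"not_secure_warning": not https and bool(p.sensitive),
            "sensitive_fields": p.sensitive,
            "mixed_content": p.insecure if https else []}

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script></head><body>
<img src="//img.example.com/logo.png"><a href="http://other.example.org/">elsewhere</a>
<form action="http://www.example.com/login" method="post">
<input type="text" name="user"><input type="password" name="pass">
<input name="card" autocomplete="cc-number"></form></body></html>"""
```

Calling `audit("https://www.example.com/login", SAMPLE)` lists the hard-coded `http://` script and form action, while the relative stylesheet and the protocol-relative image follow the page's own scheme and are not reported.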

How to get a paid SSL certificate

If you need a wildcard SSL certificate (a single certificate that covers multiple subdomains of a domain, rather than one hostname) or your hosting company doesn’t offer free Let’s Encrypt certificates, you will need to purchase an SSL certificate.

If your hosting company offers SSLs, it is frequently less hassle to just get your SSL from them. If not, you may need to purchase an SSL elsewhere, such as your registrar.

I’ve purchased SSL certificates from various sources before, and the processes have varied vastly. For example, SSL certificates from GoDaddy normally issue in 1-2 hours, whereas when purchasing an SSL certificate from Network Solutions it took over a week.

Your hosting company may also have other requirements when installing an SSL — for example, many low cost shared hosting plans do not even allow SSLs to be installed. You need to upgrade your plan and/or purchase add-ons before the company will even allow an SSL to be installed.

The typical cost for a basic SSL is $40-$100 depending on where you purchase it. This is normally a yearly fee. If you need a wildcard SSL, it will cost more.

You also need to keep an eye on your certificate once you have it.

If your certificate is not set up to auto-renew, or it was not issued through your hosting company, then when it expires you may suddenly get a lot of flags on your website about the site being insecure. Many browsers now display large warning notices when an SSL certificate has expired.
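One way to keep an eye on expiry is a small script run on a schedule. This is an added example, not part of the original post; the function names and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
import time

def days_left(not_after, now=None):
    """Whole days until notAfter, given in getpeercert() form such as
    'Jan  5 09:34:43 2018 GMT'. Negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(not_after, now=None, warn_days=30):
    """Map the remaining lifetime to EXPIRED / RENEW SOON / OK.
    warn_days=30 is an assumed threshold, not a value from the article."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED", remaining
    return ("RENEW SOON" if remaining <= warn_days else "OK"), remaining

def check_host(host, port=443, timeout=10):
    """Connect the way a browser would and classify the served certificate."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise invalid) certificate fails the
        # handshake, which is the same condition browsers warn visitors about.
        return "INVALID", exc.verify_message

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Run it with your own hostname as the argument; anything other than `OK` means the certificate needs attention before visitors start seeing warnings.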

What if I don’t get an SSL now?

If your website accepts passwords or credit cards and you don’t get an SSL certificate now, you’ll be losing business in January when the Chrome update rolls out. People are getting far more cautious about internet security and are leaving sites, never to return, if their browser gives them a warning.

If you don’t have any password or credit card fields on your website, you can hold off for now, but you’ll need to keep an eye out for future updates in which Google starts flagging more sites as insecure. Google is making a very strong push to move the entire internet to HTTPS, and it’s just a question of when the next update will come out.
