What Google’s new SSL policy means for your website.
You’re probably already familiar with SSL certification from looking at URLs in your address bar. Secure websites are those that begin with HTTPS rather than the standard HTTP. As you can probably surmise, the “S” stands for “secure.”
Meanwhile, SSL stands for Secure Sockets Layer, and is the standard security technology for encrypting data as it passes between your browser and your web server. It helps guard your website against “man in the middle” attacks, which happen when a hacker manages to intercept your data on its way to or from your browser and the page you are visiting. SSL encryption means that, even if that data is captured, the hacker won’t be able to read it.
However, without SSL certification, that encryption procedure can’t take place. This is because your SSL certificate is what contains the necessary information about the certificate holder and their public encryption key that the web server needs in order to establish the secure connection.
Without that encryption in place, and personal information that you enter into your browser is at risk. That can mean anything from your credit card information to your email address.
Google has promoted the use of HTTPS as the standard for all websites. However, in 2017 they decided it was time to make a stronger push. Here’s how their new rules could affect your business. But first, let’s answer a more basic question: do you need it?
Is SSL certification required for my business?
Many e-commerce businesses already use SSL Certification, because they need it to comply with Payment Card Industry (PCI) security requirements. Any website collecting credit card information must have SSL certification. If they don’t, they are putting their customers at severe risk for identity theft, which can have legal ramifications for their business.
However, many websites only use SSL encryption on pages where sensitive information is being submitted. You can follow this strategy, but it has some flaws. The biggest is that it’s easy to overlook places where you’re asking users to submit information.
Credit card data is obvious. But what about login and password information? Any login or registration page must be SSL secured, and on any site that keeps a login portal in the top navigation bar, that means every page.
What if users don’t need to login to your site? They still have your forms to contend with. As we’ve covered in much of our content marketing posts, one of the key ways to attract leads in any good marketing campaign is through downloadable content. And to get that content, we ask for your email address. That means that page where you’re asking users to download your e-book, sign up for your mailing list, or otherwise enter their email address into a contact form needs SSL certification.
There’s one final risk of leaving your website uncertified: hackers can intercept and modify data on the way to your users. They can then use this to obtain secure information from your users.
What does Google have to do with it?
Back in 2014, Google stated that HTTPS was a factor in ranking results. Not a major factor, as Moz has shown, but not one to ignore. Essentially, Google wanted to incentivize users to make the switch, and decided to link SSL certificates and SEO more closely.
Their latest move, however, is to deliver a stronger warning to their Chrome users as they browse the Internet. The current warnings look like this:
But by the end of the year, Chrome is expected to update their display to a warning like this:
Their concern was that users either didn’t notice their previous signal, or else didn’t treat it seriously enough. They also expect the new update to provide extra motivation to site owners to buy SSL certification.
While these changes only affect Chrome users, at least one other web browser is following suit. FireFox has announced their own updates, which include a grey padlock with a red strike through it in the URL box, and an extra warning in password fields.
“But it’s my website, how can Google tell me what to do with it?”
It may be your website, but it’s your customer’s data. And Google isn’t forcing you to do anything: you don’t want to put SSL certification on your website? Fine. But if you expect Google to rank you, then you have to play by Google’s ranking rules. If you don’t like it, enjoy your traffic from Bing.
No, but seriously: putting SSL certification on your website is what’s best for your customers, and that makes it best for you, too. Google has strong and compelling reasons for encouraging web owners to make the transition to HTTPS. And web owners have fewer excuses not to. You can even find free and credible SSL certification from sources such as Let’s Encrypt.
Will you still have to set it up and take some extra precautions to ensure that you don’t do any damage to your SEO? Yes. But it’s well worth the effort to ensure that all your Chrome users don’t see a giant red “Not secure” warning every time they come to visit your site.
You’re no longer an early adaptor.
It used to be that having an SSL certificate on your website was a small way to signal that your website was ahead of the crowd—going the extra mile in the service of your users. This is no longer the case. With their announcement of the coming changes, Google also stated that more than half of Chrome desktop page loads are now served over HTTPS.
This means that, the longer you wait, the worse it will look from an end-user perspective. It seems like every day we see a new story break about some hacking attempt or security breach that has compromised the personal information of millions of users. This is one small step you can take to show your users that you are doing your best to make sure you are not responsible for their data ending up in the wrong hands.
Isn’t it worth taking?