Google’s Not-So-Subtle Shaming of Unencrypted Websites Begins

A few years ago Google announced that it was going to lead the charge towards an encrypted and more secure web. They followed that by announcing a slight search engine boost for encrypted sites and more recently announced that they would start more aggressively pushing websites towards encryption. With the latest update to Google Chrome, the world’s most widely used web browsing software, that push is starting to show.

The New “Warning” Icon

The screenshot below shows the most recent Chrome address bar for an encrypted and an unencrypted website. Note that the encrypted site (google.com) shows a green padlock and the https:// prefix on the address. The unencrypted site (bing.com) shows only an “i” information icon that at first glance looks more like a warning sign.

Chrome Browser showing encrypted and unencrypted sites.

So what should website owners do?

Quite simply, it’s time to make the switch to “Encryption by default”.

When you connect to a website your communications with that site can either be secure and encrypted via HTTPS or sent as plain text via HTTP. Initially, HTTPS was used only where a website was transferring or collecting sensitive information or conducting business online, and many websites still only use encryption in these cases. Google’s “HTTPS everywhere” campaign calls for ALL websites, regardless of the content or activities, to use strong encryption by default.

“Encryption by default” ensures that all communications with a website are encrypted even if a user tries to access a site using a non-secure HTTP link. This requires additional configuration of the web servers.

Certificate Options

The Wikipedia website is encrypted by default. In this screenshot from Internet Explorer, the black padlock on the right indicates a validated certificate and encrypted communications with wikipedia.org.

Activating HTTPS for a website involves the purchase and installation of an “SSL” Certificate from a trusted Certificate Authority (CA). Modern web browsers (such as Chrome, Internet Explorer, Safari, Firefox) are designed to trust the major CAs, so your browser will recognize a valid certificate issued by a trusted CA and show users the little green or black padlock on their web browser to indicate a secure connection.

In some cases valid and secure connections will also show a “green bar” with the company name. “Green Bar” certificates, also known as “Extended Validation” or “EV” certificates, require more extensive company-level validation and are more expensive as a result, but the level of encryption they offer is no better than the regular Domain-Level certificates. Domain-Level certificates require only that the website owners prove that they control the website domain name, generally through e-mail. EV certificates can cost from $100 to $600 per year, while Domain-Level certificates can cost from $5-$50 per year.

The PayPal website uses an Extended Validation or EV certificate which identifies the company associated with the website.

Other Considerations

Once you have installed and activated HTTPS on your website, it’s a good idea to run some tests (links at the end of this article) to ensure that your server’s software is up to date and that insecure connection attempts are properly redirected to a secure one.

Using a proper server-side “301 redirect” to your secure site will ensure that search engines record the change as your new default address.

Make sure that your website is properly coded to avoid “mixed content” errors. If your web page includes any content from unsecured HTTP sources, the entire connection will be considered insecure.
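The two checks above can be scripted. The following is an added example, not part of the original article: it flags subresources a page loads over plain HTTP and verifies that the answer to an http:// request is a 301 pointing at an https:// address. The sample page, the example.com host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

class MixedContentFinder(HTMLParser):
    """Collects (tag, url) pairs for subresources requested over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag in SRC_TAGS:
            url = a.get("src", "")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            url = a.get("href", "")
        else:
            return  # e.g. <a href>: a navigation link, not a loaded subresource
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

def check_redirect(status, location):
    """Problems with the server's answer to a plain http:// request."""
    problems = []
    if status != 301:
        problems.append(f"status is {status}, not a permanent 301")
    if urlsplit(location or "").scheme != "https":
        problems.append("Location does not point to an https:// URL")
    return problems

# Constructed sample page served over HTTPS (example.com is a placeholder).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://partner.example.com/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
    print(check_redirect(302, "https://example.com/"))  # constructed response
```

The plain-HTTP link in the `<a>` tag is not reported: it is only a navigation target, while the stylesheet and image are fetched as part of the secure page.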

Useful Resources

SSL/TLS Deployment Best Practices (PDF)

Google HTTPS Best Practises (Link)

Qualys SSL Labs SSL Server Test (Link)

How to Get Help

Need some help updating your website? Please e-mail [email protected].