Recently, Google announced that it has started using HTTPS as a signal when ranking websites. Thus, all other elements being equal, HTTPS websites get preference over HTTP ones.
However, Google has also decided to go a step further: pretty soon, it will mark HTTP websites as “unsafe” and warn users about websites that are not using HTTPS.
Under a change proposed for the Google Chrome web browser, visiting a website over plain HTTP will show a red X mark in the address bar. As of now, Google Chrome uses this mark only when a website’s SSL/TLS certificate is invalid or incorrectly configured, thereby warning the user that there is a problem with the certificate of the active website.
However, after the new change is in effect, even otherwise harmless websites that serve no malware, say your photoblog or a casual blog, will be marked as “unsafe” in Google Chrome, because the warning concerns the unencrypted connection rather than the content.
This change, though being promoted as something to safeguard the web, is viewed by some webmasters as more of a monopolistic move by Google. By “forcing” webmasters to use HTTPS, Google may or may not make a safer internet, but it surely is making life difficult for the average user who just wishes to have a generic blog or website.
You can find related details on the Encrypt All The Things campaign site as well.
What do you think of this development? Have you started using HTTPS on all your websites? Share your views in the comments below.
HTTP Dead!
Source? Link to the announcement mentioned? All I can find are a proposal from the Chromium security team and articles dating from 2014. Thank you!
It has been announced for a while and the long notice period was given to allow people to transition to TLS.
Cite your sources. I need something from Google to take this to my manager.
This is definitely not a good move for education sites. I have multiple sites that push information to students. No advertising, just straight content. Now I have to go learn how to implement https in addition? Please google, no.
It’s not that bad: an SSL cert costs less than £7 for a single domain for a year, which is extremely inexpensive, and a must for any website today. Not only will it make your site faster by allowing you to use HTTP/2, but it will also secure your users, which is incredibly important for any website, especially if you are handling user data.
If you are serious about your website and your users, then you should use HTTPS. If you use dedicated hosting you can now also use a service called Let’s Encrypt for free certificates.
You shouldn’t be forced to use HTTPS if your website only displays content and at no point requires any users to enter any sensitive material.
£7 per year may not be a lot of money, but consider the impact for a non-profit that has multiple websites and no advertising income whatsoever. Also, consider the additional cost of developers unfamiliar with HTTPS having to learn how to reconfigure a website.
SSL certs, and in fact hosting, are free for non-profits from a wide array of services, and those who are not a charity or organisation can sign up to Cloudflare, which provides free SSL certs with no install required. It’s extremely simple to install an SSL cert if you don’t go with Cloudflare; most hosting companies will do it for you.
So why should anyone pay the £7 per year you mentioned before, if there are free alternatives?! What’s the advantage of paid SSL certs versus the free ones offered by Cloudflare?
Nothing, apart from the fact that it is yours. Cloudflare uses new technology that allows many sites to get certificates easily, using something called SNI, which allows for multiple certificates from one IP and thus allows Cloudflare to offer certs for free. The future would be that your web hosting provider provides this as standard, something which Google will be enabling with this, as more sites will pressure them to do so, as they should.
The only real problem with this is that it is not full security, however for most sites it should suit them fine.
Thanks.
The problem with your SSL for everyone is that now everyone will need a dedicated IP to run the certificate. A lot of basic shared hosting sites do not offer this option without paying extra. Thus, it is not $14 for a basic SSL certificate (don’t trust the ones that are free with shared hosting, because they are not secure but only point back to the host; you’ll get alerts each time you open the site): you’ll have to pay for the IP address. This will cost non-profits and schools a lot of money, because they run multiple domains and each one has to have this. Yikes.
Your answer to that is Cloudflare, which offers free SSL to all of their customers, and it works perfectly fine for shared hosting, without the need for a dedicated IP, and it does that with security features and HTTP/2 compatibility.
Also you will find there are a lot of services that will set-up complete SSL packages for non-profits, at no cost.
Obviously you aren’t keeping up.
SNI has been available in almost every supported OS and browser for quite a while. With this you don’t need a dedicated IP address for TLS.
Obviously, I’m not. It’s not my typical work. Thank you for the information.
No. SNI isn’t available in Windows XP which is still the most popular OS in many organizations.
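The SNI question in the replies above (one IP, many certificates, and what happens with a client that sends no name) comes down to a single extension in the TLS ClientHello. The following is an added example, not code from the article or from any commenter: it builds a ClientHello with and without the server_name extension and reads the name back the way a multi-tenant server does before choosing a certificate. The certificate table, default certificate and host names are made up for illustration.

```python
"""Build a TLS 1.2 ClientHello with and without the server_name (SNI) extension
and read the name back the way a server hosting several sites on one IP address
does before choosing which certificate to present. All bytes are constructed samples."""
import struct
from typing import Optional

TLS12 = b"\x03\x03"
# Two common suites, enough to make the message well-formed.
CIPHER_SUITES = b"\xc0\x2f\xc0\x30"   # TLS_ECDHE_RSA_WITH_AES_{128,256}_GCM_SHA{256,384}


def sni_extension(hostname: str) -> bytes:
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(server_name_list)) + server_name_list  # extension_type server_name(0)


def client_hello(hostname: Optional[str]) -> bytes:
    """hostname=None gives the extension-less hello that an SNI-incapable client sends."""
    body = TLS12 + bytes(32)                                   # version, client_random (zeros: sample only)
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
    body += b"\x01\x00"                                        # compression_methods: null only
    if hostname is not None:
        exts = sni_extension(hostname)
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello(1), uint24 length
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if the client sent no SNI."""
    if record[:1] != b"\x16":
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression_methods
    if p >= len(hs):
        return None                                 # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + length]
        p += 4 + length
        if ext_type != 0:
            continue
        q = 2                                       # skip the ServerNameList length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("idna")
    return None


# Hypothetical per-name certificate table for one shared IP address.
CERTIFICATES = {"blog.example": "cert for blog.example", "shop.example": "cert for shop.example"}
DEFAULT_CERT = "cert for the hosting company's default name"


def choose_certificate(record: bytes) -> str:
    """Without SNI the server can only fall back to its default certificate, which is
    why a client that sends no name gets a name-mismatch warning on a shared IP."""
    return CERTIFICATES.get(extract_sni(record), DEFAULT_CERT)
```

The name travels in the clear before any key is agreed, which is what lets the server pick a certificate per site on one address; it also means a client that omits the extension (the Windows XP case raised above) can only ever be handed the default certificate.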
First off, it’s a big lie, and they will be sued by the websites that are perfectly safe and that they label as unsafe, committing slander. Not all websites are handling money transactions, and the ones that do are expected to be using HTTPS already. But that does not mean an information-only site needs HTTPS, and Google will need to say how it’s unsafe or face a class action lawsuit.
How about blogs with a login section such as WordPress, Joomla!, Drupal? Potentially passwords being intercepted could lead to viruses being uploaded.
> But that does not mean an information only site needs HTTPS
That is only if you don’t consider the spread of false information (by man-in-the-middle attacks) a security risk.
With HTTP there are all kinds of security risks: you are not only transmitting personal info to the website you access, but you are also transmitting data to anyone on your connection. All they need to know is how to code, and they can access all of the information about what websites you go to and what you do. HTTPS stops this.
HTTPS also stops something called a man-in-the-middle attack, where a hacker can spoof the website the user is visiting, making them think that they are accessing the website they want to, but in actuality they are visiting one that has been manipulated by the hacker.
HTTPS is extremely important, and it should be on every website on the web, I suggest you watch a video on YouTube from Google I/O 2014 called HTTPS Everywhere, it might help you understand.
HTTPS is totally irrelevant for websites that only display content and at no point require ANY users to enter ANY sensitive material.
It actually isn’t, as I explained above. If you want to leave your users unsecure, then that’s your thing; however, you’re gonna lose out a lot from doing so: you won’t get HTTP/2, you won’t be able to access some features within the browser, you won’t get the SEO boost from Google, and you won’t be able to take advantage of some of the latest technologies without HTTPS.
And tbh, there’s no excuse for not using a HTTPS connection anymore, aside from laziness the previous barriers that existed no longer do. If you can afford hosting, you can definitely afford an SSL certificate, they are even free from a number of services, and they are simple to install, with plenty of tutorials on the net.
The concept “unsecure” is totally meaningless for websites where you can’t even log in.
There is no “secure” or “unsecure” for websites where you can’t even log in. In such a context, the concept “unsecure” is totally meaningless.
Of course there is. You obviously don’t understand the concept of security: your computer and information can be accessed through an insecure website, do you understand that? It doesn’t matter if they can log in. Via an insecure connection a hacker is able to do whatever he/she wants: they can install malware on your computer, get you to type in information on forms you thought were secure but are received by the hacker, or literally anything else.
HTTPS is the future of the internet, one day it will be standard for all the web, Google may be the first to do something like this but everyone will follow soon after, and with HTTP/2 requiring HTTPS, HTTP is dead.
“Your computer and information can be accessed through an insecure website, do you understand that?”
I’ve always thought of HTTPS as just HTTP, but encrypted. I really don’t see how HTTP makes it easier for hackers to access my computers than using HTTPS if I’m not sending any sensitive info to the server.
So how is a hacker able to access my computer when I visit a website that uses HTTP and how does HTTPS prevent that?
So basically, when you access a website via HTTP, all of the communication between your computer and the server is transferred in plain text. If a hacker were to sit themselves between you and the server, they would be able to see this text and manipulate it to their needs.
And it also shows cookies in plain text, meaning that if you log into an HTTP website (even if that website uses an HTTPS login, but not for the rest of its site) they can access that website as you, without knowing your login details.
HTTPS stops this by encrypting all of this text and data, the only way to decrypt it is to have both the public key and the private key of the certificate (the browser provides the public key, the server has the private), thus a hacker can no longer see your data or manipulate it, and you are 100% safer.
“meaning that if you log into a HTTP website”…
I get THAT. However, I’m talking about websites WITHOUT a login, WITHOUT cookies, etc.
I’m talking about display-only websites that require NO sensitive data to be entered at ANY time.
And as I said, ALL data is transferred in plain text on HTTP; that means ALL data can be manipulated to do anything, literally anything. For example, WebDesignLedger is an HTTP website. It doesn’t have a login, but because it uses HTTP, if a hacker were to access the connection between your computer and the server, they could load scripts that, for example, install malware on your computer, thus allowing them to access sensitive data from anything on your computer. They could even change the actual content of the site to anything they want, such as making a giveaway post, where they could also collect sensitive data from you.
This has been done en masse in the past, and is the main reason why Google is being so hard on HTTP.
HTTP basically allows a hacker to do anything they desire, HTTPS stops that.
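The two attacks the reply above describes, reading cookies out of a plaintext request and injecting a script into a plaintext response, are short to write down. The following is an added example, not code from the article or from any commenter: it runs both against a constructed HTTP exchange for a logged-in WordPress reader, then shows why the same edit fails against a record carrying an authentication tag. The HMAC-based `seal`/`open_record` pair is a simplified stand-in for TLS record protection (real TLS also encrypts, so the attacker would not even see the cookie); the host name, cookie values and key are made up.

```python
"""What an on-path attacker can do with a plaintext HTTP exchange, and why a
per-record authentication tag (which TLS adds on top of encryption) stops it.
The request and response bytes are constructed samples, not captured traffic."""
import hashlib
import hmac
from typing import Dict, Tuple


def split_message(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split an HTTP/1.1 message into start line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def join_message(start: bytes, headers: Dict[bytes, bytes], body: bytes) -> bytes:
    head = b"\r\n".join([start] + [k + b": " + v for k, v in headers.items()])
    return head + b"\r\n\r\n" + body


def steal_cookies(raw_request: bytes) -> Dict[bytes, bytes]:
    """Read every cookie out of a plaintext request; the session cookie alone lets the attacker act as the user."""
    _, headers, _ = split_message(raw_request)
    jar: Dict[bytes, bytes] = {}
    for part in headers.get(b"cookie", b"").split(b";"):
        name, sep, value = part.strip().partition(b"=")
        if sep:
            jar[name] = value
    return jar


def inject_script(raw_response: bytes, payload: bytes) -> bytes:
    """Append a <script> to any HTML response and fix Content-Length so the browser accepts it."""
    start, headers, body = split_message(raw_response)
    if not headers.get(b"content-type", b"").startswith(b"text/html"):
        return raw_response                     # leave images, CSS, etc. alone
    body = body.replace(b"</body>", b"<script>" + payload + b"</script></body>", 1)
    headers[b"content-length"] = str(len(body)).encode()
    return join_message(start, headers, body)


TAG_LEN = hashlib.sha256().digest_size


def seal(record: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record protection: only an HMAC tag here (real TLS also encrypts)."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def open_record(sealed: bytes, key: bytes) -> bytes:
    record, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, record, hashlib.sha256).digest()):
        raise ValueError("record failed authentication: modified in transit")
    return record


# Constructed sample exchange for a logged-in WordPress reader on plain HTTP.
REQUEST = (b"GET /blog/ HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Cookie: wordpress_logged_in_1a2b=admin%7C1700000000%7Cdeadbeef; PHPSESSID=9d8f7e\r\n\r\n")
BODY = b"<html><body><h1>Slow cooker tips</h1></body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
            + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)


def tampering_detected(key: bytes = b"session-key-from-handshake") -> bool:
    """Apply the same injection to a sealed record; the receiver rejects it."""
    tampered = inject_script(seal(RESPONSE, key), b"alert(1)")
    try:
        open_record(tampered, key)
    except ValueError:
        return True
    return False
```

Note that nothing in `inject_script` depends on the site having a login: any HTML page the browser trusts is a place to run attacker-chosen script in the origin of that site.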
Exactly why we’re working on implementing HTTPS ourselves, it matters. We might need to do an article discussing the ways that an non-HTTPS site is susceptible to attacks, even if no sensitive information is entered. We personally use getcloak.com on our computers to minimize some of the risk in public places.
I think an article would be a great idea, as a lot of people really don’t know why HTTPS is important, even for sites that don’t use a login form, and sure a VPN is a great option, depending on how much you trust them anyway.
A stupid move if Google goes ahead with such thing.
A website using HTTPS is not safe, since they can easily store or transmit your personal data in a malicious way without your consent. So using HTTPS does not make the website safe, and HTTPS does not make a website unsafe!
This is ridiculous. And it won’t mean a thing when 90% of all sites out there are labeled unsafe, it will become moot. So basically labeling all sites unsafe will make it impossible to tell which sites ARE unsafe. Good call, Google. {{{Morons.}}}
I understood when Google implemented changes to their algorithm regarding mobile accessibility but this one seems like a bit much. I’m all for keeping users safe but if this change is really going to happen then they should give a much longer official notification period to webmasters.
Just an FYI. Let’s Encrypt will essentially provide all sites with a free opportunity to secure an SSL. If you are too lazy or stupid to learn how to use it, or pay someone to use it for you, then you speak for the value and quality of your ideas more than Google. Stop being lazy, go get a cert.
How will this rule impact other search engines?
While I agree SSL is the way to go, moving an existing WordPress site to SSL is a NIGHTMARE!!! Sure, Cloudflare gives you a “Flexible SSL” cert, but it doesn’t enforce SSL, so you’re not REALLY getting SSL until you force your site’s URLs to be https. That part in WordPress is something anyone without a lot of SQL and PHP experience isn’t going to be able to do.
So while Nicholas Griffin is technically correct that Cloudflare offers “free SSL”, if you’re not a web developer, don’t even bother.
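The point in the comment above is that a certificate on the edge is not the same as an enforced HTTPS site: plain http:// may still serve the page, there may be no HSTS, and a WordPress install whose site URL is still http:// keeps emitting http:// links and stylesheet references. The following is an added example, not code from the article or from any commenter: a small audit routine run over constructed responses standing in for what `curl -i` would return for a "Flexible SSL" site and for a properly enforced one. The host name, the six-month HSTS threshold and the finding wording are this example's own choices.

```python
"""Check whether a site really enforces HTTPS, rather than merely answering on
port 443. The responses below are constructed samples, not captured traffic."""
import re
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)

# Sub-resources an https:// page would fetch over http:// (browsers block or downgrade these).
RESOURCE_RE = re.compile(
    r'<(?:script|img|iframe|link)\b[^>]*?\b(?:src|href)=["\'](http://[^"\']+)', re.I)
# Ordinary links that send the visitor back to http:// (typical of an unchanged WordPress site URL).
ANCHOR_RE = re.compile(r'<a\b[^>]*?\bhref=["\'](http://[^"\']+)', re.I)

MIN_HSTS_MAX_AGE = 15552000   # six months; threshold chosen for this example


def find_mixed_content(html: str) -> List[str]:
    return RESOURCE_RE.findall(html)


def find_http_links(html: str) -> List[str]:
    return ANCHOR_RE.findall(html)


def audit_https(origin: str, http_resp: Response, https_resp: Response) -> List[str]:
    """Return a list of findings; an empty list means HTTPS is actually enforced."""
    findings: List[str] = []

    status, headers, _ = http_resp
    location = headers.get("Location", "")
    if status not in (301, 308) or not location.startswith("https://" + origin):
        findings.append("http:// is not permanently redirected to https://")

    status, headers, body = https_resp
    hsts = headers.get("Strict-Transport-Security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("no Strict-Transport-Security header")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age shorter than six months")

    for url in find_mixed_content(body):
        findings.append("mixed content: " + url)
    for url in find_http_links(body):
        findings.append("link back to http://: " + url)
    return findings


# Constructed sample: edge certificate present, nothing else changed.
FLEXIBLE_SSL_SITE = (
    (200, {"Content-Type": "text/html"}, "<html><body>served over plain http too</body></html>"),
    (200, {"Content-Type": "text/html"},
     '<html><head><link rel="stylesheet" href="http://www.example.com/style.css"></head>'
     '<body><a href="http://www.example.com/about/">About</a></body></html>'),
)

# Constructed sample: redirect, HSTS, and relative URLs throughout.
ENFORCED_SITE = (
    (301, {"Location": "https://www.example.com/"}, ""),
    (200, {"Content-Type": "text/html",
           "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
     '<html><head><link rel="stylesheet" href="/style.css"></head>'
     '<body><a href="/about/">About</a></body></html>'),
)
```

Run against the two samples, the enforced site produces no findings and the "Flexible SSL" site produces four: no redirect, no HSTS, one mixed-content stylesheet and one link back to http://. The last two are exactly what is left over when the WordPress site URL is not updated after the certificate is installed.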
Of course, installing an SSL certificate is neither difficult nor terribly expensive. If it helps with SEO, why not just get one?
This doesn’t sit quite right with me. Yeah I get that financial and secure sites should have HTTPS and there is a technical and security need to protect and define those types of sites, but all websites? Even those websites and blogs that are someones slow cooking blog, photos of their cats or the local band showing off what they can do down the local pub? Surely this cannot be right to label the last three sites as “unsafe” and then to warn users not to go to those sites? It will make a mockery out of determining which sites are actually “unsafe” and users will just end up clicking through to all sites whether they see a warning or not.
I have a cheap hosting deal where I can add URLs for a few bucks and forward them to subfolders on my site. I have about 20 or so personal web sites I set up as vanity sites for my friends and family. Simple, content only sites that usually don’t change for years. Just got a call from GoDaddy asking to buy certs for them. They quoted me something like 1600 dollars a year. I said I’ll deal with Google blacklisting me. Ridiculous.
Will Google only be able to enforce this on the Chrome browser?