April 26, 2017

White-paper: The “Not Secure” Google Warning

As you may (or may not) know, my day job is working as a ‘Search Account Manager’ for an award-winning digital marketing agency in the UK.

Outside of the usual day-to-day activities, I also try to share some of the knowledge we have inside the building with others. This can be in the form of video content presenting the occasional “Giant Thursday”, or writing white-papers.

I wrote one not too long ago, about the ‘new’ warning that Google will be enforcing in 2017 for sites that are not utilising HTTPS. If that’s the kind of thing that keeps you up at night…you’re in for a treat. If you get scared at acronyms like CRO, SEO, PPC and GMT, go read something else, this post is not for you.

New updates to Chrome highlight all HTTP web pages as ‘NOT SECURE’

Google’s Chrome browser will be updated this January. The update will see the term “Not Secure” appear in the URL bar for any HTTP sites, which could have a dramatic impact on the number of users visiting the site. If you are running a site on HTTP, read on to find out how you can avoid this potential usability issue.

As one of Google’s ever-evolving missions, safe and secure browsing is going through another development. Google released an update to their blog post back in December 2016, where they announced that the new Google Chrome browser will now mark non-secure pages containing password and credit card input fields as ‘Not Secure’ in the URL bar. This is all part of a long-term plan to mark all HTTP sites as non-secure.

Studies show that the absence of ‘secure’ signage doesn’t reflect the real browsing experience: users are unfazed by a neutral indicator, when in fact a site loaded via an HTTP connection can be intercepted, viewed and modified before it reaches the user.

Considering Chrome accounts for almost 56% of the global browser market share, this change could potentially have an impact on the way users view a site. Not only that, but Google also takes HTTPS into consideration when ranking your site. Hopefully, this white paper will give you the information you need to update your website or one you have worked on and keep it in tip-top order.

How to preview the warning

This update is scheduled to take effect at the end of January 2017, enabled by default for all users on Chrome 56.

If you want to preview this update before it rolls out, install the latest version of Google Chrome Canary and follow the procedure below.

  1. Configure Chrome to show the warning by opening: chrome://flags/#mark-non-secure-as
  2. Set the option ‘Mark non-secure origins as non-secure’ to ‘Display a verbose state when password or credit card fields are detected on an HTTP page’.
  3. Now relaunch your browser.

When the ‘Not Secure’ warning is displayed, the DevTools console shows the message:

This page includes a password or credit card input in a non-secure context. A warning has been added to the URL bar.

How to resolve the warning

To ensure your pages don’t display the ‘Not Secure’ warning, every form containing an <input type=password> element, and any credit card input field, must be served from a secure source. Your top-level page will therefore need to be HTTPS (if the input is in an iframe, that iframe must also be sourced through HTTPS).

Warning! You can’t just rely on the iframe being HTTPS to remove the warning; the top-level page must also be secure.

Ideally, you’ll want to change the entire site to use HTTPS. Alternatively, you could redirect the browser to an HTTPS page containing the login form.
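The rule above can be checked mechanically before Chrome does it for you. The following Python is an added example, not code from the white paper or from Chrome: it walks a top-level page and the iframes it embeds and reports every password or card input that would trigger the warning. The page URLs and markup are constructed, and treating autocomplete="cc-*" as a credit card field is an assumption standing in for Chrome's own detection.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormScanner(HTMLParser):
    """Collect sensitive inputs and iframe sources from one HTML document."""
    def __init__(self):
        super().__init__()
        self.sensitive, self.iframes = [], []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        autocomplete = a.get("autocomplete", "").strip().lower()
        if tag == "input" and a.get("type", "").strip().lower() == "password":
            self.sensitive.append("password")
        # Assumption: autocomplete="cc-*" stands in for Chrome's card detection.
        elif tag == "input" and autocomplete.startswith("cc-"):
            self.sensitive.append(autocomplete)
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

def audit(top_url, pages):
    """Return (frame_url, field, reason) per flagged input; pages maps URL -> HTML."""
    findings, queue, seen = [], [top_url], set()
    top_secure = urlparse(top_url).scheme == "https"
    while queue:
        url = queue.pop()
        if url in seen or url not in pages:
            continue
        seen.add(url)
        scanner = FormScanner()
        scanner.feed(pages[url])
        frame_secure = urlparse(url).scheme == "https"
        for field in scanner.sensitive:
            if not top_secure:      # an HTTPS iframe cannot rescue an HTTP page
                findings.append((url, field, "top-level page is HTTP"))
            elif not frame_secure:  # HTTPS page embedding an HTTP form
                findings.append((url, field, "iframe is HTTP"))
        queue += [urljoin(url, src) for src in scanner.iframes]
    return findings

# Constructed sample pages (not taken from the white paper).
PAGES = {
    "http://shop.example/login": '<iframe src="https://auth.example/form"></iframe>',
    "https://auth.example/form": "<form><input type=password name=p></form>",
    "https://shop.example/pay": '<iframe src="http://pay.example/card"></iframe>',
    "http://pay.example/card": '<input autocomplete="cc-number" name=n>',
    "https://shop.example/account": '<form><input type="password"></form>',
}
if __name__ == "__main__":
    print({top: audit(top, PAGES) for top in PAGES if "shop" in top})
```

The first sample page is the case the warning above describes: the login form sits in an HTTPS iframe, but the HTTP top-level page still gets flagged.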

Where do we go from here?

Eventually, Chrome will display ‘Not Secure’ warnings for all HTTP pages, so even if you do implement one of the more targeted setups, it’d be wise to plan to migrate your entire site to use HTTPS.

The crucial point here is to ‘plan to migrate’. Without a migration plan, your site is prone to significant SEO implications, such as traffic loss.

You don’t have to navigate this migration minefield alone. Make sure you’ve got the support of an agency that already has a detailed migration plan ready to implement, just like we do at Sleeping Giant Media.

If you want to read the full white paper in its full form, with pretty pictures and illustrations, then you can do so here!
