Google Chrome Will Start Marking HTTP Sites "Not Secure" In July: How To Migrate Your Site

In July 2018, Google will release Chrome 68, which will significantly change how many websites are displayed in the popular browser. Google Chrome 68 will start displaying a “Not Secure” warning for any webpage that isn’t secure (HTTPS).

Google Chrome is the desktop browser of choice for about 67% of internet users worldwide, so any change Chrome makes impacts a lot of users.

How Browsers Display HTTP vs HTTPS Sites

All browsers currently mark HTTPS pages (urls that start with https://) as “Secure” with a marker that looks something like this:

Google Chrome and Mozilla Firefox currently mark HTTP pages (urls that start with http://) as “Not Secure”, but only if the page collects passwords, credit cards, or other confidential data. Here’s an example from the ESPN login page:

If the HTTP page doesn’t ask for confidential data, Google Chrome and Mozilla Firefox currently don’t show any security marker:

What Google Chrome Is Changing

Starting in July, Google Chrome will show an explicit “Not Secure” message on all HTTP webpages, whether they ask for confidential data or not. HTTP pages will be displayed like this:

Only about one-quarter of small websites use HTTPS by default, so users will see a “Not Secure” message on most websites starting in July (unless many websites switch to HTTPS before then). Most users will probably just ignore the “Not Secure” label, especially if they aren’t entering financial information. (The ESPN login page has been showing “Not Secure” in Chrome and Firefox for quite awhile now, but millions of people still visit the site every month.)

But some users will likely be concerned and/or start avoiding websites with the “not secure” label. Additionally, Google has explicitly stated that they’re making this change because they want webmasters to make the switch to HTTPS. When Google says they want webmasters to do something, it’s usually a good idea to do it because Google has a significant influence on your website’s success. Fortunately, it’s not too difficult to make the switch to HTTPS.

Why Is Google Making This Change?

Google explains that this change is designed to make “the web safer for everyone”. There are a couple ways that HTTPS improves safety online:

• Using HTTPS helps make websites more secure by protecting passwords from being intercepted by hackers.
• An HTTPS web also improves privacy by making it harder for entities such as ISPs to track users’ web activities.

There’s another important reason Google is making this change: moving the entire web to HTTPS stops ISPs from changing the ads that users see on web pages. (Some ISPs display their own ads to their customers as an extra revenue stream.) Google made over $95 billion of revenue from ads in 2017, and an encrypted web will block ISPs from siphoning off bits of Google’s ad revenue.

Why HTTPS Is Just The First Step

It’s important to remember that HTTPS only serves to protect the connection between the user and the website. Many users assume that the “Secure” label means all security factors have been taken care of. Not really. HTTPS doesn’t protect users from hackers or malware spying on their computers, and it doesn’t protect the website itself against hackers, data breaches, or other threats. For users and site owners alike, HTTPS is just the first step towards good web security.

What Website Owners Need To Do To Prepare

This change is a great opportunity to go ahead and switch your entire website to HTTPS. Your site will get several benefits from making the leap:

1. Google rankes HTTPS sites higher
2. HTTPS protects website passwords against interception
3. Your site visitors will see your site labelled as “Secure” instead of “Not Secure”

To make the switch, you’ll need to install an SSL certificate on your website, then switch all your URLs from HTTP to HTTPS.

How To Migrate To HTTPS Without Losing Traffic

If you’re like most marketers, the idea of changing your website URL is about as scary as jumping off a 30’ cliff without knowing if there’s water or rocks below. Visions of lost SEO rankings and crashing visitor counts probably fill your head as you contemplate the possibility.

While there’s always a small risk involved in changing URLs, following these steps will dramatically reduce the risk of any negative side effects:

1. Ensure all content is referenced by the HTTPS URL. If your website uses absolute URLs to insert images, CSS stylesheets, Javascript, or other files in your HTML code, update the URLs to use HTTPS. For example, change:

   <http://en.ryte.com/_themes/default/imgs/magazine/ryte_mgzn_wg.svg" alt="RYTE Magazine" id="mgzn_logo">

   to

   <https://en.ryte.com/_themes/default/imgs/magazine/ryte_mgzn_wg.svg" alt="RYTE Magazine" id="mgzn_logo">

   If you don’t make this change across all files on your site, visitors will get an insecure content warning. Ryte makes it easy to identify HTTP pages. In the “What is indexable?” tab HTTP pages are marked with a red crossed out padlock.



Figure 1: "What is indexable?" in Ryte Website Success

Configure your site to use HTTPS by default. Most CMSes (such as WordPress) allow you to change your default site URL from HTTP to HTTPS very easily.

Setup 301 redirects for all HTTP URLs. You’ll want to setup permanent (301 redirects) for every HTTP page on your site, pointing to the same page on HTTPS. You can usually use one redirect rule (for example in your .htaccess file) to redirect all HTTP URLs to HTTPS. No need to add a separate redirect for every page. Tip: Ryte can crawl your website and check your redirects.

Update meta tags. Check your canonical tags and hreflang tags to ensure they all point to the correct HTTPS URLs.

Update all links that you can. Update all your internal links (and any other links you control, such as links on your social media profiles) to point directly to the HTTPS version of your website. With Ryte, you can check for internal links with HTTP in just seconds. Use the link overview and filter for HTTP to easily find all internal links that still point to HTTP.



Figure 2: "List of all Links" in Ryte Website Success

2. Set up Google Search Console for HTTPS version. Create a new Google Search Console property for your HTTPS website URL. You can submit a change of address (from HTTP to HTTPS) but that’s optional.
3. Submit a new HTTPS Sitemap. Once your new Google Search Console property is set up, submit the HTTPS version of your XML Sitemap (double check that every URL in the Sitemap is HTTPS). With Ryte Website Success, you can check your XML sitemap to see all of the URLs that are not found or redirected.
4. Monitor for issues. Use Google Analytics to monitor for traffic drops or changes, and Google Search Console to monitor for any errors. Tip: Ryte can help you easily monitor your website’s performance. Website Success continuously monitors your search performance so that if there is an issue, like a drop in traffic, you will automatically receive an alert.

Conclusion

Google has given website owners plenty of time to prepare for this update, and being 100% prepared for it will only take a couple hours for a typical site. With just a bit of preparation, webmasters shouldn’t notice any big impacts when Google Chrome 68 rolls out!