Important Security Changes Coming for Google Chrome

UPDATE: In Chrome 68 (July 2018), the Not Secure message goes into effect. Expect lots of gnashing of teeth as insecure websites now flash “not secure” in the URL bar. This was about 18 months late, but it is finally here. Get your SSL now.

Important News from Google Security

Google Chrome (the most popular web browser in the world) will be implementing a user interface change in 2017 that will notify users that a website form that has a password or credit card field is insecure. This will be a default setting and eventually feature a red alert to notify users.

First change: Note how the “Not secure” message will prefix the web link in the address bar.

image from 4.bp.blogspot.com

The eventual treatment of non SSL/HTTPS websites will add a red alert triangle with an exclamation point:

image from 3.bp.blogspot.com

This is a big deal. I think it may be bigger than the mobile-friendly “apocalypse” that was mostly a non starter for many who have actively been using a mobile theme. Once Apple’s iOS starts to change their user interface in Safari  on mobile devices, we forecast SSL becoming much more important on all our customer sites. This change will sort of slipstream into our Chrome updates in 2017 and by end of 2018 we believe customers will be clamoring to secure their sites. With that in mind we have added SSL setup services to our Silver and Gold service plans.

So the question remains — what’s the least painful way to setup SSL on WordPress? Here are a few recommendations:

0. Install SSL certificate (letsencrypt.org for a free certificate!) and configure WordPress. We can help you do this.

1. Ensure all your internal links point to the new HTTPS URLs.
Ensure any external links and new social shares point to the new HTTPS URLs, if you’re still getting links to the old HTTP version of your website Google can become confused and you won’t see the benefit that these new links have the potential to pass on to your website structure. Google won’t be able to decipher which is the most authoritative page that deserves a higher ranking.

2. Ensure that all rel=canonical tags within your HTML don’t point to the old HTTP version. Once you move over to HTTPS these tags must be changed to the new HTTPS URLs, as this helps Googlebot understand which version of the page should be used to rank. Again, if you still point to the HTTP version then Google will once again become confused over what page should be ranking in the SERPs.

3. Ensure that you’ve mapped out the new HTTPS URLs on a page-to-page level – you basically want an exact duplicate URL structure the only thing that is changing is that ‘http://’ will become ‘https://’. Once you’ve got these in place you then want to implement a permanent 301 redirect on a page level. Do not 301 redirect everything (either via global or via a wild card redirect) to the home page as this will kill all your rankings overnight.

4. You need to watch your Webmaster Tools account post go live and monitor for any issues Google may be having with your new HTTPS website. You can really drop your traffic overnight by doing this wrong.

5. Test any embedded SSL content from different domains on your website (images, forms, any other content). Make sure there are not any cross-site SSL issues when loading these forms.

These changes are best done on a staging server for any highly traffic sites that cannot afford to be down for any extended period.

About the author

Alex is a pioneer in using the cloud to meet the needs of small and medium sized business (SMBs) and membership-based organizations. He has a BSc in computer science from the University of Michigan and has worked as a product manager at two Internet startups. Alex is a father of 2 and plays the trumpet for fun. He is the founder and the president of the University of Michigan Alumni Club of Toronto.