In the words of General Melchett, “Security isn’t a dirty word, Blackadder” – and that’s a view to which Google clearly subscribe, as they are gently nudging the entire internet to move from the non-secure http:// protocol to using the secure https:// protocol.
Historically, https:// was always much slower than http://, so it was used only where it absolutely had to be (login forms, customer account areas, checkouts, etc.), because people didn’t want to take the SEO hit. Over time, however, https:// came to be deliverable at the same speeds as http://, so there was no SEO downside to serving an entire site securely. At the same time, free SSL certificates started to appear. Whilst the high-level validation certificates (Extended Validation certificates, for example, which actually check and verify the identity of the company concerned) remain expensive, the rise of organisations such as Let’s Encrypt, making standard SSL certificates available at no cost and at low hassle, meant that a further reason not to use https:// went out of the window.
And then Google started nudging – through the medium of Chrome, its web browser which has 60% market share (a figure which doesn’t include Chromium-based browsers such as Opera). Since Chrome, unlike traditional browsers, constantly keeps itself updated, it’s easy for Google to roll out tweaks, and the first tweak it rolled out on this front was back in late 2016 / early 2017 to add a warning to pages where the user looked like they were being asked to enter secure information (username, password, credit card details, etc.) on a site which wasn’t using https:// to encrypt the communication between the user’s browser and the web server.
Then, at the start of this month, they rolled out the next phase. For secure sites, rather than show the traditional green padlock along with the word “Secure”, like so…
…it will simply show a grey padlock to indicate that the site is secure. Then, in October 2018, Chrome will start labelling non-https sites in red with a “Non secure” warning, thus flipping things around – this creates a presumption of security.
With the advent of free SSL certificates, and the ease with which they can be installed, there’s really little reason why any site, particularly an e-commerce one, should not already be entirely served over https://, but if site owners were waiting for a kick to make the change, then this should serve as it.