Two years ago, Google made a pledge to name and shame websites with unencrypted connections as part of a strategy to get domain owners to embrace HTTPS. In the past few months it appears that many brands have heeded this threat. But first…
What exactly is HTTPS?
A good explanation is given on GitHub: ‘HTTPS, or HyperText Transfer Protocol (HTTP) + Secure Sockets Layer (SSL), is a TCP/IP protocol used by web servers to securely transfer and display content over the internet. While traditionally used mostly for websites hosting online transactions and customer banking data, HTTPS is now being deployed across a wide variety of websites even if no such sensitive data is involved, mainly for authentication purposes. HTTP is less secure as it transmits data as unencrypted plaintext, which can be viewed by anyone spying on the network traffic and is also vulnerable to a variety of malicious attacks.’
The Google pledge was realised with the release of Chrome version 68, which places a ‘Not secure’ warning in the URL bar when a website is not HTTPS-enabled. When the Google ‘deadline’ of 24th July 2018 was reached, I noticed that many websites I was using or visiting had the ‘Not secure’ warning. I checked more sites and found that many eCommerce websites were being labelled by Google as insecure. Scroll forward two months and it’s now hard to find many that are. Today (8th October), after a 10-minute search of eCommerce sites, I can only find Argos with the ‘Not secure’ label.
To potential shoppers, this should be a real deterrent to purchase. After all, we’ve all heard of recent, huge data breaches such as those at British Airways and Vodafone, as well as past disasters such as the one at TalkTalk in 2015, which is said to have cost the firm £60m and 100,000 customers. So this naming and shaming strategy has worked. The reality, though, is that eCommerce sites such as Argos are likely to be secure on the pages or sections of the website that involve customer transactions and data. (A quick check on Argos confirmed this – it is secured.) But it’s a shame that their brand managers and PR agencies don’t seem to have much influence over the colleagues who manage the website, because this can only damage the brand.
If you look outside of ‘typical’ eCommerce, however, you do find more examples of apparent HTTP-only sites. The website you are reading this blog on, for instance, is not HTTPS – yet. Neither are the websites for Private Eye, The Week, or my local shopping mall in Newmarket, The Guineas.
However, both Private Eye and The Week do sell subscriptions, and when you click through to that section of their sites, you find that the pages are HTTPS-enabled. So it’s only laggards such as my site and The Guineas who need to get their act together and switch to HTTPS.
But how easy is it? There is definitely a technological barrier to overcome. My website is a WordPress site and there are many sites, such as The SEO System and Search Engine Journal, which offer guides on how to do this, something that I will try shortly. Other platforms will have other guides, but the reality is that many small businesses or citizens with websites with legacy HTTP coding will be unable to do this themselves. So a barrier exists in terms of funding and finding the right skilled web developer to apply the fix.
Why you should fix the problem
According to Wired.com, ‘under an unencrypted HTTP connection, any information that you send across the web can be intercepted by a hacker. The use of HTTP has privacy implications as well… If you’re browsing on an unsecured connection, your internet provider and any bad actors can hypothetically see not just which site you’re on, but what specific pages. Not so with HTTPS’.
Zfort give four reasons why you need to go HTTPS-enabled:
- Data security – protect your and your customers’ data.
- Brand positioning – if you don’t, you could damage your reputation.
- Improve SEO rankings – Google has now made HTTPS a ranking factor.
- Website speed.
So, like me, you need to fix this soon.