Last week’s article on the Register: http://www.theregister.co.uk/2016/09/08/chrome_to_shame_non_https_sites/ unveiled plans for Google Chrome to start shaming / punishing sites that send secure data of HTTP rather than HTTPS. The plan is that in January 2017 Chrome will label a site as “insecure” if it transmits password or card details over HTTP instead of HTTPS.
This in itself is a no real surprise, sites should not be sending secure information non-HTTPS anyway so it’s a good thing. What is new is that Google have decided to, in the long term, mark all HTTP sites as insecure. Regardless of the on page actions.
HTTPS site wide has been a factor Google have been rewarding with a positive page ranking boost for a while now but this means that it will become all but mandatory for all sites.
This isn’t much of an issue for most ecommerce sites but there will be a small cost attributed to this. Not just for the SSL but for managing the move to full HTTPS.
Google have stated that “Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,”
It’s probably better to get this updated sooner rather than later in the new year as despite it only being a warning I would imagine this will have a negative effect on consumer confidence in your website when you do start showing a warning.
On a lighter note despite this being classed as recent news we see this as a re-unveil since it got announced around 6 months ago. It was unfortunately rather embarrassing for Google when the New Yorker posted their reaction to it:
“…reason I can’t switch The New Yorker website to HTTPS is because of ads – which I’m getting from Google DFP which allows non-secure ad assets. In short; Google will penalize me because I use Google. The universe has a sense of humor.”
Looks like that might have been resolved now so it is probably actually on it way.