Google’s “Not Secure” Warning and How to Avoid It

by Kelly Hays | September 21, 2017

For over a year now, Google has been pushing sites to move to https/SSL and has rolled out waves of “penalties” for sites that hadn’t made the transition. The last wave happened in January 2017 and penalized sites that collected certain types of sensitive information over an unsecure connection by placing a warning in the address bar.

The next wave happens in October and will place a warning on all sites that do not use SSL. cj Interactive is very aware of the rollout, and we have a plan in place to transition all sites to SSL before the upcoming deadline. But what exactly is SSL? Why is Google pushing for it and what kinds of penalties will sites face if they don’t move over?

What is SSL? What is https? Are they the same thing?

SSL stands for Secure Sockets Layer. It’s a layer of encryption on data exchanged between an end user and a website. The current protocol used for this is technically TLS (Transport Layer Security), but this style of encryption is still commonly referred to as SSL.

How do I know if a site uses SSL?

In Chrome, SSL is identified by a little green lock and the word “secure” on the left side of the address bar. 

In Internet Explorer, it is indicated by a little grey lock on the right side of the address bar.

How does SSL work?

SSL is installed by purchasing and validating a certificate from a distributing authority. Often, this authority is the hosting provider of the site. The certificate is sort of like a notarized document proving you are who you say you are. The site administrator (or in cj’s case, our hosting provider, WP Engine) must provide some real-world proof and verification of identity. This is important because you need to verify who is collecting the sensitive information in order to assure end users the site is actually secure.

All websites are hosted on a computer somewhere—whether it’s at Amazon, WP Engine, or in someone’s basement. When you visit a website, you’re basically connecting to that computer (or a couple different computers) to look at its files. Once you have an SSL certificate, you can direct browsers to connect to the hosting computer via a different socket—a secure, encrypted one. All URLs will then be transitioned from http://www.example.com to https://www.example.com.

What is this horrible Google SSL warning everyone is talking about?

In October 2017, Google will slap a “not secure” warning with a little red lock on sites that don’t use SSL. It will look like some variation of this. 

Some users may also get a “your connection is not secure” message, depending on how they try to access the site. This particular “not secure” warning will only show up in Chrome, but Chrome has a huge share of the browser market (around 60%) so that’s a lot of users.

It’s definitely not ideal; however, it isn’t the doom-and-gloom some companies are making it out to be. Your site won’t crash or be taken down. Many third-party SEO and SSL service providers have inundated website owners with calls and emails to tell them the sky is falling. They want to whip people into a panic to sell them on something.

Do I really need SSL on my site?

Any data sent over the internet that isn’t encrypted can be intercepted and viewed by anyone who might want to “snoop” on your activities. Think of it like two cheap toy walkie-talkies your kids might play with. Anyone in the area who owns the same brand or tunes into the same channel can overhear your kids’ conversation—if they happen to stumble across it or for some reason are actively looking to snoop on their game of tag.

For the vast majority of sites, this wasn’t a concern because they don’t ask users to transmit sensitive information through unsecure channels (and no one wants to listen in on information that is already publicly available… most of the time).

When there was a need to send sensitive information (such as a credit card number or password) then it was done over a secure connection. This has been common practice on the web for some time now.

cj clients’ sites only collect publicly available information, such as name, phone number, email, or mailing address, and we even warn users not to send anything personally sensitive via the web form. Prior to the Google mandate, SSL was an unnecessary expense and complication for most websites, analogous to giving your kids encrypted walkie-talkies for their game of tag.

Our primary reason for transitioning the sites to SSL was initially to take advantage of Google’s small preference for SSL sites in organic search ranking. Their October 2017 “shaming” penalty just pushes the deadline up for us (using both carrot and stick).

Why is Google pushing sites to use SSL?

In short: it’s more secure. 

Adding SSL is the equivalent of exchanging those toy walkie-talkies for serious ones with secure channels like a law enforcement agency would use. Theoretically, no one can listen in who doesn’t have the proper access.

Some argue this blanket transition isn’t necessary. But as more and more web-connected devices and apps become a part of our everyday lives—tracking our health, monitoring the contents of our fridges, even driving our cars—Google is pushing this initiative because it believes it to be the best path forward to a more secure internet. It can be difficult to predict or monitor every link in the increasingly complex web ecosystem of sites and apps that handle our personal data. By pushing every site to be encrypted, Google figures you can plug security holes you didn’t even know existed.

Or, they have some as yet unknown master plan behind this push. Who are we to question the great and powerful Oz?

How do I avoid Google’s warning?

If you’re a cj Interactive client, you don’t need to do anything. You won’t have to deal with it, because your site will be moved to SSL before October 1 (if it hasn’t been already).

Our web team is on top of the transition and in communication with your in-office team to notify them one week, one day, and one hour before the transition begins. We also follow up afterwards to make sure everything looks good.

We suggest you let your IT team know when you start getting our emails about the transition. They may need to make simple changes to some network settings if your office has a private DNS (just forward the email to them and we’ll work together with them on the rest).

What do I do if I’m not a cj Interactive client?

Become our client.

Or, check to see if your site displays the secure lock and https:// in the address bar. If you see it, you’re good to go. If not, you may wish to contact your web provider. Most web providers already have a plan in place to move sites over, but it doesn’t hurt to check.
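Seeing the lock on the https:// address is only half of the check: a visitor who types the bare domain still starts on http://, so that request has to be redirected to https:// and the certificate has to validate. The script below is an added example, not something from cj Interactive or WP Engine; the function names and verdict strings are made up for illustration, and the sample responses are constructed.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def _bare(name):
    """Lower-case a host name and drop a leading 'www.'."""
    name = (name or "").lower()
    return name[4:] if name.startswith("www.") else name

def classify_http_response(host, status, location):
    """Judge the answer a server gave to a plain http:// request for host."""
    if status not in REDIRECTS:
        return "served-over-http"            # content came back unencrypted
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect-not-https"
    if _bare(target.hostname) != _bare(host):
        return "redirect-other-host"         # worth a manual look
    return "ok" if status in (301, 308) else "temporary-https-redirect"

def check_site(host, timeout=10):
    """Live check (needs network): returns (http_verdict, certificate_verdict)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/")                 # http.client does not follow redirects
    resp = conn.getresponse()
    verdict = classify_http_response(host, resp.status, resp.getheader("Location"))
    conn.close()
    ctx = ssl.create_default_context()       # verifies chain and host name
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = "certificate valid, " + tls.version()
    except ssl.SSLCertVerificationError as exc:
        cert = "certificate rejected: " + exc.verify_message
    except OSError as exc:
        cert = "HTTPS connection failed: " + str(exc)
    return verdict, cert

# Constructed sample answers (status, Location header) for example.com.
SAMPLES = [(200, None), (301, "https://www.example.com/"),
           (302, "https://example.com/"), (301, "http://www.example.com/")]

def demo():
    return [classify_http_response("example.com", s, loc) for s, loc in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, demo()):
        print(sample, "->", verdict)
```

Run `check_site("your-domain")` from a machine with internet access to test a live site; anything other than `"ok"` plus a valid certificate is worth raising with the web provider.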

cj Interactive always makes a concerted effort to stay on top of changes, trends, and transitions that could affect your site’s performance. Our collective knowledge is our greatest resource. If you have a question or concern about Google’s SSL initiative—or any other topic riding the internet-marketing hype train—our team of digital dromedaries is always happy and excited to discuss it with you.

UPDATE: As of October 3, the warnings have not yet appeared. Google’s original email to webmasters stated the warnings would begin in “October.” The next version of Chrome will be released October 17, which is a likely date for these warnings to appear.