In April, Google posted on their Chromium Blog that http websites that include contact forms (i.e., the majority of law firm websites throughout the country) will be marked ‘not secure’ in Chrome version 62 starting in October 2017. This gave website developers and owners six months to implement necessary changes. In August, they followed up with an email to webmasters, reminding them of the change and providing more information about what the changes would look like in Chrome 62. The changes include marking input fields as ‘not secure.’ The inputs that will be affected are fields such as logins, contact forms, and even search boxes within websites – a usability and potential conversion killer for law firms. With the inclusion of search box fields, the change has the potential to affect a large portion of legal http sites. Included in the new “not secure” warning are all http sites visited in “Incognito” mode.
The change is part of a larger plan
The people at Google have been working for years to enhance internet security and have been pushing for a changeover to secure https websites. In 2014, Google called for all sites to be https sites. Google’s Chrome security team has been working since January of 2017 to change the way security indicators in Chrome function on http sites. The changes are the first steps in the process to encourage webmasters to change their sites from http to https. The first phase was marking all http sites with credit card and password fields as “not secure.” The changes that Chrome users will start to see in October are part of the second phase of the process. Eventually, Chrome will mark all http websites as not secure. Currently, there is no timeline for implementing the rest of the changes.
According to the Chromium Blog, all data that users input in any form on any site should remain confidential. With http sites, input data can be seen by others on the same network. Http sites are also at risk of being hijacked so your data does not get where you intended it to go. By labeling the http sites as not secure in Chrome 62, Google is hoping to educate people about the risks they are taking when they input data on an http website.
Reactions to this change have been mostly positive. Moving to label all http websites as “not secure” is a move toward making the whole web more secure. This change will be user friendly and will help people clearly see what sites are secure when they are inputting potentially confidential or personal data. Instead of just seeing when a site is secure with a padlock in the address bar, users will now be able to clearly see when a site is unsecured as well (when browsing in Chrome).
Are you worried your http site will not show up in Chrome anymore? You don’t have to worry about that. Even after the new changes are implemented this October and beyond, http sites will still be visible in Chrome. There are no plans to block or change the way http sites are viewed and used; they will just be labeled as not secure. That, however, may very well be a death penalty for your website leads.
How to avoid the warning?
To avoid the not secure warning, everyone with an http site is encouraged to move it over to an https secure website. Https is the secure version of an http website. It protects data that is being used and input on the site through encryption, authentication, and data integrity. By using these layers of protection, https sites keep users’ data safe by protecting it from those who are trying to read it, keeping it safe during transfer, and making sure the data gets to the correct site without being hijacked by something malicious trying to steal the data. Such interceptions are usually called “man-in-the-middle attacks.”
There is a process for migrating your site over to an https website. Google’s Search Console Help has a post that explains what an http site is and how to make sure your site is secured. One of the steps in moving to an https site is obtaining a security certificate. Security certificates verify that the web address you provide really does belong to you or your organization. There are numerous reliable certificate authorities (often referred to as CAs) from which you can obtain certificates. Once you have a security certificate, you will want to make sure it does not expire. Certificates are generally issued for a specific length of time, so you will want to keep an eye on the renewal period and expiration date.
When creating an https site, you will want to make sure your page can still be indexed by search engines. Https sites already provide a positive signal toward ranking on Google, so making the change can potentially help your rankings in search engines. There are some common pitfalls that can happen when you are setting up an https website, however. Some of them include blocking indexing and crawling by search engines, using old protocols, and embedding http content in the pages of your https website.
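As an added illustration (not code from Google or from this article's author), the Python sketch below audits one page's HTML for two of the pitfalls named above: http content embedded in an https page and a robots meta tag that blocks indexing. It goes slightly beyond that list by also flagging forms that still submit to an http address; the example.com hosts, the sample page, and the tag list are constructed assumptions.

```python
from html.parser import HTMLParser

# Tags whose src attribute loads a subresource (common subset, not exhaustive).
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

def is_http(url):
    return url.strip().lower().startswith("http://")

class MigrationAudit(HTMLParser):
    """Collects HTTPS-migration pitfalls found in one page's HTML."""
    def __init__(self):
        super().__init__()
        self.mixed_content = []   # (tag, url) subresources loaded over http
        self.insecure_forms = []  # form actions that submit over http
        self.noindex = False      # robots meta tag blocks indexing

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in SRC_TAGS and is_http(a.get("src", "")):
            self.mixed_content.append((tag, a["src"]))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            if is_http(a.get("href", "")):
                self.mixed_content.append((tag, a["href"]))
        elif tag == "form" and is_http(a.get("action", "")):
            self.insecure_forms.append(a["action"])
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.noindex = True

def audit(html):
    parser = MigrationAudit()
    parser.feed(html)
    parser.close()
    return parser

# Constructed sample page, assumed to be served from https://www.example.com/
SAMPLE = """<html><head>
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="https://www.example.com/site.css">
<script src="http://cdn.example.com/slider.js"></script>
</head><body>
<a href="http://partner.example.org/">Ordinary link, not a subresource</a>
<img src="http://www.example.com/logo.png" alt="logo">
<form action="http://www.example.com/contact" method="post"><input type="text" name="email"></form>
</body></html>"""

if __name__ == "__main__":
    r = audit(SAMPLE)
    print(r.mixed_content, r.insecure_forms, r.noindex)
```

Ordinary hyperlinks to http addresses are deliberately not reported, since following a link does not load http content into the https page.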
Should you migrate your http website?
The decision to migrate your site over to https has many factors. One of the perks of an https site is that it does have potential to help increase your rankings. Currently, that increase is small but could be larger and more impactful in the future. Https also increases security. If you are asking users on your page to input data, especially personal data and information, you need https to make sure that data is secured. Some sites have less sensitive input fields, such as email forms. It can still be helpful to make sure the user data is safe and your site visitors feel protected.
If you have a smaller site with mostly content that does not ask users to input any data, then the decision to migrate over to an https site might not be so clear. You might want to if you plan on adding user inputs later or want your site to be as secure as possible.
The plan to eventually mark all http sites as ‘not secure’ is currently just a Chrome feature. Other browsers, however, such as Mozilla’s Firefox, have also announced changes in their browser stating that “Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure.”
Support in getting your law firm site into https
If you need help in getting your website into https, begin by speaking to an experienced consultant or company. Contact Consultwebs at email@example.com or call us at 800.872.6590 to discuss.
Tanner Jones is the vice president of business development for Consultwebs Inc.