Google continues pushing the web towards a more secure future with Phase 3 of its multi-year plan to mark non-HTTPS sites as "not secure." Check out our review of the timeline of Google's march to HTTPS and find out what is coming next.
Google announced that the next phase of their plans to eventually mark all insecure pages with warnings in Chrome will take place in July 2018. If you haven’t yet updated your website or blog to use HTTPS, you are running out of time.
Didn’t Google Already Do This?
Securing the entire web is a tall order. Google recognizes this and has been phasing in these changes over a few years to ease this significant transition in the web’s architecture.
What Has Google Done Already?
Google’s grand march to HTTPS began back in July of 2008 when Gmail added an option to its settings allowing users to access Gmail over an HTTPS connection by default. In January of 2010, this setting was enabled by default (and was turned on for people who hadn’t already enabled it). In March 2014, Google removed this setting and started securing all Gmail accounts with an encrypted HTTPS connection.
In November of 2009, Google released a whitepaper for a new protocol for the web named SPDY, meant to potentially replace HTTP as the transfer protocol for the web. While this new protocol was aimed at performance as opposed to security, forward-thinking engineers developed the protocol with an HTTPS-only future in mind, and as such the protocol didn’t support unencrypted connections. The message was clear, if you want SPDY, you have to have HTTPS. In May 2014, when the HTTP/2 standard was ratified, implementing many of the same performance improvements of SPDY, the same HTTPS-only restriction was enforced there.
Things started picking up steam in 2014. During the Google I/O conference in June, their engineers delivered an HTTPS Everywhere presentation, which advocated for a future where HTTPS was a global requirement. Three months later in August, Google announced that it was going to start treating HTTPS as a ranking signal when it came to the Google Search Index. The ranking signal was very minor, basically amounting to a tie-breaker, but it was there and for the first time HTTPS affected the ranking of your website.
In September 2016, the Chrome team announced that it was going to start a multi-year plan to mark websites as insecure if they didn’t have HTTPS. The transition started with the announcement that the upcoming Chrome version 56 was going to put up a warning in the address bar of any pages that had a password (login or signup forms) and any form that took in credit cards (payment forms). This warning was relatively minor (a grey “Not Secure” on a white background), but it was a wake up call for web developers that HTTPS was going to be necessary for ALL websites eventually.
While many took this as reason enough to update at that time, still many stayed behind. On April 27, 2017, Google announced Phase 2. The “Not Secure” message was extended to be displayed on any page with a form (regardless of the type of data being submitted on the form) once users started entering data in the form. The warning was also permanently displayed on unsecured pages when loaded through Incognito mode. This Phase went live with Chrome Version 62 in October of last year.
Phase 3 of the plan was announced on February 8, 2018. Under Phase 3, Chrome will mark all HTTP sites on the web as “Not secure,” regardless of whether the page contains a form or not. Phase 3 will go into effect with the release of Chrome Version 68 which is scheduled for late July 2018.
Is This The end?
In short, no. Under the roadmap for the “Marking HTTP as Non-Secure” plan, the final step will be to change the “Not secure” message to appear in red with a red triangle with an exclamation point (rather than its current unobtrusive appearance of a gray message accompanied by a gray letter “i”).
What Do I Need to Do?
If you are a Justia website or blog customer, you don’t need to do anything. Justia has already migrated your site or blog to HTTPS as part of our dedication to keeping your site operating well. Migrating a site to HTTPS isn’t as easy as flipping a switch, but it is an important part of maintaining your web presence, and is a service we provide to our customers at no additional cost.
If you aren’t a Justia customer, and your website provider has not migrated your site to HTTPS, you may already be losing business by staying on HTTP. The warning that appears may deter potential leads from submitting information through your unsecured contact forms to inquire about your service. This will only get worse when Phase 3 goes into effect. Right now, the warning appears only when a user attempts to contact you, but after Phase 3, it will appear the moment anyone visits your site. Once Google transitions to the more emphatic red “Not secure” message, you may see an even steeper drop-off on contact form leads.
Don’t wait to move to HTTPS. If you want help moving your law firm’s website or blog to HTTPS contact Justia today! HTTPS is one of many features we provide to improve our clients’ web presence. To get an idea of how we can improve your website, or to discover ways you can optimize your website yourself, request a free audit of your site. This professional site audit is free to you whether you sign up with us or not, and it can help you find ways you can improve your site’s performance in search engines and enhance your site’s user experience.