It’s all over the Internet: Google is making a big change that affects every single website it browses. By October 2017, all sites with input fields, including contact forms and search fields, must have a security certificate—or risk dropping dramatically in Google’s estimation. Though Google has been set on enforcing “certificate transparency” for quite some time, this marks a tangible change in the company’s approach to insecure websites.
And isn’t Google the only search engine that matters?
So let’s talk about why you need to switch to https by October.
Encryption and Certification: the Basics
In the early 1990s, people began shopping online. That means personal financial information was being passed along the data highway that is the World Wide Web. Credit card numbers, mostly; but we’re sure there were some banking accounts as well.
Savvy hackers had two options: either tap into the online communication between the customer and the website and wait until a credit card number was given; or set up a “dummy” website made to look like the real one and have the customer type in their own financial information. To combat such malicious behavior, the following security measures were developed:
- Encryption solves the first type of hacking. It converts all website communications to code to prevent unauthorized access.
- Security certificates solve the second type of hacking. These certificates are given to websites by a trusted “third party” authority, like Norton. Once your browser reads a certificate, it encrypts your connection to the site. Now hackers should be unable to grab any personal information you enter.
What Is “Certificate Transparency”?
Google is having trust issues with Symantec, a software security company that is a “certificate authority.” Google claims that Symantec isn’t doing its job, and that over 30,000 certificates were issued to websites without the company performing proper checks. (In 2011, a similar situation with a Dutch certificate authority led to hackers spying on and stealing from over 300,000 Gmail accounts, as well as major security repercussions for the Dutch government.)
In response, Google is making a blanket change. All websites with “noncompliant certificates”—that is, without a certificate from a Google-approved provider—will be flagged with a warning in the Chrome browser. Internet users will almost certainly abandon these sites, because there’s no guaranteed safety. So it is, in effect, a Google blacklist.
The certificate transparency plan aims to do three things:
- Make it impossible for a certificate authority to issue a certificate for a domain to anyone other than the domain’s owner.
- Establish a list of certified domains, an open monitoring system that lets any domain owner or certificate authority determine whether a certificate has been mistakenly or fraudulently issued.
- Protect users from being duped by false certificates.
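To show what the open monitoring in the second goal looks like from a domain owner's side, here is an added example (not part of the original article) that scans log entries for certificates issued for your domain by an issuer you never used. The domain, issuer names, and entry format are all constructed for illustration.

```python
from datetime import date

# Issuers the domain owner actually buys certificates from (assumed for this example).
EXPECTED_ISSUERS = {"Example Trusted CA"}

# Constructed entries in the shape a log monitor might return; none of this is real data.
LOG_ENTRIES = [
    {"names": ["www.example-lawfirm.test"], "issuer": "Example Trusted CA",
     "not_after": date(2018, 3, 1)},
    {"names": ["mail.example-lawfirm.test", "example-lawfirm.test"],
     "issuer": "Unknown Issuing CA", "not_after": date(2018, 6, 1)},
    {"names": ["*.example-lawfirm.test"], "issuer": "Unknown Issuing CA",
     "not_after": date(2016, 1, 1)},   # already expired
    {"names": ["example-lawfirm.test.other.test"], "issuer": "Unknown Issuing CA",
     "not_after": date(2018, 6, 1)},   # different domain that merely contains ours
]


def covers_domain(name, domain):
    """True if a certificate name is the domain itself or one of its subdomains."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def unexpected_certificates(entries, domain, expected_issuers, today):
    """Return (issuer, names) for unexpired certificates for our domain from unknown issuers."""
    findings = []
    for entry in entries:
        if entry["not_after"] < today:
            continue  # browsers reject expired certificates, so skip them
        matched = [n for n in entry["names"] if covers_domain(n, domain)]
        if matched and entry["issuer"] not in expected_issuers:
            findings.append((entry["issuer"], matched))
    return findings


if __name__ == "__main__":
    for issuer, names in unexpected_certificates(
            LOG_ENTRIES, "example-lawfirm.test", EXPECTED_ISSUERS, date(2017, 10, 1)):
        print("Unexpected certificate from", issuer, "for", ", ".join(names))
```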
Noble goals, right? So how do they affect your legal marketing presence?
What Does Google’s Push Mean for Your Website?
This move, similar to a blanket ban, is punishing all websites for security concerns relating to a few. Now, many legitimate websites that don’t even deal in financial or personal information must get themselves an “approved” security certificate or be flagged by Google. Most certificate authorities charge for certification, so this will cost website owners.
Why the Big Change Now?
Google is a big company with big plans. These plans do not always get the momentum needed to make a splash. For some time, website security seemed most important for businesses that used highly personal information online, as in financial transactions. This changed in late August, when Google issued a message in Google Search Console to let webmasters know that their http sites with any text input fields would be flagged as insecure in Chrome, starting in October. The message was clear: Google intends to make good on its goal to push the web to https.
While October marks a shift for all sites with any type of input field – including search bars – this is a warning for the Internet at large. Google wants to see a valid security certificate on every site, and insecure sites will start to disappear from search results in favor of those with certificate transparency. Even if your site does not have text fields, it may be time for you to consider the switch to https while things are still good.
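To find out which of your own pages fall under the rule described above (an http page with any text input field), here is an added example, not part of the original article, that audits saved page HTML. The URLs and HTML are constructed samples, and the list of input types treated as non-text is this example's assumption about what counts as a text field.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# <input> types that do not accept typed text (assumption for this example).
NON_TEXT_TYPES = {"hidden", "submit", "button", "reset", "image",
                  "checkbox", "radio", "file", "range", "color"}


class InputFieldFinder(HTMLParser):
    """Collects (type, name) for every field a visitor can type into."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "textarea":
            self.fields.append(("textarea", attrs.get("name") or ""))
        elif tag == "input":
            kind = (attrs.get("type") or "text").lower()  # a missing type means text
            if kind not in NON_TEXT_TYPES:
                self.fields.append((kind, attrs.get("name") or ""))


def audit_page(url, html):
    """Report whether a page is served over http while offering text input."""
    finder = InputFieldFinder()
    finder.feed(html)
    scheme = urlparse(url).scheme.lower()
    return {"url": url, "text_fields": finder.fields,
            "flagged": scheme == "http" and bool(finder.fields)}


# Constructed sample pages: a search bar, a contact form, and a page with no typed input.
SEARCH_PAGE = '<form><input name="q" type="search"><input type="submit"></form>'
CONTACT_PAGE = '<form><INPUT name="email"><textarea name="message"></textarea></form>'
STATIC_PAGE = '<form><input type="hidden" name="token"><input type="checkbox" name="ok"></form>'

if __name__ == "__main__":
    for url, html in [("http://example-lawfirm.test/", SEARCH_PAGE),
                      ("https://example-lawfirm.test/contact", CONTACT_PAGE),
                      ("http://example-lawfirm.test/about", STATIC_PAGE)]:
        print(audit_page(url, html))
```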
Making the Switch to https
How will you be able to tell if you’re compliant? Answer: it’s the difference between http and https. That extra “s” in your Chrome browser tells you that the website is secure (it has a valid certificate from a trusted certificate authority). Without that https, your site will be flagged as “unsecure.” (Granted, Mozilla, Apple, and Microsoft haven’t outright stated that they’ll blacklist you—yet.)
This big red warning would NOT look good to potential clients.
So if you need help complying with Google’s security enforcement, we at SLS Consulting are prepared. Our SEO team is helping client websites make the switch right now, and we’re always on the hunt for better legal marketing practices!