HTTPS Not Secure Warnings Live

Welcome back Rankers! Hope you’re all having a good week. An interesting thing has happened this week.

Over the weekend, Google started sending out warning messages to website owners from Google Search Console. If you don’t have Google Search Console set up, you won’t have received one of these messages. Google is now sending out messages like this to site owners whose sites have insecure pages.

HTTPS not secure warning
HTTPS not secure warning emailed

This is part of the HTTPS warning we’ve been talking about. Apparently it hasn’t rolled out yet. My understanding is that you will start to see the warning once this version of Chrome (this is Chrome 56) comes out of beta in around a week.

Why The Warnings?

The reason Google is sending out these warnings is that there are a lot of sites that are insecure. The search I’ve done here is for ‘login -inurl:https site:.au’, meaning I’m searching for the word ‘login’ but asking Google not to give me results that have ‘https’ in the URL, and to show me only sites from Australia. Basically I’m asking to see webpages that have the word ‘login’ on them and that are actually insecure.

insecure search

Here are some of the results we’ve looked at. Qantas is a big one. You may be familiar with that brand. We’ve got the Courier Mail, which I think is News Limited. So presumably many of the News Corp sites would be the same as they use the same digital pass.

not secure site warning

How To See The Not Secure

Now you can see up here by the URL we have a ‘Not Secure’ warning tab. You won’t see that in the normal browser yet. If you want to see the ‘Not Secure’ warnings you’ll need to do a little jiggery-pokery. There’s a nice little article that tells you how to do that here. The article explains quite clearly how you can get that ‘Not Secure’ message in your browser by adjusting some of the flags that Chrome provides. I’ve just asked it to show me the non-secure warning when I go to non-secure sites. When this browser comes out of beta, it will be the default.

There are lots of sites displaying it at the moment. This is an interesting thing. We’ve spoken to a lot of clients and many of them have said things like, “My cart’s secure. It has HTTPS on it, and my login and accounts sections have got HTTPS login on it. So we should be right.” I said okay, maybe for the moment, but what I hadn’t seen was this. This site for instance doesn’t show any log-ins or credit card information being collected and we don’t have non-secure next to the browser bar. The pop-up that appears won’t trigger a non-secure warning as it’s not collecting passwords. But as soon as you click ‘Login’ you get a different pop-up appearing that asks you to enter your user name and password, then we get the non-secure warning.

insecure-popup-login
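
As an added example (not from the original post or from Google), here is a small Python check a site owner could run over saved page HTML to find the pages that fall under the rule described above: served over HTTP and containing a password or card field. The shop.example pages are constructed samples, and matching card fields by their autocomplete tokens is a simplifying assumption, since Chrome uses its own detection.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: card inputs are recognised by the standard HTML autocomplete tokens.
CARD_TOKENS = {"cc-name", "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}


class SensitiveInputFinder(HTMLParser):
    """Collects <input> elements that ask for a password or card details."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {name: (value or "").lower() for name, value in attrs}
        if a.get("type") == "password":
            self.findings.append("password field")
        elif CARD_TOKENS & set(a.get("autocomplete", "").split()):
            self.findings.append("card field")


def audit(url, html):
    """Return the fields that would earn the warning; empty list if none."""
    if urlsplit(url).scheme.lower() == "https":
        return []  # served securely, so no warning for these fields
    finder = SensitiveInputFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample pages (hypothetical site, not taken from the post).
PAGES = {
    "http://shop.example/": '<a href="/login">Login</a><input type="email">',
    "http://shop.example/login": '<form><input name="u"><input type="password"></form>',
    "http://shop.example/pay": '<input autocomplete="cc-number"><input autocomplete="cc-csc">',
    "https://shop.example/login": '<form><input type="Password"/></form>',
}


def report(pages):
    return {url: audit(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, found in report(PAGES).items():
        print(url, "->", ", ".join(found) if found else "no warning")
```

A static check like this only sees markup present in the saved HTML; a login pop-up that is injected by script after a click, as in the case above, has to be checked in the browser itself.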

There are a lot of sites in that boat. Home Improvement Pages, AFL, to name another couple. It’s not going to affect traffic initially to your site, but it will affect your bounce rate significantly, especially for new users or even returning users that aren’t familiar with it. If you start seeing ‘Not Secure’ on sites, do you really want to be entering your user names and passwords? So for the search I did, we got 6.4 million pages in Australia, of which 5.2 million are businesses. The Law Society and Loan Kit are both insecure. For government sites, we have 1.7 million pages. Lots of councils do not have HTTPS and they are collecting user names and passwords. Our own local council is Monash Council. They show a Not Secure warning yet they request an email and password for entry.

Be Prepared

Google is pushing pretty hard on this. They’re not saying it’s going to affect your rankings right now, but I think it certainly will, especially when they do what they say they’re going to do, which is roll this out to every page that is not HTTPS. At the moment you’re only going to get these non-secure warnings on pages that are collecting passwords and/or credit card details. What Google has said in its messages and in this article today, which they hadn’t said before, is that you should plan to have every page prepped for HTTPS. Any pages that are HTTP will be marked Not Secure by them.

It’s a pain to do and not as easy as Google wants you to think it is. It’s a time-consuming process, but in the long run it’s going to affect your traffic and your transactions, which ultimately will affect conversions. So you are going to have to do it. For those dragging their feet on the issue: Google is serious about it.

Hopefully that’s helpful. If you see anything like this or you have anything to add, please let us know about it. If you want a site review or anything like that, just leave it in the comments in YouTube, SmartCompany, the blog, Facebook, or wherever you’re watching this video. I’ll see you all next week. Thanks very much. Bye.